Redazione RHC : 20 October 2025 14:44
The Cybersecurity and Infrastructure Security Agency (CISA) and the Multi-State Information Sharing & Analysis Center (MS-ISAC) are issuing this Joint Cybersecurity Advisory (CSA) in response to the active exploitation of CVE-2022-1388 .
This vulnerability, recently disclosed in certain releases of F5 Networks, Inc. (F5) BIG-IP, allows an unauthenticated attacker to gain control of affected systems via the management port or self IP addresses. F5 released a patch for CVE-2022-1388 on May 4, 2022, and proof-of-concept (POC) exploits have since been made public, allowing less sophisticated attackers to exploit the vulnerability.
Given previous exploitation of F5 BIG-IP vulnerabilities, CISA and MS-ISAC believe unpatched F5 BIG-IP devices are an attractive target; organizations that have not applied the patch are exposed to attacks that take control of their systems.
The Internet watchdog Shadowserver is currently monitoring 266,978 IP addresses with a BIG-IP F5 signature, approximately 2,500 of which are in Italy. In addition to the American systems, there are approximately 100,000 devices in Europe and Asia. Specifically, in the Netherlands, 3,800 systems are exposed.
These figures illustrate the massive scale of the F5 security incident that made news earlier this week. The company reported that state-sponsored hackers had access to its BIG-IP product development environment for months. F5 BIG-IP products are deployed throughout corporate networks, providing load balancing, firewalling, and access control for critical applications. The fact that hundreds of thousands of these systems are publicly reachable makes them attractive targets for cybercriminals.
CVE-2022-1388 is a critical iControl REST authentication bypass vulnerability that affects the following versions of F5 BIG-IP:[1]
An unauthenticated actor with network access to the BIG-IP system via the management port or self IP addresses could exploit the vulnerability to execute arbitrary system commands, create or delete files, or disable services. F5 released a patch for CVE-2022-1388 for all affected versions, except versions 12.1.x and 11.6.x, on May 4, 2022 (versions 12.1.x and 11.6.x are end-of-life [EOL] and F5 has stated that it will not release patches for them).[2]
POC exploits for this vulnerability have been made public, and on May 11, 2022, CISA added this vulnerability to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation. Given the public POCs and the ease of exploitation, CISA and MS-ISAC anticipate widespread exploitation of unpatched F5 BIG-IP devices in government and private networks.
CISA recommends that administrators, particularly at organizations that have not yet applied the patch, take the following steps: