CVE-2021-22986 Overview
CVE-2021-22986 is a critical unauthenticated remote command execution vulnerability affecting the iControl REST interface in F5 BIG-IP and BIG-IQ products. This vulnerability allows remote attackers to execute arbitrary system commands without authentication, potentially leading to complete system compromise of affected F5 appliances. Given the critical role that F5 BIG-IP devices play in enterprise network infrastructure as load balancers, application delivery controllers, and security gateways, successful exploitation poses severe risks to organizational security.
Critical Impact
This vulnerability enables unauthenticated remote attackers to execute arbitrary commands with root privileges on affected F5 BIG-IP and BIG-IQ systems, potentially compromising network infrastructure and downstream applications.
Affected Products
- F5 BIG-IP versions 16.0.x before 16.0.1.1
- F5 BIG-IP versions 15.1.x before 15.1.2.1
- F5 BIG-IP versions 14.1.x before 14.1.4
- F5 BIG-IP versions 13.1.x before 13.1.3.6
- F5 BIG-IP versions 12.1.x before 12.1.5.3
- F5 BIG-IQ versions 7.1.0.x before 7.1.0.3
- F5 BIG-IQ versions 7.0.0.x before 7.0.0.2
- F5 BIG-IP Access Policy Manager
- F5 BIG-IP Advanced Firewall Manager
- F5 BIG-IP Advanced Web Application Firewall
- F5 BIG-IP Analytics
- F5 BIG-IP Application Acceleration Manager
- F5 BIG-IP Application Security Manager
- F5 BIG-IP DDoS Hybrid Defender
- F5 BIG-IP Domain Name System
- F5 BIG-IP Fraud Protection Service
- F5 BIG-IP Global Traffic Manager
- F5 BIG-IP Link Controller
- F5 BIG-IP Local Traffic Manager
- F5 BIG-IP Policy Enforcement Manager
- F5 SSL Orchestrator
Discovery Timeline
- March 31, 2021 - CVE-2021-22986 published to NVD
- October 27, 2025 - Last updated in NVD database
Technical Details for CVE-2021-22986
Vulnerability Analysis
The vulnerability resides in the iControl REST interface, which is a management API used for programmatic control of F5 BIG-IP and BIG-IQ devices. The underlying weakness is classified as CWE-918 (Server-Side Request Forgery), which in this case enables attackers to bypass authentication mechanisms and execute arbitrary commands on the target system.
The iControl REST API is designed to facilitate automation and orchestration of F5 appliances. However, due to insufficient validation of authentication tokens and improper access controls, remote attackers can craft malicious requests that bypass authentication entirely. Once authenticated controls are bypassed, attackers can leverage the API's command execution capabilities to run arbitrary system commands with elevated privileges.
This vulnerability is particularly dangerous because F5 BIG-IP devices typically sit at critical junctures in enterprise networks, managing traffic flow, SSL termination, and application security. Compromise of these devices can provide attackers with visibility into network traffic, the ability to intercept sensitive data, and a pivot point for lateral movement within the network.
Root Cause
The root cause of CVE-2021-22986 stems from a Server-Side Request Forgery (SSRF) weakness in the iControl REST interface's authentication handling. The vulnerability allows attackers to forge requests that the server processes as if they originated from a trusted source, effectively bypassing the authentication layer. This occurs because the interface fails to properly validate the origin and authenticity of incoming requests before processing privileged operations.
Attack Vector
The attack is network-based and requires no user interaction or prior authentication. An attacker with network access to the management interface (typically on port 443) can exploit this vulnerability by sending specially crafted HTTP requests to the iControl REST API endpoints.
The exploitation chain typically involves:
- Identifying an exposed BIG-IP or BIG-IQ management interface
- Crafting malicious requests that exploit the SSRF vulnerability to bypass authentication
- Leveraging the authenticated session to execute arbitrary commands through the API
- Achieving command execution with root-level privileges on the underlying system
The vulnerability has been added to CISA's Known Exploited Vulnerabilities (KEV) catalog, confirming active exploitation in the wild. Public exploit code is available through resources such as Packet Storm Security, which documents both the SSRF component and the subsequent remote code execution chain.
Detection Methods for CVE-2021-22986
Indicators of Compromise
- Unusual HTTP POST requests to /mgmt/tm/util/bash or other iControl REST API endpoints from external IP addresses
- Authentication bypass attempts visible in /var/log/restjavad.0.log logs showing requests processed without valid authentication tokens
- Unexpected command execution or process spawning on BIG-IP systems, particularly from the REST API service context
- Network traffic to/from the management interface on port 443 from unexpected sources
Detection Strategies
- Implement network intrusion detection rules to identify exploitation attempts targeting iControl REST API endpoints with characteristic SSRF payloads
- Monitor web application firewall logs for requests containing command injection patterns directed at F5 management interfaces
- Deploy SIEM correlation rules to detect anomalous administrative actions on BIG-IP devices that lack corresponding legitimate administrator sessions
- Review authentication logs for patterns indicating authentication bypass, such as privileged actions without preceding successful login events
Monitoring Recommendations
- Enable detailed logging on all F5 BIG-IP and BIG-IQ management interfaces and forward logs to a centralized SIEM platform
- Implement network segmentation monitoring to detect any traffic to management interfaces from unauthorized network segments
- Configure alerts for any new administrative users created or configuration changes made outside of normal change windows
- Monitor for outbound connections from BIG-IP devices to unexpected external hosts, which may indicate post-exploitation activity
How to Mitigate CVE-2021-22986
Immediate Actions Required
- Apply the vendor-provided security patches immediately by upgrading to the fixed versions: BIG-IP 16.0.1.1, 15.1.2.1, 14.1.4, 13.1.3.6, or 12.1.5.3; BIG-IQ 7.1.0.3 or 7.0.0.2
- Restrict network access to the iControl REST interface (port 443) to only authorized management networks using firewall rules or network segmentation
- Review system logs and configurations for signs of compromise, particularly checking for unauthorized user accounts or modified configurations
- Implement multi-factor authentication for management access where supported
Patch Information
F5 has released security patches addressing CVE-2021-22986 in the following versions:
- BIG-IP 16.0.1.1 and later
- BIG-IP 15.1.2.1 and later
- BIG-IP 14.1.4 and later
- BIG-IP 13.1.3.6 and later
- BIG-IP 12.1.5.3 and later
- BIG-IQ 7.1.0.3 and later
- BIG-IQ 7.0.0.2 and later
Organizations should consult the F5 Support Article K03009991 for detailed upgrade instructions and additional mitigation guidance.
Workarounds
- Block access to the iControl REST interface from all untrusted networks by implementing strict firewall rules that only allow management access from designated administrative subnets
- If the management interface must be exposed, implement a VPN or bastion host requirement for all administrative access to F5 devices
- Disable self-IP port lockdown for management services if not required, reducing the attack surface
- Consider implementing network-level intrusion prevention systems with signatures for CVE-2021-22986 exploitation attempts as an additional layer of defense
# Example: Restrict iControl REST access to specific management network
# This should be implemented at the network firewall level
# Block external access to management interface (port 443)
# Allow only from trusted management CIDR (e.g., 10.0.0.0/24)
# On BIG-IP, verify Self IP port lockdown settings:
tmsh list net self all-properties | grep -A5 "allow-service"
# Recommended: Set port lockdown to "none" or specific required services only
tmsh modify net self <self-ip-name> allow-service none
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
