Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2024-28883

CVE-2024-28883: F5 BIG-IP APM Auth Bypass Vulnerability

CVE-2024-28883 is an origin validation flaw in F5 BIG-IP Access Policy Manager that enables attackers to bypass endpoint inspection on VPN clients. This article covers technical details, affected versions, and mitigation.

Published:

CVE-2024-28883 Overview

CVE-2024-28883 is an origin validation vulnerability [CWE-346] in the F5 BIG-IP Access Policy Manager (APM) browser network access VPN client. The flaw affects the client component on Windows, macOS, and Linux platforms. An attacker can bypass F5 endpoint inspection by exploiting improper validation of the request origin between the browser and the VPN client. Successful exploitation allows non-compliant endpoints to establish VPN sessions that should have been blocked by posture checks. F5 published advisory K000138744 documenting the affected versions and remediation guidance. Software versions that have reached End of Technical Support are not evaluated in the advisory.

Critical Impact

Attackers can bypass F5 BIG-IP APM endpoint inspection controls, allowing non-compliant or malicious endpoints to gain VPN access to protected corporate networks.

Affected Products

  • F5 BIG-IP Access Policy Manager (APM)
  • F5 BIG-IP Access Policy Manager Client (browser network access VPN client)
  • Client platforms: Windows, macOS, and Linux

Discovery Timeline

  • 2024-05-08 - CVE-2024-28883 published to NVD
  • 2026-06-17 - Last updated in NVD database

Technical Details for CVE-2024-28883

Vulnerability Analysis

The vulnerability resides in the trust relationship between the BIG-IP APM browser plugin and the local network access VPN client. F5 endpoint inspection relies on the VPN client to evaluate posture requirements, such as antivirus status, patch level, and host identity, before permitting access. The client accepts inspection requests without adequately validating the origin of the caller. An attacker can craft requests that appear to originate from a legitimate BIG-IP APM server or browser context. This causes the client to return manipulated or fabricated posture results.

Root Cause

The root cause is improper origin validation [CWE-346] in the inter-process communication path between the browser and the local VPN client component. The client does not sufficiently verify that inbound inspection or control messages originate from a trusted BIG-IP APM endpoint. This weakness undermines the integrity assumption on which the endpoint inspection policy depends.

Attack Vector

Exploitation requires network access and high attack complexity, with no privileges or user interaction required. An attacker must position themselves to interact with the client's local endpoints or induce the browser to communicate with a controlled endpoint. Once the origin check is bypassed, the attacker submits falsified posture attestations. The BIG-IP APM policy engine then grants VPN access based on incorrect trust in the client response. Impact includes loss of confidentiality and integrity for protected resources, while availability is not directly affected.

No public proof-of-concept code is available for this vulnerability. Refer to the F5 Knowledge Base Article K000138744 for vendor-specific technical details.

Detection Methods for CVE-2024-28883

Indicators of Compromise

  • VPN sessions established from endpoints that fail organizational posture requirements yet appear compliant in BIG-IP APM logs.
  • Unexpected local process interactions with the BIG-IP APM network access client binary on Windows, macOS, or Linux hosts.
  • Anomalous browser-to-localhost communications on ports used by the BIG-IP APM browser plugin outside standard connection flows.

Detection Strategies

  • Correlate BIG-IP APM access logs with independent endpoint telemetry to identify sessions where reported posture disagrees with actual host state.
  • Monitor for VPN logins originating from geographies, devices, or user agents inconsistent with previously observed baselines for each user.
  • Alert on repeated endpoint inspection successes from hosts that historically failed the same checks, which may indicate manipulated responses.

Monitoring Recommendations

  • Forward BIG-IP APM audit and access logs to a central SIEM or data lake for cross-correlation with endpoint posture data.
  • Track version and patch state of the BIG-IP APM browser network access VPN client across the fleet to identify unpatched systems.
  • Review authentication and session establishment events for anomalies in client fingerprint, TLS attributes, or session timing.

How to Mitigate CVE-2024-28883

Immediate Actions Required

  • Apply the fixed versions of the BIG-IP APM browser network access VPN client as listed in F5 advisory K000138744 to all Windows, macOS, and Linux endpoints.
  • Inventory all endpoints running the affected client and prioritize remote-access users and privileged accounts for updates.
  • Review recent VPN access logs for sessions that may have bypassed endpoint inspection prior to remediation.

Patch Information

F5 has published fixed software versions and remediation guidance in the F5 Knowledge Base Article K000138744. Software versions that have reached End of Technical Support (EoTS) are not evaluated and require an upgrade to a supported branch. Administrators should consult the advisory for the specific fixed versions matching their deployed BIG-IP APM release.

Workarounds

  • Enforce additional access controls at the BIG-IP APM policy layer, such as certificate-based device authentication or multi-factor authentication, to reduce reliance on client-side posture attestation alone.
  • Restrict VPN access to managed devices identified by independent inventory or MDM controls until the client is updated.
  • Increase logging verbosity for BIG-IP APM access sessions and monitor for anomalies while patching is in progress.
bash
# Configuration example: verify installed BIG-IP APM client version on endpoints
# Windows (PowerShell)
Get-ItemProperty "HKLM:\SOFTWARE\F5 Networks\*" | Select-Object DisplayName, DisplayVersion

# macOS
pkgutil --pkg-info com.f5.EPI

# Linux
dpkg -l | grep -i f5
# or
rpm -qa | grep -i f5

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.