CVE-2024-31156 Overview
A stored cross-site scripting (XSS) vulnerability exists in an undisclosed page of the F5 BIG-IP Configuration utility that allows an attacker to run JavaScript in the context of the currently logged-in user. This vulnerability affects multiple BIG-IP product modules and could enable attackers to steal session credentials, perform unauthorized actions, or compromise administrative access to critical network infrastructure.
Critical Impact
Authenticated attackers can inject persistent malicious scripts into the BIG-IP Configuration utility, potentially compromising administrative sessions and enabling full control over affected BIG-IP appliances.
Affected Products
- F5 BIG-IP Access Policy Manager
- F5 BIG-IP Advanced Firewall Manager
- F5 BIG-IP Advanced Web Application Firewall
- F5 BIG-IP Analytics
- F5 BIG-IP Application Acceleration Manager
- F5 BIG-IP Application Security Manager
- F5 BIG-IP Application Visibility and Reporting
- F5 BIG-IP Automation Toolchain
- F5 BIG-IP Carrier-Grade NAT
- F5 BIG-IP Container Ingress Services
- F5 BIG-IP DDoS Hybrid Defender
- F5 BIG-IP Domain Name System
- F5 BIG-IP Edge Gateway
- F5 BIG-IP Fraud Protection Service
- F5 BIG-IP Global Traffic Manager
- F5 BIG-IP Link Controller
- F5 BIG-IP Local Traffic Manager
- F5 BIG-IP Policy Enforcement Manager
- F5 BIG-IP SSL Orchestrator
- F5 BIG-IP WebAccelerator
- F5 BIG-IP WebSafe
Discovery Timeline
- May 8, 2024 - CVE-2024-31156 published to NVD
- October 21, 2025 - Last updated in NVD database
Technical Details for CVE-2024-31156
Vulnerability Analysis
This stored XSS vulnerability (CWE-79) exists within the BIG-IP Configuration utility web interface. Unlike reflected XSS attacks that require victim interaction with a malicious link, stored XSS persists within the application's data storage. When other users—particularly administrators—access the affected page, the malicious JavaScript executes automatically in their browser context.
The vulnerability requires low-privilege authenticated access to exploit but can have devastating consequences when triggered by higher-privileged users. An attacker who successfully exploits this vulnerability could hijack administrative sessions, modify BIG-IP configurations, create backdoor accounts, or exfiltrate sensitive network configuration data.
F5 has not disclosed the specific page or input field affected, which is common practice to prevent immediate exploitation while organizations apply patches. Software versions that have reached End of Technical Support (EoTS) are not evaluated for this vulnerability.
Root Cause
The root cause is improper input validation and output encoding in the BIG-IP Configuration utility web interface. User-supplied input is stored in the application without adequate sanitization and is subsequently rendered in web pages without proper output encoding, allowing injected JavaScript to execute in victims' browsers.
Attack Vector
The attack vector is network-based and requires authentication with low privileges. An attacker must first gain authenticated access to the BIG-IP Configuration utility, then inject malicious JavaScript payload into a vulnerable input field. The payload is stored server-side and executes whenever any user views the affected page.
The attack flow typically follows these steps:
- Attacker authenticates to the BIG-IP Configuration utility with valid credentials
- Attacker navigates to the vulnerable page and submits input containing malicious JavaScript
- The payload is stored in the application's data store
- When a victim (typically an administrator) views the page, the malicious script executes
- The script can steal session tokens, perform actions as the victim, or modify configurations
Since the XSS payload persists, it can affect multiple users over time without requiring the attacker to maintain active engagement with the target.
Detection Methods for CVE-2024-31156
Indicators of Compromise
- Unusual JavaScript code or HTML tags appearing in BIG-IP Configuration utility database fields or logs
- Unexpected session activity from administrative accounts, particularly from different IP addresses
- Creation of unauthorized user accounts or modification of existing account privileges
- Unusual configuration changes to BIG-IP services without corresponding change management records
- Browser-based alerts or errors when administrators access configuration pages
Detection Strategies
- Review BIG-IP Configuration utility access logs for suspicious input patterns containing <script>, javascript:, event handlers, or encoded variants
- Monitor for unexpected administrative actions that do not correlate with known administrator activity windows
- Implement Content Security Policy (CSP) headers to detect and block inline script execution attempts
- Audit user account creation and privilege modification events in BIG-IP systems
- Deploy web application firewall rules to detect common XSS payload patterns in requests to the Configuration utility
Monitoring Recommendations
- Enable comprehensive audit logging for all BIG-IP Configuration utility access and modifications
- Configure SIEM alerts for patterns indicative of XSS attacks or session hijacking
- Monitor network traffic from BIG-IP management interfaces for unusual outbound connections that could indicate data exfiltration
- Implement real-time alerting for administrative account changes and critical configuration modifications
How to Mitigate CVE-2024-31156
Immediate Actions Required
- Apply the security patches provided by F5 as documented in F5 Security Advisory K000138636
- Restrict access to the BIG-IP Configuration utility to trusted networks and IP addresses only
- Review existing user accounts with access to the Configuration utility and remove unnecessary privileges
- Audit recent changes to BIG-IP configurations for any unauthorized modifications
- Consider enabling two-factor authentication for administrative access where supported
Patch Information
F5 has released patches addressing this vulnerability. Organizations should consult the F5 Security Advisory K000138636 for specific version information and upgrade paths. Software versions that have reached End of Technical Support (EoTS) are not evaluated and should be upgraded to supported versions.
Workarounds
- Restrict network access to the BIG-IP Configuration utility management interface using firewall rules or network segmentation
- Implement strict network ACLs to allow Configuration utility access only from trusted management networks
- Deploy a web application firewall in front of the Configuration utility to filter potential XSS payloads
- Limit the number of users with access to the Configuration utility and enforce principle of least privilege
- Use separate browser profiles or dedicated management workstations for BIG-IP administration to limit the impact of potential session compromise
# Example: Restrict Configuration utility access to management network
# Add to BIG-IP Self IP configuration for management interface
# Replace 10.0.0.0/24 with your trusted management network
tmsh modify sys httpd allow replace-all-with { 10.0.0.0/24 }
tmsh save sys config
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
