
Manual Mitigation for CVE-2021-22986

By Patrick Mccrudden(csp) posted 03-24-2021 09:51


A recently disclosed vulnerability in F5 BIG-IP has been assigned CVE-2021-22986. It allows unauthenticated remote attackers to execute arbitrary code on vulnerable BIG-IP devices.


Vulnerability Description:
On March 10th, F5 published a security advisory covering 21 CVEs. The most critical one (CVE-2021-22986) can be exploited for unauthenticated remote code execution. In the past week, several security researchers have reverse engineered the Java software patch published by BIG-IP and posted tweets and blogs with detailed POCs. We observed multiple exploitation attempts against our customers in the last 4 days.


Cloud WAF customers and On-Prem customers that subscribe to the “SecureSphere Emergency Feed” (THR feeds) are already protected out of the box (OOTB).


Below are the manual mitigation steps to address F5 BIG-IP exploitation (for On-Prem customers):


  1. Create a new manual dictionary or use an existing one.
  2. Create a new signature (inside the dictionary from the previous step) with the following definition:


  • Signature name: CVE-2021-22986: F5 BIG-IP iControl RCE - 1
  • Signature pattern: part="/mgmt/tm/util/bash", part="command", part="utilCmdArgs"
  • Protocols:
  • Search Signature in: Urls And Parameters


  3. Create a new “HTTP Protocol Signatures” policy that uses the dictionary from step 1 and apply it.
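To make the signature's behaviour concrete, the following is an added example (not code from the original post, from Imperva, or from SecureSphere) that emulates the three-part signature above and runs it over a few constructed HTTP requests. It assumes that the `part=` terms are combined with a logical AND, that each term is matched as a case-insensitive substring, and that "Search Signature in: Urls And Parameters" means the percent-decoded URL path plus every parameter name and value from the query string and the body (JSON or form-encoded). The request dictionaries, their ids and the `PLACEHOLDER` values are all constructed for the demonstration.

```python
import json
from urllib.parse import parse_qsl, unquote, urlsplit

# Signature definition taken from the post; all three part= terms are required.
SIGNATURE_NAME = "CVE-2021-22986: F5 BIG-IP iControl RCE - 1"
SIGNATURE_PARTS = ("/mgmt/tm/util/bash", "command", "utilCmdArgs")


def _parameter_strings(request):
    """Return parameter names and values from the query string and the body.
    Assumption: the body is JSON when the Content-Type says so, otherwise it
    is treated as application/x-www-form-urlencoded."""
    strings = []
    query = urlsplit(request["url"]).query
    for name, value in parse_qsl(query, keep_blank_values=True):
        strings.extend([name, value])
    body = request.get("body", "")
    content_type = request.get("headers", {}).get("Content-Type", "").lower()
    if "json" in content_type:
        try:
            decoded = json.loads(body)
        except ValueError:
            decoded = None
        if isinstance(decoded, dict):
            for name, value in decoded.items():
                strings.extend([str(name), str(value)])
    elif body:
        for name, value in parse_qsl(body, keep_blank_values=True):
            strings.extend([name, value])
    return strings


def signature_matches(request):
    """True when every part= term occurs (case-insensitively) in the decoded
    URL path or in any parameter name or value. The path is percent-decoded
    first, so an encoded path such as /mgmt/tm/util/%62ash still matches."""
    path = unquote(urlsplit(request["url"]).path)
    searchable = "\n".join([path] + _parameter_strings(request)).lower()
    return all(part.lower() in searchable for part in SIGNATURE_PARTS)


def evaluate(requests):
    """Return (request id, matched) pairs, roughly as a WAF alert log would."""
    return [(req["id"], signature_matches(req)) for req in requests]


# Constructed sample traffic (not real captures). The utilCmdArgs value is a
# placeholder: only the presence of the field matters to the signature.
SAMPLE_REQUESTS = [
    {"id": "pool-listing", "method": "GET", "url": "/mgmt/tm/ltm/pool",
     "headers": {}, "body": ""},
    {"id": "bash-endpoint-without-args", "method": "POST",
     "url": "/mgmt/tm/util/bash",
     "headers": {"Content-Type": "application/json"},
     "body": json.dumps({"command": "run"})},
    {"id": "bash-endpoint-with-args", "method": "POST",
     "url": "/mgmt/tm/util/bash",
     "headers": {"Content-Type": "application/json"},
     "body": json.dumps({"command": "run", "utilCmdArgs": "PLACEHOLDER"})},
    {"id": "encoded-path-query-params", "method": "POST",
     "url": "/mgmt/tm/util/%62ash?command=run&utilCmdArgs=PLACEHOLDER",
     "headers": {}, "body": ""},
]

if __name__ == "__main__":
    for request_id, matched in evaluate(SAMPLE_REQUESTS):
        verdict = "MATCH " + SIGNATURE_NAME if matched else "pass"
        print(f"{request_id:32} {verdict}")
```

Running the script shows that only the two requests carrying all three terms are flagged: the request to the bash endpoint without `utilCmdArgs` passes, which illustrates the AND semantics, and the percent-encoded path is caught only because the path is decoded before matching. Two caveats for anyone tuning this in production: SecureSphere's real matching engine may normalise requests differently from this emulation, and a legitimate administrative call to the same iControl endpoint with the same parameters will also match, so alerts on this signature should be reviewed against expected management traffic rather than treated as confirmed exploitation.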