CISA tells federal agencies to fix actively exploited F5 BIG-IP bug
2022-05-11 14:35

The U.S. Cybersecurity and Infrastructure Security Agency has added a new security vulnerability to its list of actively exploited bugs, the critical severity CVE-2022-1388 affecting BIG-IP network devices.

After information surfaced about F5 BIG-IP exploits being used in attacks to brick devices, CISA added the flaw to the Known Exploited Vulnerabilities Catalog.

According to the BOD 22-01 binding operational directive issued in November, all Federal Civilian Executive Branch Agencies must secure their systems against attacks that would abuse security flaws added to CISA's KEV catalog.

On Tuesday, the U.S. cybersecurity agency gave the agencies three weeks, until May 31st, to patch the actively exploited CVE-2022-1388 vulnerability to block any ongoing and potentially destructive exploitation attempts.

Although the directive only applies to U.S. federal agencies, CISA also strongly urges all organizations to fix this bug to hinder attacks.

Since BOD 22-01 was issued, CISA has added hundreds of security bugs to its list of vulnerabilities actively exploited in attacks, ordering U.S. federal agencies to patch to prevent breaches.


News URL

https://www.bleepingcomputer.com/news/security/cisa-tells-federal-agencies-to-fix-actively-exploited-f5-big-ip-bug/

Related Vulnerability

Date: 2022-05-05
CVE: CVE-2022-1388
Vulnerability title: Missing Authentication for Critical Function vulnerability in F5 products
Description: On F5 BIG-IP 16.1.x versions prior to 16.1.2.2, 15.1.x versions prior to 15.1.5.1, 14.1.x versions prior to 14.1.4.6, 13.1.x versions prior to 13.1.5, and all 12.1.x and 11.6.x versions, undisclosed requests may bypass iControl REST authentication.
Attack vector: network
Attack complexity: low
Vendor: f5
CWE: CWE-306
Risk: critical, 9.8

Related vendor

VENDOR  LAST 12M  #/PRODUCTS  LOW  MEDIUM  HIGH  CRITICAL  TOTAL VULNS
F5      143                   6    276     404   64        750