F5 fixes two remote code execution flaws in BIG-IP, BIG-IQ (Security News, November 2022)
F5 has released hotfixes for its BIG-IP and BIG-IQ products, addressing two high-severity flaws allowing attackers to perform unauthenticated remote code execution on vulnerable endpoints.
While these flaws require specific conditions to be present, which makes them very difficult to exploit, F5 warns that successful exploitation could lead to a complete compromise of the affected devices.
The vulnerabilities were discovered by researchers at Rapid7 in July 2022 and reported to F5 in August 2022.
Yesterday, Rapid7 published a detailed report on the flaws disclosing the technical details of the vulnerabilities.
F5 is unaware of any exploitation incidents involving either of the vulnerabilities disclosed by Rapid7.
Apart from the two high-severity flaws, Rapid7 also discovered several security control bypass methods, but these will not be fixed because the vendor does not consider them practically exploitable.