Security News

F5 announced enhancements to its application security portfolio. "To help today's customers succeed, security must be native to applications and APIs, continuous, applied in real time, and powered by data and AI.".

F5 announced the appointment of two senior executives as the company bolsters its focus on customer success, business transformation, and cybersecurity. Yvette Smith joins the company today as Senior Vice President of Customer Success and Business Transformation, where she will lead a newly formed group combining both functions and multiple other teams into a single organization committed to delighting customers.

The urgency to patch gaping security holes in F5 Networks BIG-IP and BIG-IQ products escalated over the weekend after researchers spotted malicious in-the-wild attack activity. Malware hunters at U.K.-based NCC Group are raising the alarm for mass scanning and "Multiple exploitation attempts" with exploits targeting critical security flaws in the F5 enterprise networking infrastructure products.

Almost 10 days after application security company F5 Networks released patches for critical vulnerabilities in its BIG-IP and BIG-IQ products, adversaries have begun opportunistically mass scanning and targeting exposed and unpatched networking devices to break into enterprise networks. News of in the wild exploitation comes on the heels of a proof-of-concept exploit code that surfaced online earlier this week by reverse-engineering the Java software patch in BIG-IP. The mass scans are said to have spiked since March 18.

Attackers are exploiting a recently-patched, critical vulnerability in F5 devices that have not yet been updated. The unauthenticated remote command execution flaw exists in the F5 BIG-IP and BIG-IQ enterprise networking infrastructure, and could allow attackers to take full control over a vulnerable system.

On Thursday, cybersecurity firm NCC Group said that it detected successful in the wild exploitation of a recently patched critical vulnerability in F5 BIG-IP and BIG-IQ networking devices. The security vulnerability these attackers attempt to exploit is an unauthenticated remote command execution tracked as CVE-2021-22986, and it affects most F5 BIG-IP and BIG-IQ software versions.

F5 Networks is warning users to patch four critical remote command execution flaws in its BIG-IP and BIG-IQ enterprise networking infrastructure. The company released an advisory, Wednesday, on seven bugs in total, with two others rated as high risk and one rated as medium risk, respectively.

To kick off, there's CVE-2021-22987, which scores a 9.9 on the ten-point CVSS scale of severity as it "Allows authenticated users with network access to the Configuration utility, through the BIG-IP management port, or self IP addresses, to execute arbitrary system commands, create or delete files, or disable services." Administrators are advised the flaw allows "Complete system compromise and breakout of Appliance mode." Note that this can only be exploited via the control plane, and it does require an attacker to have a valid login - so a rogue insider or someone using stolen credentials, perhaps. At a mere 9.8 rating, CVE-2021-22986 "Allows for unauthenticated attackers with network access to the iControl REST interface, through the BIG-IP management interface and self IP addresses, to execute arbitrary system commands, create or delete files, and disable services." Complete system compromise is again a possible consequence.

Application security company F5 Networks on Wednesday published an advisory warning of four critical vulnerabilities impacting multiple products that could result in a denial of service attack and even unauthenticated remote code execution on target networks. The four critical flaws affect BIG-IP versions 11.6 or 12.x and newer, with a critical pre-auth remote code execution also affecting BIG-IQ versions 6.x and 7.x. F5 said it's not aware of any public exploitation of these issues.

Application services and network delivery firm F5 on Wednesday announced the release of patches for seven related vulnerabilities in BIG-IP, including four with a "Critical" severity rating. On March 10, F5 announced the release of fixes for multiple vulnerabilities in BIG-IP, some of which also impact BIG-IQ, a framework designed to help with the management of BIG-IP devices and application services.