F5 BIG-IP Vulnerability Advisory | May 2022

A popular suite of Multi-Purpose Networking Devices and Modules contains a critical vulnerability. Here's what you need to know.


On May 4, 2022, technology company F5 released patches for a critical remote code execution vulnerability, CVE-2022-1388, affecting its BIG-IP family of products, which include popular load balancer devices and software. The 9.8 CVSS critical vulnerability allows threat actors with network access to take over BIG-IP systems which can allow for them to execute commands, create or delete files or disable services.

Quick facts: what you need to know now

  • The vulnerability has a score of 9.8, meaning it’s critical. And researchers warned they developed an exploit within days of F5’s announcement (meaning active exploitation is soon to be expected).
  • Fixes are available in versions 17.0.0,,,, and 13.1.5. 
  • Firmware versions 11.x and 12.x will not receive security updates and users relying on those versions should consider upgrading to a newer version or apply the workarounds listed below.
  • Although this is a critical vulnerability, it is important to note that the vulnerability only impacts the control plane and does not impact the data plane (the control plane is the part of a network that controls how data is forwarded, while the data plane is the actual forwarding process).

Overview of BIG-IP and How It Works

What is BIG-IP?

F5's BIG-IP is a family of networking products including software and hardware designed around application availability, access control, and security solutions. F5 BIG-IP enables control over network traffic and selects the right destination based on server performance, security, and availability.

One of the main uses of BIG-IP software is as a load balancer. A load balancer is like a ‘traffic controller’ for a server – it directs requests to an available server that is capable of fulfilling the request efficiently. The goal is to reduce the additional load on a particular server and ensure seamless operations and response, giving the end-user a better experience. Load balancers ensure reliability and availability by monitoring the “health” of applications and only sending requests to servers and applications that can respond in a timely manner.

How does BIG-IP work?

F5 BIG-IP devices work in a modular manner - meaning that you can add ‘modules’ to the F5 BIG-IP devices as needed per an organization's requirements. BIG-IP software products are licensed modules that run on top of F5's Traffic Management Operation System. Below are the primary BIG-IP Software modules, all of which are impacted by this critical vulnerability.

  • BIG-IP Local Traffic Manager (LTM) - LTM provides the platform for creating virtual servers, performance, service, protocol, authentication, and security profiles to define and shape application traffic. Most other modules in the BIG-IP family use LTM as a foundation for enhanced services.
  • BIG-IP DNS - Distributes DNS and user application requests based on business policies, data center and network conditions, user location, and application performance.
  • BIG-IP Application Security Manager -  Detects and mitigates bots, secures credentials and sensitive data, and defends against application DoS.
  • BIG-IP Access Policy Manager -  Delivers unified global access to a network, cloud, and applications. 
  • BIG-IP Advanced Firewall Manager - Network firewall designed to guard data centers against incoming threats that enter the network on the most widely deployed protocols.

Next Steps for All F5 BIG-IP Customers:

    1. Determine if your organization is using F5 BIG-IP directly or via a vendor.
    2. If your organization has a vendor that utilizes the F5 BIG-IP suite of networking products, reach out to your vendor contact and confirm they have applied the patches.
    3. If your organization uses F5 BIG-IP software/devices directly, update to the latest version as soon as possible according to the chart in F5’s advisory.
        • Fixes are available in versions 17.0.0,,,, and 13.1.5. 
        • Firmware versions 11.x and 12.x will not receive security updates as they are EOL (end-of-life), and users relying on those versions should upgrade to a newer version and apply the following mitigations until the upgrade is in place:
          • Block iControl REST access through the self IP address
          • Block iControl REST access through the management interface, and
          • Modify the BIG-IP httpd configuration


      If you have any questions, please reach out to the Risk + Response Team at services@corvusinsurance.com!