The Cybersecurity and Infrastructure Security Agency (CISA) added a vulnerability affecting F5’s BIG-IP product to its list of known exploited vulnerabilities on Tuesday following reports earlier in the week that it was being actively exploited.
CISA urged F5 customers last week to patch the vulnerability, which carries a CVSS score of 9.8 and could allow an attacker “to take control of an affected system.”
Over the weekend, several researchers published proof-of-concept code, and by Monday BleepingComputer and Ars Technica had confirmed reports that hackers had started exploiting the vulnerability, which is tracked as CVE-2022-1388.
CronUp security researcher Germán Fernández said he was seeing “massive” exploitation of the bug, with hackers installing webshells “like a backdoor to maintain access” even after the vulnerability was patched.
Fernández later said he had seen over 300 F5 devices compromised via CVE-2022-1388.
Cybersecurity expert Kevin Beaumont also confirmed that the bug was being exploited in the wild. “One thing to note – the exploit attempts I’ve seen so far are not on the management interface. If you configured the F5 box as a load balancer and firewall via a self IP address, it is also vulnerable, which can get messy,” he added.
He later said that devices were being wiped through exploitation of the vulnerability.
F5 published an advisory about the bug last week and said it could allow an attacker with network access to the BIG-IP system management port to run arbitrary system commands, create or delete files, or disable services.
BIG-IP products, which include software and hardware, are widely used by enterprises to help keep their applications operational. The bug is in the iControl REST component, which manages the interaction “between the user or script and the F5 device,” according to the company.
F5 says BIG-IP versions 16.1.0 to 16.1.2, 15.1.0 to 15.1.5, 14.1.0 to 14.1.4, 13.1.0 to 13.1.4, 12.1.0 to 12.1.6 and 11.6.1 to 11.6.5 are affected.
F5 has released patches for every affected branch except 12.1.0 through 12.1.6 and 11.6.1 through 11.6.5. The company urged those running these builds to upgrade to a version that contains the fix.
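To turn the version list above into something an operator can run over an inventory, the following added example (written for this article, not code from F5 or CISA) checks BIG-IP version strings against the affected ranges exactly as the article states them, and flags the two branches the article says received no patch. It assumes the article's ranges are at major.minor.patch granularity, so a version carrying a fourth component (a point release such as a hotfix build) is marked for manual confirmation against F5's advisory rather than judged fixed or unfixed here. The inventory lines are constructed sample data.

```python
import re
from dataclasses import dataclass

# Inclusive affected ranges for CVE-2022-1388 as stated in the article,
# at major.minor.patch granularity.
AFFECTED_RANGES = [
    ((16, 1, 0), (16, 1, 2)),
    ((15, 1, 0), (15, 1, 5)),
    ((14, 1, 0), (14, 1, 4)),
    ((13, 1, 0), (13, 1, 4)),
    ((12, 1, 0), (12, 1, 6)),
    ((11, 6, 1), (11, 6, 5)),
]

# Branches the article says received no patch: upgrading is the only remediation.
UNPATCHED_BRANCHES = {(12, 1), (11, 6)}


@dataclass
class Assessment:
    version: str
    affected: bool         # major.minor.patch prefix falls inside a listed range
    patch_available: bool  # branch received a fix according to the article
    needs_review: bool     # fourth component present: point release may carry the fix


def parse_version(text):
    """Parse 'major.minor.patch' or 'major.minor.patch.point' into a tuple of ints."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:\.(\d+))?", text.strip())
    if not m:
        raise ValueError(f"unrecognised BIG-IP version string: {text!r}")
    return tuple(int(g) for g in m.groups() if g is not None)


def assess(text):
    """Classify one version string against the article's ranges."""
    nums = parse_version(text)
    core = nums[:3]
    # Tuple comparison is lexicographic, so (15, 1, 4) <= (15, 1, 5) behaves as expected.
    affected = any(lo <= core <= hi for lo, hi in AFFECTED_RANGES)
    patch_available = affected and core[:2] not in UNPATCHED_BRANCHES
    # The article lists ranges without a fourth component; a point release inside
    # an affected range must be checked against the vendor advisory by hand.
    needs_review = affected and len(nums) == 4
    return Assessment(text.strip(), affected, patch_available, needs_review)


def assess_inventory(inventory_text):
    """Parse 'hostname version' lines and return a list of (host, Assessment)."""
    results = []
    for line in inventory_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        host, version = line.split(None, 1)
        results.append((host, assess(version)))
    return results


def summarize(results):
    """Count hosts by remediation action for a quick triage view."""
    counts = {"upgrade_required": 0, "patch_available": 0, "review_point_release": 0, "not_listed": 0}
    for _, a in results:
        if not a.affected:
            counts["not_listed"] += 1
        elif a.needs_review:
            counts["review_point_release"] += 1
        elif a.patch_available:
            counts["patch_available"] += 1
        else:
            counts["upgrade_required"] += 1
    return counts


# Constructed sample inventory (hypothetical hostnames and versions).
SAMPLE_INVENTORY = """\
# host            version
lb-edge-01        16.1.2
lb-edge-02        16.1.2.2
lb-core-01        15.1.4
lb-legacy-01      12.1.6
lb-legacy-02      11.6.0
lb-new-01         17.0.0
"""

if __name__ == "__main__":
    rows = assess_inventory(SAMPLE_INVENTORY)
    for host, a in rows:
        print(f"{host:14} {a.version:10} affected={a.affected} "
              f"patch_available={a.patch_available} needs_review={a.needs_review}")
    print(summarize(rows))
```

Hosts in the `upgrade_required` bucket are on 12.1.x or 11.6.x, where the article says no patch exists; the `review_point_release` bucket exists because this checker deliberately does not encode fixed point releases the article does not name.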
CISA set a remediation deadline of May 30 for the bug, but a Shodan search revealed over 2,500 internet-exposed instances around the world. Some experts argued that a number of them could be “honeypots” set up by researchers to study hackers attempting to exploit the vulnerability.
CISA also added five more bugs to the catalog last week, including flaws in Apple, Microsoft, and OpenSSL products.