{"dataType":"CVE_RECORD","dataVersion":"5.1","cveMetadata":{"state":"PUBLISHED","cveId":"CVE-2022-1388","assignerOrgId":"9dacffd4-cb11-413f-8451-fbbfd4ddc0ab","assignerShortName":"f5","dateUpdated":"2025-10-21T23:15:40.370Z","dateReserved":"2022-04-19T00:00:00.000Z","datePublished":"2022-05-05T16:18:04.472Z"},"containers":{"cna":{"datePublic":"2022-05-04T00:00:00.000Z","providerMetadata":{"orgId":"9dacffd4-cb11-413f-8451-fbbfd4ddc0ab","shortName":"f5","dateUpdated":"2023-10-18T00:25:05.758Z"},"descriptions":[{"lang":"en","value":"On F5 BIG-IP 16.1.x versions prior to 16.1.2.2, 15.1.x versions prior to 15.1.5.1, 14.1.x versions prior to 14.1.4.6, 13.1.x versions prior to 13.1.5, and all 12.1.x and 11.6.x versions, undisclosed requests may bypass iControl REST authentication. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated"}],"affected":[{"vendor":"F5","product":"BIG-IP","versions":[{"version":"17.0.0","status":"unaffected","lessThan":"17.0.x*","versionType":"custom"},{"version":"16.1.x","status":"affected","lessThan":"16.1.2.2","versionType":"custom"},{"version":"15.1.x","status":"affected","lessThan":"15.1.5.1","versionType":"custom"},{"version":"14.1.x","status":"affected","lessThan":"14.1.4.6","versionType":"custom"},{"version":"13.1.x","status":"affected","lessThan":"13.1.5","versionType":"custom"},{"version":"12.1.x","status":"affected","lessThanOrEqual":"12.1.6","versionType":"custom"},{"version":"11.6.x","status":"affected","lessThanOrEqual":"11.6.5","versionType":"custom"}]}],"references":[{"url":"https://support.f5.com/csp/article/K23605346"},{"url":"http://packetstormsecurity.com/files/167007/F5-BIG-IP-Remote-Code-Execution.html"},{"url":"http://packetstormsecurity.com/files/167118/F5-BIG-IP-16.0.x-Remote-Code-Execution.html"},{"url":"http://packetstormsecurity.com/files/167150/F5-BIG-IP-iControl-Remote-Code-Execution.html"},{"url":"https://www.secpod.com/blog/critical-f5-big-ip-remote-code-execution-vulnerability-patch-now/"}],"metrics":[{"cvssV3_1":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH","baseScore":9.8,"baseSeverity":"CRITICAL"}}],"problemTypes":[{"descriptions":[{"type":"CWE","lang":"en","description":"CWE-306 Missing Authentication for Critical Function","cweId":"CWE-306"}]}],"x_generator":{"engine":"Vulnogram 0.0.9"},"source":{"discovery":"INTERNAL"}},"adp":[{"providerMetadata":{"orgId":"af854a3a-2127-422b-91ae-364da2661108","shortName":"CVE","dateUpdated":"2024-08-03T00:03:06.011Z"},"title":"CVE Program Container","references":[{"url":"https://support.f5.com/csp/article/K23605346","tags":["x_transferred"]},{"url":"http://packetstormsecurity.com/files/167007/F5-BIG-IP-Remote-Code-Execution.html","tags":["x_transferred"]},{"url":"http://packetstormsecurity.com/files/167118/F5-BIG-IP-16.0.x-Remote-Code-Execution.html","tags":["x_transferred"]},{"url":"http://packetstormsecurity.com/files/167150/F5-BIG-IP-iControl-Remote-Code-Execution.html","tags":["x_transferred"]},{"url":"https://www.secpod.com/blog/critical-f5-big-ip-remote-code-execution-vulnerability-patch-now/","tags":["x_transferred"]}]},{"metrics":[{"other":{"type":"ssvc","content":{"id":"CVE-2022-1388","role":"CISA Coordinator","options":[{"Exploitation":"active"},{"Automatable":"yes"},{"Technical Impact":"total"}],"version":"2.0.3","timestamp":"2025-01-29T20:27:21.338441Z"}}},{"other":{"type":"kev","content":{"dateAdded":"2022-05-10","reference":"https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2022-1388"}}}],"references":[{"url":"https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2022-1388","tags":["government-resource"]}],"timeline":[{"time":"2022-05-10T00:00:00.000Z","lang":"en","value":"CVE-2022-1388 added to CISA KEV"}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2025-10-21T23:15:40.370Z"}}]}}