CVE-2021-22986

9.8 CRITICAL

📋 TL;DR

CVE-2021-22986 is an unauthenticated remote command execution vulnerability in the iControl REST interface of F5 BIG-IP and BIG-IQ devices. Attackers can exploit this to execute arbitrary commands on affected systems without authentication. This affects multiple versions of BIG-IP (12.1.x-16.0.x) and BIG-IQ (7.0.0.x-7.1.0.x) that haven't been patched.

💻 Affected Systems

Products:
  • F5 BIG-IP
  • F5 BIG-IQ
Versions: BIG-IP: 12.1.x before 12.1.5.3, 13.1.x before 13.1.3.6, 14.1.x before 14.1.4, 15.1.x before 15.1.2.1, 16.0.x before 16.0.1.1; BIG-IQ: 7.0.0.x before 7.0.0.2, 7.1.0.x before 7.1.0.3
Operating Systems: F5 TMOS
Default Config Vulnerable: ⚠️ Yes
Notes: End of Software Development (EoSD) versions are not evaluated but may be vulnerable. The iControl REST interface must be accessible.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete system compromise allowing attackers to gain root access, steal sensitive data, deploy ransomware, pivot to internal networks, and maintain persistent access.

🟠 Likely Case: Remote code execution leading to data exfiltration, installation of backdoors, credential theft, and lateral movement within the network.

🟢 If Mitigated: Limited impact if proper network segmentation, access controls, and monitoring are in place, though exploitation attempts may still cause service disruption.

🌐 Internet-Facing: HIGH
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Multiple public exploit scripts and proof-of-concepts are available. The vulnerability is actively exploited in the wild.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: BIG-IP: 12.1.5.3, 13.1.3.6, 14.1.4, 15.1.2.1, 16.0.1.1; BIG-IQ: 7.0.0.2, 7.1.0.3

Vendor Advisory: https://support.f5.com/csp/article/K03009991

Restart Required: Yes

Instructions:

1. Download the appropriate hotfix from F5 Downloads.
2. Upload it to the BIG-IP/BIG-IQ system.
3. Install it using the WebUI or CLI.
4. Reboot the system as required.

🔧 Temporary Workarounds

Block iControl REST Access (platform: all)

Restrict access to the iControl REST interface using network controls: configure firewall rules to block external access to the iControl REST ports (typically 443).

Disable iControl REST (platform: linux)

Temporarily disable the vulnerable service if it is not required:

tmsh modify /sys httpd service disable

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate affected devices
  • Deploy intrusion detection/prevention systems with signatures for this CVE

🔍 How to Verify

Check if Vulnerable:

Check version using 'tmsh show sys version' and compare against affected versions

Check Version:

tmsh show sys version

Verify Fix Applied:

Verify version is patched using 'tmsh show sys version' and ensure it matches fixed versions
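The two checks above reduce to one comparison: find the release branch the device is on, then compare its version against the fixed version for that branch. The script below automates that using the fixed versions listed on this page. It is an added example written for this page, not F5 tooling; the sample `tmsh show sys version` output is constructed, and the layout it assumes (`Product` and `Version` lines under `Main Package`) is an assumption.

```python
import re

# Fixed versions as listed on this page (BIG-IP: 12.1.5.3, 13.1.3.6, 14.1.4,
# 15.1.2.1, 16.0.1.1; BIG-IQ: 7.0.0.2, 7.1.0.3).
FIXED_VERSIONS = {
    "BIG-IP": ["12.1.5.3", "13.1.3.6", "14.1.4", "15.1.2.1", "16.0.1.1"],
    "BIG-IQ": ["7.0.0.2", "7.1.0.3"],
}

# Number of leading version components that identify a release branch:
# BIG-IP branches are 12.1.x, 13.1.x, ...; BIG-IQ branches are 7.0.0.x, 7.1.0.x.
BRANCH_DEPTH = {"BIG-IP": 2, "BIG-IQ": 3}

# Constructed sample of 'tmsh show sys version' output (assumed layout,
# not captured from a real device).
SAMPLE_OUTPUT = """\
Sys::Version
Main Package
  Product     BIG-IP
  Version     15.1.0.4
  Build       0.0.6
  Edition     Point Release 4
  Date        Tue Jun 30 12:32:15 PDT 2020
"""


def parse_sys_version(text):
    """Extract (product, version) from tmsh output; raise if either is missing."""
    product = re.search(r"^\s*Product\s+(\S+)", text, re.MULTILINE)
    version = re.search(r"^\s*Version\s+([\d.]+)", text, re.MULTILINE)
    if not product or not version:
        raise ValueError("could not find Product/Version in tmsh output")
    return product.group(1), version.group(1)


def version_tuple(version):
    """'15.1.0.4' -> (15, 1, 0, 4) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in version.split("."))


def assess(product, version):
    """Return 'patched', 'vulnerable', or 'unknown' for CVE-2021-22986.

    'unknown' covers branches this page does not list (for example EoSD
    releases, which are not evaluated but may still be vulnerable).
    """
    if product not in FIXED_VERSIONS:
        return "unknown"
    depth = BRANCH_DEPTH[product]
    current = version_tuple(version)
    for fixed in FIXED_VERSIONS[product]:
        fixed_t = version_tuple(fixed)
        if current[:depth] == fixed_t[:depth]:
            # Tuples compare lexicographically, so a shorter fixed version
            # such as 14.1.4 compares correctly against 14.1.4.0.
            return "patched" if current >= fixed_t else "vulnerable"
    return "unknown"


def assess_output(text):
    """Parse tmsh output and return (product, version, status)."""
    product, version = parse_sys_version(text)
    return product, version, assess(product, version)


if __name__ == "__main__":
    product, version, status = assess_output(SAMPLE_OUTPUT)
    print(f"{product} {version}: {status}")
```

Feed it the real output of `tmsh show sys version` in place of the constructed sample; a result of `unknown` means the branch is outside the versions this page evaluates and needs a manual check against the vendor advisory rather than being treated as safe.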

📡 Detection & Monitoring

Log Indicators:

  • Unusual iControl REST requests
  • Unexpected command execution logs
  • Authentication bypass attempts

Network Indicators:

  • Suspicious traffic to iControl REST endpoints
  • Unexpected outbound connections from BIG-IP/BIG-IQ

SIEM Query:

source="bigip_logs" AND ("iControl" OR "REST" OR "unauthorized")
