CVE-2021-23025
📋 TL;DR
An authenticated attacker with access to the BIG-IP Configuration utility (the management web interface) can execute arbitrary commands on the underlying system. The flaw affects multiple BIG-IP versions, including all releases of 12.1.x and 11.6.x, which have reached end of technical support and will not receive a fix; systems on those branches must be upgraded to a supported branch rather than patched in place.
💻 Affected Systems
- F5 BIG-IP
📦 What is this software?
- Big Ip Advanced Web Application Firewall by F5
- Big Ip Application Acceleration Manager by F5
- Big Ip Application Security Manager by F5
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise with administrative access, data exfiltration, lateral movement, and persistent backdoor installation.
Likely Case
Unauthorized command execution leading to configuration changes, service disruption, or credential theft.
If Mitigated
Limited impact due to network segmentation, strong authentication controls, and minimal user privileges.
🎯 Exploit Status
Exploitation requires valid credentials for the Configuration utility, so the exposure is every account that can log in to the management interface, including credentials obtained by phishing, reuse, or an earlier breach. Public proof-of-concept exploits exist for other BIG-IP remote command execution vulnerabilities in the same interface, so treat the management plane as actively targeted and assume a credentialed attacker will find working tooling quickly.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 15.1.0.5, 14.1.3.1, 13.1.3.5 (or later within the same branch); confirm the fixed versions against the vendor advisory before upgrading, and note that 12.1.x and 11.6.x have no fixed release.
Vendor Advisory: https://support.f5.com/csp/article/K55543151
Restart Required: Yes
Instructions:
1. Download the appropriate software image from F5 Downloads and verify its published checksum.
2. Back up the configuration as a UCS archive and copy it off the device.
3. Install the image to an inactive boot location via tmsh or the GUI.
4. Reboot into the new boot location.
5. Verify the running version and that the configuration loaded correctly.
🔧 Temporary Workarounds
Restrict Configuration Utility Access
Limit access to the Configuration utility using network ACLs and source IP restrictions. The httpd allow list below applies to the management interface (the same Apache instance also fronts iControl REST, so REST clients must be included); replace the example subnets with your real management networks, keep the list as narrow as possible, and save the configuration afterward so the change persists across reboots.
tmsh modify /sys httpd allow replace-all-with { 10.0.0.0/8 192.168.0.0/16 }
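The command above sets the allow list; to audit what a device actually has (the BIG-IP default is `allow { all }`, which applies no source restriction at all), the following Python script, added here and not part of the page or of F5's tooling, parses the output of `tmsh list sys httpd allow` and flags entries that leave the Configuration utility broadly reachable. The sample outputs embedded in the script are constructed, and the private-range list is an assumption that should be replaced with your actual management subnets.

```python
import ipaddress
import re

# Constructed samples of `tmsh list sys httpd allow` output (not captured from
# a real device). The first is the BIG-IP default; the second is the result of
# the tmsh workaround command on this page.
DEFAULT_ALLOW = """\
sys httpd {
    allow { all }
}
"""

RESTRICTED_ALLOW = """\
sys httpd {
    allow { 10.0.0.0/8 192.168.0.0/16 }
}
"""

# Assumed acceptable source ranges for management access: RFC 1918, IPv6 ULA
# and loopback. Tighten this list to your real management subnets.
PRIVATE_NETS = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
              "127.0.0.0/8", "fc00::/7", "::1/128")
]


def parse_httpd_allow(tmsh_output: str) -> list:
    """Return the entries inside `allow { ... }`, in order, or [] if absent."""
    m = re.search(r"\ballow\s*\{([^}]*)\}", tmsh_output)
    return m.group(1).split() if m else []


def _inside_private(net) -> bool:
    # subnet_of() only works across the same IP version, so guard on it.
    return any(net.version == p.version and net.subnet_of(p) for p in PRIVATE_NETS)


def audit_httpd_allow(tmsh_output: str) -> list:
    """Return findings for entries that leave the Configuration utility broadly reachable.

    An empty list means every entry is a subnet of one of PRIVATE_NETS.
    """
    entries = parse_httpd_allow(tmsh_output)
    if not entries:
        return ["no 'allow' block found in tmsh output"]
    findings = []
    for entry in entries:
        if entry.lower() == "all":
            findings.append("allow { all }: BIG-IP default, no source restriction")
            continue
        try:
            # strict=False accepts host addresses such as 10.1.1.5 (treated as /32)
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError:
            findings.append(f"unparseable entry {entry!r}")
            continue
        if net.prefixlen == 0:
            findings.append(f"{entry} matches every address")
        elif not _inside_private(net):
            findings.append(f"{entry} is outside the private/loopback ranges")
    return findings


if __name__ == "__main__":
    for label, sample in (("default", DEFAULT_ALLOW), ("restricted", RESTRICTED_ALLOW)):
        print(label, audit_httpd_allow(sample) or ["ok"])
```

Run it against the saved output of `tmsh list sys httpd allow` from each device; a non-empty findings list means the workaround is not in place, or is in place but with ranges wider than a management subnet.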
Implement Strong Authentication
Enforce MFA and strong password policies for Configuration utility access. BIG-IP delegates authentication to RADIUS, TACACS+ or LDAP/Active Directory when remote authentication is configured, so MFA is normally enforced at that backend; local accounts (including admin and root) still need strong, unique passwords and should be reviewed for unexpected additions.
🧯 If You Can't Patch
- Isolate BIG-IP systems behind firewalls with strict network segmentation
- Implement least privilege access controls and monitor all Configuration utility access
🔍 How to Verify
Check if Vulnerable:
Determine the running software version (Configuration utility: System > Software Management, or the tmsh command below) and compare it with the affected versions in the vendor advisory. Systems on 12.1.x or 11.6.x are affected regardless of point release.
Check Version:
tmsh show sys version
Verify Fix Applied:
The running version must be 15.1.0.5, 14.1.3.1, or 13.1.3.5, or later within its branch. On systems with several boot locations, confirm the fixed version is the active one: an image installed to an inactive volume provides no protection until you boot into it.
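As an added example (not from the original page or from F5), this Python script parses `tmsh show sys version` output and classifies the version against the fixed versions stated on this page. The sample output is constructed and abbreviated, and the version table is copied from this page, so confirm it against the vendor advisory before relying on it in a fleet check.

```python
import re

# Constructed, abbreviated sample of `tmsh show sys version` output (not
# captured from a real device); the field names follow the real layout.
SAMPLE_TMSH_VERSION = """\
Sys::Version
Main Package
  Product     BIG-IP
  Version     14.1.2
  Build       0.0.37
  Edition     Final
"""

# Fixed versions as stated on this page, keyed by release branch.
# Assumption: confirm these against the F5 advisory (K55543151).
FIXED_IN = {
    (15, 1): (15, 1, 0, 5),
    (14, 1): (14, 1, 3, 1),
    (13, 1): (13, 1, 3, 5),
}
# Branches the page lists as end of technical support: affected, no fix.
END_OF_SUPPORT = {(12, 1), (11, 6)}


def parse_version(tmsh_output: str) -> tuple:
    """Extract the Version line and return it as a 4-tuple (missing parts are 0)."""
    m = re.search(r"^\s*Version\s+([\d.]+)", tmsh_output, re.MULTILINE)
    if not m:
        raise ValueError("no Version line in tmsh output")
    parts = [int(p) for p in m.group(1).split(".")]
    return tuple((parts + [0, 0, 0, 0])[:4])


def assess(version: tuple) -> str:
    """Classify a 4-tuple version against the page's fixed-version table.

    Returns 'vulnerable', 'fixed', 'end-of-support' (affected, no fix available)
    or 'not-listed' (branch not covered by this page; check the advisory).
    """
    branch = version[:2]
    if branch in END_OF_SUPPORT:
        return "end-of-support"
    if branch not in FIXED_IN:
        return "not-listed"
    return "fixed" if version >= FIXED_IN[branch] else "vulnerable"


def assess_tmsh_output(tmsh_output: str) -> str:
    """Convenience wrapper: tmsh output in, status string out."""
    return assess(parse_version(tmsh_output))


if __name__ == "__main__":
    v = parse_version(SAMPLE_TMSH_VERSION)
    print(".".join(map(str, v)), "->", assess(v))
```

Tuple comparison does the version ordering, which is why the version is padded to four components: 14.1.3 must sort below 14.1.3.1, and a bare 14.1.2 must not be read as newer than 14.1.2.0.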
📡 Detection & Monitoring
Log Indicators:
- Configuration changes and tmsh commands recorded in /var/log/audit from unexpected users, source hosts or times. Commands spawned directly by an exploited httpd process may not produce an AUDIT entry, so an empty audit trail is not evidence of absence; also review /var/log/ltm for unexpected daemon restarts or system events.
- Repeated failed Configuration utility logins in /var/log/secure followed by a successful login from the same source address
- Configuration changes from source addresses outside the management subnets, and newly created or modified users, SSH keys, iRules or cron entries
Network Indicators:
- Unexpected outbound connections from BIG-IP systems
- Traffic to suspicious IPs/domains
SIEM Query:
Do not exclude the admin account from this query: it is exactly the account an attacker holding stolen credentials is most likely to use. Filter on source address outside the management ranges instead (field names depend on your SIEM's BIG-IP parser):
source="bigip" AND (event_type="command_execution" OR event_type="config_change") AND NOT src_ip IN ("10.0.0.0/8", "192.168.0.0/16")
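Two of the log indicators above (a burst of failed logins followed by a success from the same source, and configuration changes from outside the management networks) implemented as detection logic over sample log lines. This is an added example, not code from the page or from F5; the log lines are constructed and use a simplified layout rather than the exact BIG-IP syslog format, so the two regexes must be adapted to what your devices actually write to /var/log/secure and /var/log/audit.

```python
import ipaddress
import re
from datetime import datetime, timedelta

# Constructed sample log lines (simplified stand-in for BIG-IP /var/log/secure
# login records and /var/log/audit configuration transactions). Scenario: an
# attacker at 203.0.113.9 guesses the admin password, then opens the allow list.
SAMPLE_LOG = """\
Aug 10 12:00:01 bigip1 httpd[2201]: login user=admin host=203.0.113.9 result=FAILED
Aug 10 12:00:03 bigip1 httpd[2201]: login user=admin host=203.0.113.9 result=FAILED
Aug 10 12:00:05 bigip1 httpd[2201]: login user=admin host=203.0.113.9 result=FAILED
Aug 10 12:00:07 bigip1 httpd[2201]: login user=admin host=203.0.113.9 result=FAILED
Aug 10 12:00:09 bigip1 httpd[2201]: login user=admin host=203.0.113.9 result=FAILED
Aug 10 12:00:40 bigip1 httpd[2201]: login user=admin host=203.0.113.9 result=OK
Aug 10 12:01:10 bigip1 tmsh[3301]: AUDIT - user=admin host=203.0.113.9 - modify sys httpd allow replace-all-with { all } [Status=Commit]
Aug 10 12:05:00 bigip1 httpd[2201]: login user=ops host=10.20.30.4 result=OK
Aug 10 12:06:00 bigip1 tmsh[3301]: AUDIT - user=ops host=10.20.30.4 - modify ltm pool web_pool members add { 10.1.1.5:80 } [Status=Commit]
"""

# Assumed line layouts; rewrite these for the real formats on your devices.
TS = r"(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d)"
LOGIN_RE = re.compile(TS + r" \S+ httpd\[\d+\]: login user=(?P<user>\S+) host=(?P<host>\S+) result=(?P<result>OK|FAILED)")
AUDIT_RE = re.compile(TS + r" \S+ tmsh\[\d+\]: AUDIT - user=(?P<user>\S+) host=(?P<host>\S+) - (?P<cmd>.*?) \[Status=Commit\]")


def _ts(text: str) -> datetime:
    # Syslog timestamps carry no year; only relative ordering is needed here.
    return datetime.strptime(text, "%b %d %H:%M:%S")


def brute_force_then_success(lines, threshold: int = 5, window=timedelta(minutes=5)) -> list:
    """Flag hosts with >= threshold failed logins followed by a success within `window`."""
    failures = {}  # host -> timestamps of failed logins since the last success
    findings = []
    for line in lines:
        m = LOGIN_RE.match(line)
        if not m:
            continue
        host, t = m["host"], _ts(m["ts"])
        if m["result"] == "FAILED":
            failures.setdefault(host, []).append(t)
            continue
        recent = [f for f in failures.get(host, []) if t - f <= window]
        if len(recent) >= threshold:
            findings.append({"host": host, "user": m["user"],
                             "failures": len(recent), "success_at": m["ts"]})
        failures.pop(host, None)  # a success resets the counter for that host
    return findings


def changes_from_unexpected_sources(lines, allowed_nets) -> list:
    """Flag committed configuration changes whose source host is outside allowed_nets."""
    nets = [ipaddress.ip_network(n) for n in allowed_nets]
    findings = []
    for line in lines:
        m = AUDIT_RE.match(line)
        if not m:
            continue
        ip = ipaddress.ip_address(m["host"])
        if not any(ip in n for n in nets):
            findings.append({"host": m["host"], "user": m["user"], "command": m["cmd"]})
    return findings


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    print(brute_force_then_success(lines))
    print(changes_from_unexpected_sources(lines, ["10.0.0.0/8", "192.168.0.0/16"]))
```

The second detector deliberately keys on source address rather than on username: in the sample, the attacker's change is made as admin and would be invisible to a query that excludes that account.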