CVE-2022-27806

8.7 HIGH

📋 TL;DR

This vulnerability allows authenticated administrators on F5 BIG-IP systems running in Appliance mode to bypass security restrictions through command injection in Guided Configuration URIs. Attackers can execute arbitrary commands on the system, potentially gaining full control. Affected versions include multiple BIG-IP Advanced WAF, ASM, and Guided Configuration releases.

💻 Affected Systems

Products:
  • F5 BIG-IP Advanced WAF
  • F5 BIG-IP ASM
  • F5 BIG-IP Guided Configuration
Versions: BIG-IP: 16.1.x, 15.1.x, 14.1.x, 13.1.x, 12.1.x, 11.6.x; Guided Configuration: all versions prior to 9.0
Operating Systems: F5 TMOS
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects systems running in Appliance mode. Requires authenticated attacker with Administrator role.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system compromise allowing attackers to execute arbitrary commands, access sensitive data, pivot to other systems, and maintain persistent access.

🟠 Likely Case

Privilege escalation and bypass of Appliance mode security controls, enabling unauthorized configuration changes and potential lateral movement.

🟢 If Mitigated

Limited impact if proper access controls and network segmentation are implemented, restricting attacker movement even after initial compromise.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires authenticated administrator access. Specific vulnerable URIs are undisclosed by F5.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: BIG-IP: Fixed in 17.0.0 and later; Guided Configuration: Fixed in 9.0 and later

Vendor Advisory: https://support.f5.com/csp/article/K68647001

Restart Required: Yes

Instructions:

1. Upgrade BIG-IP to version 17.0.0 or later.
2. Upgrade Guided Configuration to version 9.0 or later.
3. Apply patches through F5 support if upgrading is not immediately possible.
4. Restart affected services after patching.

🔧 Temporary Workarounds

Restrict Administrator Access (applies to: all)

Limit the number of users with Administrator role and implement strict access controls.

Network Segmentation (applies to: all)

Isolate BIG-IP management interfaces from untrusted networks and implement strict firewall rules.

🧯 If You Can't Patch

  • Implement strict access controls and monitor administrator account activity
  • Disable Guided Configuration if not required, or restrict access to its management interface

🔍 How to Verify

Check if Vulnerable:

Check BIG-IP version with 'tmsh show sys version' and Guided Configuration version via management interface. Compare against affected versions.

Check Version:

tmsh show sys version

Verify Fix Applied:

Verify BIG-IP version is 17.0.0+ and Guided Configuration is 9.0+ using version check commands and management interface.
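As an added example (not part of the F5 advisory or this card), a small Python helper that reads `tmsh show sys version` output and compares it against the version ranges listed above. The sample output layout is constructed (assumed, not captured from a device), and the Guided Configuration version is passed in by hand because it is read from the management interface rather than from tmsh.

```python
import re

# Affected BIG-IP branches as listed on this card (major.minor prefixes);
# the card states the fix ships in 17.0.0, so every listed branch is below it.
AFFECTED_BIGIP_BRANCHES = {(16, 1), (15, 1), (14, 1), (13, 1), (12, 1), (11, 6)}
# Guided Configuration: all versions prior to 9.0 are affected.
GC_FIXED = (9, 0)

# Constructed sample of `tmsh show sys version` output (layout assumed).
SAMPLE_TMSH_OUTPUT = """\
Sys::Version
Main Package
  Product     BIG-IP
  Version     16.1.2
  Build       0.0.18
  Edition     Point Release 2
"""


def parse_version(text: str) -> tuple:
    """Return the numeric tuple from the 'Version' line, e.g. (16, 1, 2)."""
    m = re.search(r"^\s*Version\s+([0-9][0-9.]*)", text, re.MULTILINE)
    if not m:
        raise ValueError("no Version line found in tmsh output")
    return tuple(int(p) for p in m.group(1).strip(".").split("."))


def bigip_vulnerable(version: tuple) -> bool:
    """True when the major.minor branch is one of the affected branches."""
    return tuple(version[:2]) in AFFECTED_BIGIP_BRANCHES


def gc_vulnerable(gc_version: str) -> bool:
    """True when the Guided Configuration version is below the 9.0 fix."""
    parts = tuple(int(p) for p in gc_version.strip().split("."))
    return parts < GC_FIXED


def assess(tmsh_output: str, gc_version: str) -> dict:
    """Combine both checks into one result a script can act on."""
    bigip = parse_version(tmsh_output)
    return {
        "bigip_version": bigip,
        "bigip_vulnerable": bigip_vulnerable(bigip),
        "gc_vulnerable": gc_vulnerable(gc_version),
    }


if __name__ == "__main__":
    print(assess(SAMPLE_TMSH_OUTPUT, "8.3"))
```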

📡 Detection & Monitoring

Log Indicators:

  • Unusual command execution patterns in system logs
  • Multiple failed authentication attempts followed by successful admin login
  • Unexpected configuration changes to Appliance mode settings

Network Indicators:

  • Unusual outbound connections from BIG-IP management interface
  • Traffic to/from Guided Configuration URIs with suspicious parameters

SIEM Query:

source="bigip_logs" AND (event_type="command_execution" OR user_role="Administrator") AND uri="*guided-config*"
