CVE-2024-22093

8.7 HIGH

📋 TL;DR

An authenticated remote command injection vulnerability exists in an undisclosed iControl REST endpoint on F5 multi-bladed systems running in appliance mode. It allows an authenticated attacker to execute arbitrary commands and potentially cross security boundaries. Only F5 multi-bladed systems with this specific configuration are affected.

💻 Affected Systems

Products:
  • F5 BIG-IP multi-bladed systems
Versions: Specific versions not disclosed in public advisory
Operating Systems: F5 TMOS
Default Config Vulnerable: ✅ No
Notes: Only affects systems running in appliance mode with multi-blade configuration. Software versions at End of Technical Support (EoTS) are not evaluated.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Full system compromise allowing an attacker to execute arbitrary commands with elevated privileges, potentially gaining control over the entire appliance and connected systems.

🟠 Likely Case

Unauthorized command execution leading to data exfiltration, lateral movement within the network, or service disruption.

🟢 If Mitigated

Limited impact due to the authentication requirement and the specific configuration needed, but still a significant risk if exploited.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires authentication and specific knowledge of the undisclosed endpoint. The multi-blade configuration requirement adds further complexity.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Refer to F5 advisory K000137522 for specific fixed versions

Vendor Advisory: https://my.f5.com/manage/s/article/K000137522

Restart Required: Yes

Instructions:

1. Review F5 advisory K000137522.
2. Identify the affected version.
3. Upgrade to a fixed version per vendor guidance.
4. Restart affected services.

🔧 Temporary Workarounds

Restrict iControl REST Access

Applies to: all

  • Limit access to iControl REST endpoints to trusted IP addresses only
  • Configure network ACLs to restrict access to iControl REST ports (typically 443)

Disable Appliance Mode if Not Required

Applies to: all

  • If appliance mode is not needed for your deployment, disable it
  • Consult F5 documentation for disabling appliance mode specific to your configuration

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate affected systems
  • Enforce strong authentication and monitor for suspicious iControl REST access patterns

🔍 How to Verify

Check if Vulnerable:

Check whether the system is multi-bladed and running in appliance mode. Review the F5 advisory for the specific version checks.

Check Version:

tmsh show sys version

Verify Fix Applied:

Verify that the system is running a version listed as fixed in F5 advisory K000137522.

📡 Detection & Monitoring

Log Indicators:

  • Unusual iControl REST endpoint access patterns
  • Authentication attempts followed by command execution patterns
  • System logs showing unexpected process execution

Network Indicators:

  • Unusual traffic to iControl REST endpoints from unexpected sources
  • Command and control traffic originating from F5 systems

SIEM Query:

source="f5_bigip" AND (event_type="authentication" OR event_type="command_execution") | stats count by src_ip, user
