How to Fix CVE-2022-1388: F5 BIG-IP iControl REST Unauthenticated Command Execution
*By Sai Kiran Pandrala*
| Severity | CVSS 9.8 — Critical |
|---|---|
| Actively exploited? | Yes, listed in CISA KEV. Botnet-scale exploitation within days of disclosure. |
| Affected | F5 BIG-IP 16.1.x before 16.1.2.2, 15.1.x before 15.1.5.1, 14.1.x before 14.1.4.6, 13.1.x before 13.1.5 |
| Fixed in | BIG-IP 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5 (and later) per F5 K23605346 |
| Type (CWE) | Authentication Bypass |
⚠️ Patch immediately. Public exploit code dropped within hours. Mass-exploitation by botnet operators happened within the first week. Internet-exposed BIG-IPs running affected builds at any time post-May 2022 should be assumed compromised.
What is CVE-2022-1388?
The iControl REST API on BIG-IP has an authentication bypass vulnerability that lets an unauthenticated remote attacker execute arbitrary commands as root on the BIG-IP system. The trigger is a specifically crafted HTTP request to the iControl REST endpoint.
BIG-IP sits at the perimeter terminating SSL VPN, load-balancing application traffic, and often serving as the SSL terminator for backend applications. Root on a BIG-IP gives the attacker every TLS private key the device holds, captured traffic, backend service credentials, and a clean pivot into the protected network.
Am I affected?
You are affected if you run F5 BIG-IP on any of these branches:
- 16.1.x: below 16.1.2.2
- 15.1.x: below 15.1.5.1
- 14.1.x: below 14.1.4.6
- 13.1.x: below 13.1.5
Check your TMOS version:
```
tmsh show /sys version
```
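The version check above is easy to get wrong by hand because each branch has its own fixed-in build, and a four-part build such as 16.1.2.1 has to be compared against 16.1.2.2 rather than against 16.1.2. The following is an added example, not part of this guide or of F5's tooling: it parses captured `tmsh show /sys version` output and compares the version against the fixed-in table from this page. The `SAMPLE_TMSH_OUTPUT` text is constructed (the field layout is assumed, and the Build/Date values are made up), and `FIXED_IN`, `is_vulnerable` and `report` are names chosen for the example.

```python
import re

# Fixed-in build per affected TMOS branch, from the "Affected" row above
# (F5 K23605346). A branch missing here (e.g. 17.0.x) is outside the ranges
# this page lists; it is reported as unlisted, not as safe.
FIXED_IN = {
    (16, 1): (16, 1, 2, 2),
    (15, 1): (15, 1, 5, 1),
    (14, 1): (14, 1, 4, 6),
    (13, 1): (13, 1, 5, 0),
}

# Constructed sample of `tmsh show /sys version` output for this example;
# the field layout is assumed and Build/Date values are made up.
SAMPLE_TMSH_OUTPUT = """\
Sys::Version
Main Package
  Product     BIG-IP
  Version     16.1.2.1
  Build       0.0.10
  Edition     Point Release 1
  Date        Thu Jan 20 12:00:00 PST 2022
"""


def parse_version(text):
    """Turn '16.1.2' or '16.1.2.2' into a 4-tuple, zero-padding missing parts
    so that 13.1.5 compares equal to 13.1.5.0 and below 13.1.5.1."""
    parts = [int(p) for p in text.strip().split(".")]
    if not 2 <= len(parts) <= 4:
        raise ValueError(f"unexpected TMOS version string: {text!r}")
    return tuple(parts + [0] * (4 - len(parts)))


def is_vulnerable(version):
    """True if below the branch's fixed-in build, False if at or above it,
    None if the branch is not in FIXED_IN (confirm against the K-article)."""
    v = parse_version(version)
    fixed = FIXED_IN.get(v[:2])
    if fixed is None:
        return None
    return v < fixed


def parse_tmsh_version(output):
    """Pull the Version field out of captured `tmsh show /sys version` output."""
    m = re.search(r"^\s*Version\s+(\d+(?:\.\d+){1,3})\s*$", output, re.MULTILINE)
    if not m:
        raise ValueError("no Version line found in tmsh output")
    return m.group(1)


def report(output):
    """One-line verdict for a captured `tmsh show /sys version` output."""
    version = parse_tmsh_version(output)
    verdict = is_vulnerable(version)
    if verdict is None:
        return f"UNLISTED: {version} is not in an affected branch on this page; confirm against K23605346"
    fixed = ".".join(str(x) for x in FIXED_IN[parse_version(version)[:2]])
    if verdict:
        return f"VULNERABLE: {version} is below fixed-in {fixed}; patch now"
    return f"PATCHED: {version} is at or above fixed-in {fixed}"


if __name__ == "__main__":
    # Feed it the real thing with: tmsh show /sys version | python3 check.py
    print(report(SAMPLE_TMSH_OUTPUT))
```

Run it against the output of every BIG-IP in the estate (including standby units and vCMP guests, which are easy to forget) rather than trusting the version recorded in an inventory system.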
How to fix CVE-2022-1388
- Open F5 K-article K23605346 linked below.
- Download the patched TMOS build from F5 Downloads.
- For HA pairs, upgrade standby first, fail over, upgrade primary.
- Apply the upgrade via GUI or CLI per F5's documented procedure.
- Verify: `tmsh show /sys version`
IoC hunt
- Review iControl REST access logs for unauthenticated requests during the unpatched period.
- Check for unfamiliar admin accounts (`tmsh list /auth user`).
- Audit the file system for unexpected scripts in `/var/tmp/`, `/shared/tmp/`, and similar locations.
- Rotate every credential the BIG-IP holds.
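The first IoC step above, reviewing iControl REST access logs, is tedious on a busy device, so here is an added triage script (not part of this guide or of any F5 tooling). It reads Apache combined-format access log lines, keeps only iControl REST (`/mgmt/`) requests, and flags two things: requests from outside an allowlist of management networks, and any hit on the `/mgmt/tm/util/` command-utility endpoints, which normal automation rarely touches. The `SAMPLE_LOG` lines are constructed (documentation IP ranges, made-up timestamps), the BIG-IP httpd log layout is assumed to be combined format, and `MGMT_ALLOWLIST` is a placeholder you must replace with your own management ranges.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample log lines for this example (combined log format assumed
# for the BIG-IP httpd access log; IPs are documentation ranges).
SAMPLE_LOG = """\
10.0.0.5 - admin [06/May/2022:10:01:02 +0000] "GET /mgmt/tm/sys/version HTTP/1.1" 200 512 "-" "python-requests/2.25"
198.51.100.23 - - [06/May/2022:10:03:44 +0000] "POST /mgmt/tm/util/bash HTTP/1.1" 200 210 "-" "Mozilla/5.0"
10.0.0.5 - - [06/May/2022:10:05:10 +0000] "GET /tmui/login.jsp HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
203.0.113.9 - - [06/May/2022:10:07:31 +0000] "POST /mgmt/shared/authn/login HTTP/1.1" 401 120 "-" "curl/7.79"
"""

# Assumed placeholder: networks your legitimate iControl REST clients
# (automation hosts, admin jump boxes) live in. Replace with your own.
MGMT_ALLOWLIST = [ip_network("10.0.0.0/24")]

# Combined log format: client, ident, user, [timestamp], "METHOD path proto", status ...
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_line(line):
    """Return the fields of one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def in_allowlist(src):
    """True if the source address falls inside one of the management networks."""
    try:
        addr = ip_address(src)
    except ValueError:
        return False
    return any(addr in net for net in MGMT_ALLOWLIST)


def triage(log_text):
    """Return (reason, record) pairs for iControl REST requests worth a human look.

    Two rules, applied independently so one line can trigger both:
    - any /mgmt/ request whose source is outside MGMT_ALLOWLIST (includes
      failed logins; a stranger probing the API is still an indicator);
    - any request under /mgmt/tm/util/, the command-utility endpoints, which
      should be confirmed against known automation one by one."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec or not rec["path"].startswith("/mgmt/"):
            continue
        if not in_allowlist(rec["src"]):
            findings.append(("icontrol-rest request from outside mgmt allowlist", rec))
        if rec["path"].startswith("/mgmt/tm/util/"):
            findings.append(("command-utility endpoint hit", rec))
    return findings


if __name__ == "__main__":
    for reason, rec in triage(SAMPLE_LOG):
        print(f"{rec['ts']} {rec['src']:>15} {rec['method']} {rec['path']} {rec['status']}  <- {reason}")
```

Note the limits: the access log's user field only shows basic-auth users, so a token-authenticated session and an unauthenticated one look the same there. Treat the script as a way to shortlist lines for review, and cross-check the sources it flags against your change records and automation inventory.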
Upgrade BIG-IP to the patched release
```
# Confirm the running version and which boot volume is active
tmsh show sys version
tmsh show sys software
# Download the patched image from the F5 advisory (https://support.f5.com/csp/article/K23605346)
# and copy it to /shared/images/ on the device.
# Save a UCS archive first so the configuration can be restored if the upgrade fails
tmsh save sys ucs /var/local/ucs/pre-patch.ucs
# Install into an inactive boot volume (HD1.2 here; pick one that is not active)
tmsh install sys software image BIGIP-<patched-version>.iso volume HD1.2
# Wait until the install reports complete
tmsh show sys software
# Boot into the new volume (this reboots the unit; on HA pairs do the standby first)
tmsh reboot volume HD1.2
# Post-reboot
tmsh show sys version
```
Verify the fix landed
```
# 1. Confirm the running version matches the fixed-in build from the advisory
#    (https://support.f5.com/csp/article/K23605346) and that the new volume is active:
tmsh show sys version
tmsh show sys software
# 2. Re-scan with your vulnerability scanner (Nessus, Qualys, Tenable, OpenVAS);
#    it should no longer flag CVE-2022-1388 on the patched target.
# 3. Inspect the logs for crash loops or rollback events after the reboot:
tail -n 200 /var/log/ltm
journalctl -u <service> --since "10 minutes ago"
dmesg | tail -n 50
```
If you can't patch immediately
F5 documented three interim mitigations in K23605346:
- Block iControl REST access through self IPs by setting Port Lockdown to Allow None (or Allow Custom without tcp:443 and tcp:8443). Note that Allow None also stops other services that use that self IP, such as config sync; use Allow Custom if you need them:
```
tmsh modify /net self <self-ip-name> allow-service none
tmsh modify /net self-allow defaults delete { tcp:443 tcp:8443 }
```
- Block iControl REST access through the management interface via firewall ACL.
- Apply the iRule shown in the K-article to block the specific exploit pattern.
These reduce exposure. The patch is the only full fix.
How to verify the fix worked
- `tmsh show /sys version` shows the patched build.
- Run a vulnerability scan — CVE-2022-1388 detection should clear.
- The IoC hunt should come back clean (or be remediated).
Frequently asked questions
Is CVE-2022-1388 actively exploited?
Yes. CVE-2022-1388 is on the CISA Known Exploited Vulnerabilities catalog, so federal civilian agencies are required to patch on the published deadline. Most enterprises treat the same date as the practical floor.
What is the CVSS severity of CVE-2022-1388?
Critical. See the advisory for the full CVSS vector.
Where can I read the official advisory?
See https://my.f5.com/manage/s/article/K23605346
Does the patch require a reboot?
It depends on the deployment. Service-only updates usually need a service restart; OS-level fixes require a full reboot. Check the vendor release notes for the exact post-upgrade steps.
References
- Official F5 K-article K23605346: https://my.f5.com/manage/s/article/K23605346
- NVD: https://nvd.nist.gov/vuln/detail/CVE-2022-1388
- CISA KEV catalog entry: https://www.cisa.gov/known-exploited-vulnerabilities-catalog
*This guide was assembled from F5 K23605346, NVD record, and CISA KEV listing on 2026-05-25. Always confirm against F5's K-article before applying changes in production.*
Related fixes
Other vulnerabilities in the same area that are worth patching alongside this one:
- How to Fix CVE-2022-30333: Path Traversal in RARLAB UnRAR
- How to Fix CVE-2022-30525: Command Injection in USG FLEX 100(W) firmware
- How to Fix CVE-2022-23227: Security Vulnerability in NUUO NVRmini2 through
- How to Fix CVE-2022-26871: Remote Code Execution in Trend Micro Apex Central
- How to Fix CVE-2022-3236: Critical Vulnerability in Sophos Firewall