What is F5 BIG-IP?
F5 BIG-IP is a family of enterprise application delivery controllers (ADC) and security appliances used by Fortune 500 companies, financial institutions, and government agencies to load-balance web applications, provide SSL offloading, and deliver application-layer security. BIG-IP acts as the reverse proxy gateway for all web traffic to an organization's applications — sitting at the edge of enterprise networks and handling authentication, WAF, DDoS protection, and global server load balancing. BIG-IQ Centralized Management provides a unified management plane for fleets of BIG-IP devices. Because BIG-IP is the front door to critical applications, RCE on BIG-IP gives an attacker complete visibility into and control over all application traffic passing through the device.
Overview
CVE-2021-22986 is an unauthenticated remote code execution vulnerability in the iControl REST API interface of F5 BIG-IP and BIG-IQ Centralized Management. The iControl REST API is accessible on the BIG-IP management interface and, in some configurations, on the data plane. An unauthenticated attacker with network access to the iControl REST API can send a specially crafted HTTP request to execute arbitrary system commands, create or delete files, and disable services — with no credentials required. Mass exploitation began within hours of public proof-of-concept publication in March 2021. This was one of the most rapidly weaponized enterprise vulnerabilities of 2021, with cryptominer and ransomware deployments documented within 24 hours of PoC release.
Affected Versions
| Product | Vulnerable | Fixed |
|---|---|---|
| BIG-IP 16.0.x before 16.0.1.1 | Yes | 16.0.1.1 |
| BIG-IP 15.1.x before 15.1.2.1 | Yes | 15.1.2.1 |
| BIG-IP 14.1.x before 14.1.4 | Yes | 14.1.4 |
| BIG-IP 13.1.x before 13.1.3.6 | Yes | 13.1.3.6 |
| BIG-IP 12.1.x before 12.1.5.3 | Yes | 12.1.5.3 |
| BIG-IQ 7.1.0 before 7.1.0.3 | Yes | 7.1.0.3 |
| BIG-IQ 7.0.0 before 7.0.0.2 | Yes | 7.0.0.2 |
Technical Details
The iControl REST API provides programmatic management access to BIG-IP systems. The authentication mechanism for this API contains a flaw:
- Root cause: The iControl REST API improperly validates incoming requests (tracked as CWE-918, SSRF, and functioning in effect as an authentication bypass), allowing unauthenticated callers to issue management API commands that should require administrator credentials
- Command execution: API endpoints that execute system commands (bash, tmsh) are accessible without authentication, allowing arbitrary OS command execution on the BIG-IP TMOS operating system
- Attack surface: The iControl REST API runs on the management interface (port 443) and optionally on data plane self-IPs — organizations that expose the management interface to the internet are immediately exploitable
- Execution context: Commands execute as root on BIG-IP TMOS, giving complete control of the appliance including traffic handling rules, SSL certificates, and WAF policies
- Companion vulnerabilities: CVE-2021-22986 was disclosed alongside CVE-2021-22987 (authenticated RCE via TMUI) and CVE-2021-22991 (TMM buffer overflow) — all patched in the same F5 advisory
Discovery
Reported to F5 by external security researchers. F5 released patches on March 10, 2021, and proof-of-concept exploit code was published approximately one week later, triggering immediate mass exploitation.
Exploitation Context
CVE-2021-22986 became one of the most heavily exploited vulnerabilities in the months after disclosure. Rapid7 documented mass scanning and exploitation within hours of PoC publication. Cryptominers were deployed within 24 hours; ransomware deployments followed. The vulnerability particularly affects organizations that expose BIG-IP management interfaces to the internet — a configuration that F5 explicitly warns against but that is common in practice. Thousands of BIG-IP systems are internet-accessible, as confirmed by Shodan and Censys scans. Nation-state actors also exploited CVE-2021-22986 for espionage purposes.
Remediation
- Apply F5 patches per Security Advisory K02566623 — update to fixed versions listed above
- Immediately restrict access to the iControl REST API — the BIG-IP management interface should never be accessible from the internet
- Apply F5's recommended management interface access controls: restrict to a dedicated out-of-band management network accessible only to administrators
- If immediate patching is not possible: block all external access to the management interface (port 443 on the management IP) via upstream firewall rules
- Review BIG-IP iControl REST audit logs for unauthorized API calls, particularly commands involving bash execution or file operations
- Check for unauthorized changes to BIG-IP configuration, virtual server policies, iRules, and SSL certificates
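To make the audit-log review step concrete, here is an added example (written for this page, not code from F5 or from the advisory) that parses restjavad-style iControl REST audit records, flags writes to the command-execution and file-operation endpoints, and flags any call whose source address lies outside the management network. The audit-line format, the `/mgmt/tm/util/unix-` prefix and the sample records are assumptions constructed for the example.

```python
import ipaddress
import json
import re
from urllib.parse import urlsplit

# Assumed shape of an iControl REST (restjavad) audit-log line; the sample
# records below are constructed for this example, not taken from a real device.
LINE_RE = re.compile(r"^\[\w\]\[\d+\]\[(?P<ts>[^\]]+)\]\[[^\]]+\]\s*(?P<body>\{.*\})\s*$")

# Endpoint prefixes that run OS commands or touch files; any write to them
# deserves review. The unix-* prefix is an assumption covering the util family.
SENSITIVE_PREFIXES = ("/mgmt/tm/util/bash", "/mgmt/tm/util/unix-")
WRITE_METHODS = {"POST", "PUT", "PATCH", "DELETE"}

SAMPLE_LOG = """\
[I][12][18 Mar 2021 10:02:11 UTC][ForwarderPassThroughWorker] {"user":"local/admin","method":"GET","uri":"http://localhost:8100/mgmt/tm/sys/version","status":200,"from":"10.10.0.5"}
[I][13][18 Mar 2021 10:03:40 UTC][ForwarderPassThroughWorker] {"user":"local/admin","method":"POST","uri":"http://localhost:8100/mgmt/tm/util/bash","status":200,"from":"203.0.113.77"}
[I][14][18 Mar 2021 10:04:02 UTC][ForwarderPassThroughWorker] {"user":"local/ops","method":"POST","uri":"http://localhost:8100/mgmt/tm/util/bash","status":200,"from":"10.10.0.5"}
not an audit record, should be ignored
"""

def parse_line(line):
    # Return the fields of one audit record, or None for lines that are not records.
    m = LINE_RE.match(line)
    if not m:
        return None
    body = json.loads(m.group("body"))
    return {"ts": m.group("ts"), "user": body.get("user", ""), "method": body.get("method", ""),
            "path": urlsplit(body.get("uri", "")).path, "from": body.get("from", "")}

def find_suspicious(lines, mgmt_nets):
    # Flag writes to command/file endpoints and any call from outside mgmt_nets.
    nets = [ipaddress.ip_network(n) for n in mgmt_nets]
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        reasons = []
        if rec["method"] in WRITE_METHODS and rec["path"].startswith(SENSITIVE_PREFIXES):
            reasons.append("command/file endpoint")
        try:
            if not any(ipaddress.ip_address(rec["from"]) in n for n in nets):
                reasons.append("source outside management network")
        except ValueError:
            reasons.append("unparseable source address")
        if reasons:
            findings.append({**rec, "reasons": reasons})
    return findings
```

Run `find_suspicious(SAMPLE_LOG.splitlines(), ["10.10.0.0/24"])` to get the two flagged records; on a real device, feed it the restjavad audit log and the actual out-of-band management prefixes.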
Key Details
| Property | Value |
|---|---|
| CVE ID | CVE-2021-22986 |
| Vendor / Product | F5 — BIG-IP and BIG-IQ Centralized Management |
| NVD Published | 2021-03-31 |
| NVD Last Modified | 2025-10-27 |
| CVSS 3.1 Score | 9.8 |
| CVSS 3.1 Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| Severity | CRITICAL |
| CWE | CWE-918 |
| CISA KEV Added | 2021-11-03 |
| CISA KEV Deadline | 2021-11-17 |
| Known Ransomware Use | Yes |
Timeline
| Date | Event |
|---|---|
| 2021-03-10 | F5 releases patches for CVE-2021-22986 and companion BIG-IP vulnerabilities |
| 2021-03-18 | Public proof-of-concept exploit published; mass exploitation begins within hours |
| 2021-03-31 | CVE published |
| 2021-11-03 | Added to CISA Known Exploited Vulnerabilities catalog |
| 2021-11-17 | CISA BOD 22-01 remediation deadline |
References
| Resource | Type |
|---|---|
| F5 Security Advisory K02566623 — CVE-2021-22986 | Vendor Advisory |
| Rapid7 — Observed Exploitation of F5 BIG-IP Vulnerabilities | Security Research |
| NVD — CVE-2021-22986 | Vulnerability Database |
| CISA KEV Catalog Entry | US Government |