CVE-2022-1388
F5 BIG-IP Missing Authentication Vulnerability
Confirmed exploited in the wild. Added 2022-05-10.
Federal remediation due 2022-05-31.
Required action: Apply updates per vendor instructions.
Summary
On F5 BIG-IP 16.1.x versions prior to 16.1.2.2, 15.1.x versions prior to 15.1.5.1, 14.1.x versions prior to 14.1.4.6, 13.1.x versions prior to 13.1.5, and all 12.1.x and 11.6.x versions, undisclosed requests may bypass iControl REST authentication. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
CVSS 3.1 breakdown
| Metric | Value |
| --- | --- |
| Base score | 9.8 (CRITICAL) |
| Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| Attack vector | NETWORK |
| Attack complexity | LOW |
| Privileges required | NONE |
| User interaction | NONE |
| Scope | UNCHANGED |
| Confidentiality | HIGH |
| Integrity | HIGH |
| Availability | HIGH |
Weakness type (CWE)
Affected products
References
- http://packetstormsecurity.com/files/167007/F5-BIG-IP-Remote-Code-Execution.html
- http://packetstormsecurity.com/files/167118/F5-BIG-IP-16.0.x-Remote-Code-Execution.html
- http://packetstormsecurity.com/files/167150/F5-BIG-IP-iControl-Remote-Code-Execution.html
- https://support.f5.com/csp/article/K23605346
- https://www.secpod.com/blog/critical-f5-big-ip-remote-code-execution-vulnerability-patch-now/
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2022-1388
Data: NIST NVD + CISA KEV. NVD last modified 2025-10-27. Always verify against the vendor advisory before acting.