F5 BIG-IP Vulnerabilities

By Lumifi Cyber | March 23, 2021

Twelve days ago, F5 announced several security vulnerabilities that were largely overshadowed by the Exchange/Hafnium situation.

It's important to understand that some of these are critical, remote command execution-level vulnerabilities that require nothing more than an attacker being able to connect to an F5 BIG-IP device.

For those devices, being positioned "in front of" web server clusters is standard, so they are often exposed to the Internet on purpose.

There are already indicators that various attackers are scanning for these devices and exploiting them once found. Other security researchers have seen attacks that resulted in the theft of authenticated session tokens, meaning that they could impersonate administrators and control or reconfigure the devices. Some existing malware has already been repurposed to act on these vulnerabilities.


Here are the vulnerabilities as listed by F5: https://support.f5.com/csp/article/K02566623

The NCC Group, a team of security researchers, has published this information on the active exploitation they are seeing.

Palo Alto's Unit42 has also published details on the attacks along with Indicators of Compromise (IOCs) they've assembled.


Patches are available for those vulnerabilities and should be applied immediately. Recognize that you may have mitigating controls in place already, such as limiting access to the iControl REST APIs or UI of the systems to only trusted management networks, or blocking them completely if you are not leveraging that functionality.
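
One way to check that the access restriction described above is actually in effect (an added example, not Lumifi's or F5's code): scan HTTP logs from a proxy or firewall in front of the BIG-IP for requests to the management plane from outside the trusted networks. The Common Log Format input, the trusted CIDR ranges, and the sample lines are assumptions constructed for illustration.

```python
import ipaddress
import re

# Assumption: the networks allowed to reach the management plane (constructed values).
TRUSTED_MGMT_NETS = [ipaddress.ip_network(n) for n in ("10.20.0.0/24", "192.168.50.0/28")]

# URL prefixes of the BIG-IP management plane: iControl REST (/mgmt/) and the web UI (/tmui/).
MGMT_PREFIXES = ("/mgmt/", "/tmui/")

# Common Log Format: client address first, quoted request line, then status code.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

def is_trusted(src):
    """True if src parses as an IP address inside a trusted management network."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False  # hostnames or garbage are never treated as trusted
    return any(addr in net for net in TRUSTED_MGMT_NETS)

def find_untrusted_mgmt_access(lines):
    """Return (src, method, path, status) for management requests from untrusted sources."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        # Drop the query string, collapse repeated slashes, compare case-insensitively.
        path = re.sub(r"/+", "/", m["path"].split("?", 1)[0]).lower()
        if path.startswith(MGMT_PREFIXES) and not is_trusted(m["src"]):
            findings.append((m["src"], m["method"], path, int(m["status"])))
    return findings

# Constructed sample log lines (documentation address ranges), not real traffic.
SAMPLE_LOG = [
    '10.20.0.15 - admin [23/Mar/2021:10:01:02 +0000] "GET /mgmt/tm/sys/version HTTP/1.1" 200 512',
    '203.0.113.7 - - [23/Mar/2021:10:02:10 +0000] "GET /mgmt/tm/sys/version HTTP/1.1" 401 87',
    '198.51.100.23 - - [23/Mar/2021:10:03:44 +0000] "GET /tmui/login.jsp HTTP/1.1" 200 4096',
    '203.0.113.7 - - [23/Mar/2021:10:04:00 +0000] "GET /index.html HTTP/1.1" 200 1024',
    'not a log line',
]

if __name__ == "__main__":
    for hit in find_untrusted_mgmt_access(SAMPLE_LOG):
        print("untrusted management access:", hit)
```

Any finding, whatever its status code, means the management plane answered a request from outside the trusted networks and the restriction should be reviewed.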

Lumifi is actively searching your managed SIEM platform for these indicators, and we have added the known IOCs to this OTX Pulse.

We encourage all of our clients with F5 BIG-IP devices to please reach out to us as soon as possible so that we can better assist you with this situation. If you have any questions, please do not hesitate to contact us.
