CVE-2021-22986
critical-risk
Published 2021-03-31
On BIG-IP versions 16.0.x before 16.0.1.1, 15.1.x before 15.1.2.1, 14.1.x before 14.1.4, 13.1.x before 13.1.3.6, and 12.1.x before 12.1.5.3 amd BIG-IQ 7.1.0.x before 7.1.0.3 and 7.0.0.x before 7.0.0.2, the iControl REST interface has an unauthenticated remote command execution vulnerability. Note: Software versions which have reached End of Software Development (EoSD) are not evaluated.
Do I need to act?
!
94.5% chance of exploitation in next 30 days
EPSS score — higher than 6% of all CVEs
!
CISA KEV: actively exploited in the wild
On the Known Exploited Vulnerabilities catalog — federal agencies must patch
!
1 public exploit available
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
9
CVSS 9.8/10
Critical
NETWORK
/ LOW complexity
Affected Products (15)
Affected Vendors
References (7)
Vendor Advisory
https://support.f5.com/csp/article/K03009991
Vendor Advisory
https://support.f5.com/csp/article/K03009991
US Government Resource
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-...
Get this data via API
curl -H "Authorization: Bearer YOUR_KEY" \
https://cyber.phasetransitions.ai/api/v1/cves/CVE-2021-22986
Free tier: 100 requests/day, no credit card.
77
/ 100
critical-risk
Severity
32/34 · Critical
Exploitability
27/34 · High
Exposure
18/34 · Moderate