F5 BIG-IP iControl auth bypass (CVE-2022-1388) → root on LB
Connection-header smuggle bypasses iControl REST auth, command-injection RCE as root. Load balancers see all traffic — recover TLS keys, session cookies, internal SSO config.
§ Context
Assumed environment: target operates F5 BIG-IP load balancers unpatched for CVE-2022-1388. Management interface reachable from the attacker (often inadvertently exposed externally).
§ Steps
- 01. Pivot into internal apps (Initial Access): T1078 Valid Accounts
- 02. Command injection → root shell (Execution): T1059 Command and Scripting Interpreter
- 03. Intercept session cookies + creds on the LB (Credential Access): T1539 Steal Web Session Cookie
- 04. Extract TLS keys from /config/ (Credential Access): T1552 Unsecured Credentials
- 05. Find F5 BIG-IP management UI (Reconnaissance): W-RECON-FINGERPRINT Tech Stack Fingerprinting
- 06. Connection-header auth bypass (Initial Access): CVE-F5-BIGIP F5 BIG-IP iControl REST Auth Bypass (CVE-2022-1388)
§ References
§ Frequently asked
- What is the "F5 BIG-IP iControl auth bypass (CVE-2022-1388) → root on LB" attack path?
- Connection-header smuggle bypasses iControl REST auth, command-injection RCE as root. Load balancers see all traffic — recover TLS keys, session cookies, internal SSO config. It chains 6 steps drawn from real-world offensive-security techniques.
- What starting position does this attack require?
- The first step is Pivot into internal apps (T1078), an initial access primitive. Assumed environment: target operates F5 BIG-IP load balancers unpatched for CVE-2022-1388.
- What is the final impact of this kill-chain?
- The final step lands on Connection-header auth bypass (CVE-F5-BIGIP), which falls under Initial Access. From here, an operator typically pivots into post-exploitation or maintains persistence.
- How can defenders detect or prevent this attack?
- Detection and prevention vary per step. Refer to each linked MITRE ATT&CK entry under "References" — every technique on that page lists defensive controls, detection telemetry, and known threat-actor usage.
§ Related dossiers
- Apache Struts S2-045 (CVE-2017-5638) → Equifax-style breach (shared techniques: 3)
  Crafted Content-Type header is parsed as OGNL — execute commands as the app user. The 2017 Equifax breach origin: unpatched Struts endpoint exposed to the internet.
- Spring4Shell (CVE-2022-22965) → JSP webshell on Tomcat (shared techniques: 3)
  Send a crafted POST that uses Spring's data-binding to mutate Tomcat's logging configuration — turn its access log into a JSP file written under webapps/, then request it.
- FortiGate SSL-VPN pre-auth RCE → config theft (shared techniques: 3)
  Pre-auth heap overflow / format-string against FortiGate sslvpnd grants root on the appliance. Pull the running config, decrypt stored RADIUS / LDAP / VPN-user secrets.
- Citrix Bleed → steal authenticated session → MFA bypass (shared techniques: 3)
  Send a long Host header to a vulnerable NetScaler — memory disclosure leaks an authenticated session token already past MFA. Replay the token to log into the corporate VPN.
- 5G core GTP-U user-plane injection → subscriber MITM (shared techniques: 2)
  Attacker on a transit network between mobile-core hops (or with a compromised UPF). GTP-U packets are typically unfiltered between PEs; inject packets into subscriber bearers — credential capture, free-of-charge tunnels, downstream attacks.
- nf_tables UAF → kernel R/W → root (shared techniques: 2)
  CVE-2024-1086-class nf_tables UAF reachable from a user namespace. Win the race with userfaultfd to land an attacker object in the freed slot, build a kernel R/W primitive, overwrite the current task's cred struct.