A Major F5 Vulnerability was Exploited to Attack and Wipe Devices

A Major F5 Vulnerability was Exploited to Attack and Wipe Devices

In destructive assaults, a recently reported F5 BIG-IP vulnerability was used to delete a device's file system and render the server useless.

Last week, F5 reported CVE-2022-1388, which allows remote attackers to execute commands as 'root' on BIG-IP network devices without authentication. F5 advised administrators to deploy patches as soon as possible due to the bug's serious nature.

Researchers began posting exploits on Twitter and GitHub a few days later, and threat actors used them in attacks across the Internet.


While most assaults drop web shells for initial network access, acquire SSH keys, and enumerate system information, the SANS Internet Storm Center detected two attacks that targeted BIG-IP devices more maliciously.

SANS notified BleepingComputer that their honeypots detected two attacks from IP address 177.54.127[.]111, which ran the command 'rm -rf /*' on the targeted BIG-IP device.

When you use this command, it will attempt to delete all files on the Linux file system of the BIG-IP devices.

Because the exploit grants attackers root access to the Linux operating systems that run BIG-IP devices, the rm -rf /* command can remove any file, even configuration files that are essential for the device to function correctly.

Security researcher Kevin Beaumont confirmed that devices were being wiped this evening after publishing our story.

"I can attest. This tonight, real-world gadgets are being wiped, and many on Shodan have stopped responding, "Beaumont tweeted.

These harmful attacks are not widespread, as most threat actors are more interested in gaining access to the devices than in causing damage.

Bad Packets and GreyNois, two cybersecurity threat intelligence services, told BleepingComputer that they had not witnessed any harmful attacks.

The attacks drop web shells, exfiltrate configs, or run commands to create admin accounts on the devices, according to GreyNois researcher Kimber.

While SANS' destructive attacks are uncommon, they should be enough to motivate administrators to keep their devices up to speed with the latest patch levels.


F5 told BleepingComputer that they are in contact with SANS and encouraged administrators not to expose the BIG-IP administration interface to the Internet when we contacted them about the devastating attacks.

"SANS has been contacted, and the problem is being investigated. Customers should update to a corrected version of BIG-IP or adopt one of the mitigations mentioned in the security advisory if they have not already done so. We encourage clients to never expose their BIG-IP management interface (TMUI) to the public internet and to implement suitable access controls." - F5

It's worth noting that Beaumont discovered that assaults could also affect devices on non-management ports if they're misconfigured.

F5 notified BleepingComputer that their Security Incident Response Team is accessible 24 hours a day, seven days a week, and can be reached at (888) 882-7535, (800) 11-275-435, or online for individuals affected by assaults on their BIG-IP equipment.

Sandfly Security founder Craig Rowland is offering test licenses to F5 BIG-IP administrators who are concerned their devices have already been infected.

1 ratings
Paul Syverson
Paul Syverson
Paul Syverson is the founder of Product Reviews. Paul is a computer scientist; he used to carry out a handful of significant studies which contributed to bringing in many special features on the site. He has a huge passion for computers and other tech products. He is always diligent in delivering quality writings to bring the most value to people.