System scan (Robert Lucian Crusitu/

Massive vulnerability uncovered in popular networking device

A particularly dangerous vulnerability has been uncovered in F5’s BIG-IP networking devices produced by F5, impacting enterprise networks across the globe.

According to F5, the remote code execution vulnerability exists in the traffic management user interface of the company’s BIG-IP networking devices, allowing unauthenticated attackers to launch RCE attacks, including creating or deleting files, disabling services and issuing other arbitrary system commands.

The vulnerability was rated “critical” and given a 10/10, the highest possible severity score, by the Common Vulnerability Scoring System. A patch was quickly developed, but information security professionals say the attack is simple to carry out and organizations may have already missed their opportunity to avoid exploitation. 

Federal cybersecurity agencies sounded the alarm because the networking devices are a popular choice to support many enterprise; researchers have found thousands of such devices connected to the internet through Shodan. Government contracting records show a number of agencies that have either procured F5 BIG-IP devices or maintenance services for existing devices over the past five years, including the Departments of Commerce, Defense, State, multiple branches of the military, the FBI and a number of smaller agencies.

On July 3, U.S. Cyber Command advised organizations to “remediate immediately,” adding that patching the vulnerabilities “should not be postponed over the weekend.” The Cybersecurity and Infrastructure Security Agency put out an alert encouraging users to patch, and CISA Director Chris Krebs said his organization was already seeing reports of active scanning and possible exploitation of the vulnerability. Over the weekend, Krebs warned the “pre-exploit window to patch [is] slamming shut right in front of your eyes” and that organizations that hasn’t patched their devices by Sunday morning should “assume compromise.”

Curtis Dukes, former head of the Information Assurance Directorate at NSA and executive vice president at the Center for Internet Security, said that F5 BIG-IP devices are used by most large organizations, including major cloud service providers. Because it’s an RCE vulnerability, attacks can reach any device connected to the internet, regardless of where the attacker or device is located. A simple HTTP request can give attackers access to the server, where they can carry out credential theft, denial of service, file exfiltration or other attacks. He also highlighted cloud service providers and government entities that manage large datasets as particularly at-risk.

“Pretty much every industry sector uses the device and is likely susceptible -- if they are internet-facing -- to an attack,” Dukes said.

This article was first posted to FCW, a sibling site to GCN.

About the Author

Derek B. Johnson is a former senior staff writer at FCW.


  • Russia prying into state, local networks

    A Russian state-sponsored advanced persistent threat actor targeting state, local, territorial and tribal government networks exfiltrated data from at least two victims.

  • Marines on patrol (US Marines)

    Using AVs to tell friend from foe

    The Defense Advanced Research Projects Agency is looking for ways autonomous vehicles can make it easier for commanders to detect and track threats among civilians in complex urban environments without escalating tensions.

Stay Connected