CISA and MS-ISAC Publish Joint Cybersecurity Advisory on Threat Actors Exploiting F5 BIG-IP (CVE-2022-1388)

The Cybersecurity and Infrastructure Security Agency (CISA) and the Multi-State Information Sharing & Analysis Center (MS-ISAC) are releasing a joint Cybersecurity Advisory (CSA) (attached) in response to active exploitation of CVE-2022-1388. This recently disclosed vulnerability in certain versions of F5 Networks, Inc., (F5) BIG-IP enables an unauthenticated actor to gain control of affected systems via the management port or self-IP addresses.

Due to previous exploitation of F5 BIG-IP vulnerabilities, CISA and MS-ISAC assess that unpatched F5 BIG-IP devices are an attractive target and that organizations that have not applied the patch are vulnerable to actors taking control of their systems.

According to public reporting, there is active exploitation of this vulnerability, and CISA and MS-ISAC expect to see widespread exploitation of unpatched F5 BIG-IP devices (mostly with publicly exposed management ports or self IPs) in both government and private sector networks.

To mitigate this threat, CISA and MS-ISAC recommend organizations upgrade F5 BIG-IP software to fixed versions. Additionally, organizations using versions 12.1.x and 11.6.x should upgrade to supported versions. If unable to immediately patch, organizations should implement F5’s temporary workarounds outlined in the joint advisory. Other actions administrators can take include not exposing management interfaces to the internet and enforcing multi-factor authentication (MFA); administrators should also consider using CISA’s Cyber Hygiene Services.

If potential compromise is detected, organizations should apply the incident response recommendations included in this CSA, Threat Actors Exploiting F5 BIG-IP (CVE-2022-1388), such as:

  • quarantine or take offline potentially affected hosts,
  • reimage compromised hosts,
  • provision new account credentials,
  • limit access to the management interface, and
  • collect and review artifacts.

Organizations are encouraged to review the advisory for complete details. Organizations are also reminded to report the compromise or any anomalous activity to CISA via CISA’s 24/7 Operations Center (report@cisa.gov or 888-282-0870). State, local, tribal, or territorial (SLTT) government entities can also report to MS-ISAC (SOC@cisecurity.org or 866-787-4722).

Your support to amplify this advisory through your communications and social media channels is appreciated. And as always, thank you for your continued collaboration.

https://www.cisa.gov/uscert/ncas/alerts/aa22-138a