Rapid7 Analysis: K03009991: iControl REST unauthenticated remote command execution vulnerability CVE-2021-22986

Description

On March 10, 2021, F5 published a security advisory overview of 21 CVEs in its products, 4 of which are rated “Critical” as per CVSSv3. CVE-2021-22986, an unauthenticated remote command execution in the iControl REST API, is the most severe of these vulnerabilities, with a CVSSv3 base score of 9.8. Successful exploitation of CVE-2021-22986 results in root access to an affected BIG-IP or BIG-IQ device. More information on recent F5 vulnerability disclosures is available here.

NCC Group has an excellent blog post documenting CVE-2021-22986’s developments, including indicators of compromise (IOCs) and detections for known attack vectors.

As of March 20, remote code execution (RCE) proof-of-concept (PoC) code for CVE-2021-22986 is publicly available, and widespread exploitation is being seen by multiple organizations. Rapid7 urges F5 customers to patch their BIG-IP and BIG-IQ devices on an emergency basis.

Affected products

CVE-2021-22986 affects the following BIG-IP versions:

12.1.0 - 12.1.5
13.1.0 - 13.1.3
14.1.0 - 14.1.3
15.1.0 - 15.1.2
16.0.0 - 16.0.1

And the following BIG-IQ versions:

6.0.0 - 6.1.0
7.0.0
7.1.0

Rapid7 analysis

Please see this AttackerKB assessment for a detailed technical analysis of CVE-2021-22986. PoCs and corresponding IOCs are included.

Guidance

Fixes for CVE-2021-22986 were introduced in the following BIG-IP versions:

12.1.5.3
13.1.3.6
14.1.4
15.1.2.1
16.0.1.1

And the following BIG-IQ versions:

7.0.0.2
7.1.0.3
8.0.0

Note that the 6.x branch did not receive any fixes for CVE-2021-22986. Rapid7 recommends upgrading to the latest version on a supported branch. Furthermore, care should be taken not to unnecessarily expose BIG-IP or BIG-IQ devices to the internet.

References

https://support.f5.com/csp/article/K02566623 (K02566623: Overview of F5 vulnerabilities (March 2021))
https://support.f5.com/csp/article/K03009991 (K03009991: iControl REST unauthenticated remote command execution vulnerability CVE-2021-22986)
https://attackerkb.com/assessments/f6b19d24-b24e-4abd-98cf-2988d7424311
https://blog.rapid7.com/2021/03/18/f5-discloses-eight-vulnerabilities-including-four-critical-ones-in-big-ip-systems/
https://research.nccgroup.com/2021/03/18/rift-detection-capabilities-for-recent-f5-big-ip-big-iq-icontrol-rest-api-vulnerabilities-cve-2021-22986/

Rapid7 Analysis: K03009991: iControl REST unauthenticated remote command execution vulnerability CVE-2021-22986

Description

Affected products

Rapid7 analysis

Guidance

References

Article Tags

Related blog posts

Criminal AI-as-a-Service in 2026: How the Underground Market Is Operationalizing Cybercrime

CVE-2026-0826: How an Old Bug Can Feed AI-Powered Impersonation

CVE-2026-0826: Critical unauthenticated stack buffer overflow in HP Poly VVX and Trio VoIP Phones (FIXED)

CVE-2026-52806: Authenticated RCE via Argument Injection in Gogs (FIXED as of June 7, 2026)

Related blog posts

Criminal AI-as-a-Service in 2026: How the Underground Market Is Operationalizing Cybercrime

CVE-2026-0826: How an Old Bug Can Feed AI-Powered Impersonation

CVE-2026-0826: Critical unauthenticated stack buffer overflow in HP Poly VVX and Trio VoIP Phones (FIXED)

CVE-2026-52806: Authenticated RCE via Argument Injection in Gogs (FIXED as of June 7, 2026)