Rapid7 Vulnerability & Exploit Database

F5 iControl REST Unauthenticated SSRF Token Generation RCE




This module exploits a pre-auth SSRF in the F5 iControl REST API's /mgmt/shared/authn/login endpoint to generate an X-F5-Auth-Token that can then be used to execute commands as root on an affected BIG-IP or BIG-IQ device. The vulnerability is tracked as CVE-2021-22986.

CVE-2021-22986 affects the following BIG-IP versions (ranges inclusive):

  • 12.1.0 - 12.1.5
  • 13.1.0 - 13.1.3
  • 14.1.0 - 14.1.3
  • 15.1.0 - 15.1.2
  • 16.0.0 - 16.0.1

And the following BIG-IQ versions:

  • 6.0.0 - 6.1.0
  • 7.0.0
  • 7.1.0

These ranges are stated to three version components; a point or hotfix release inside one of them may already carry the fix, so confirm the exact installed build against the vendor advisory before concluding a device is exposed.

Tested against BIG-IP Virtual Edition 16.0.1 in VMware Fusion.
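The following is an added example, not code from the Metasploit module or from Rapid7, that turns the affected-version list above into a triage check you can run over an inventory of BIG-IP and BIG-IQ version strings. It compares only the first three version components, because that is all the ranges on this page specify, and flags any four-component build that lands inside a range as needing a look at the vendor advisory rather than calling it affected outright. The product names, sample inventory and result symbols are assumptions made for the example.

```ruby
# Added example (not part of the Metasploit module): classify BIG-IP / BIG-IQ
# version strings against the CVE-2021-22986 ranges listed on this page.

# Inclusive ranges as printed in the module description. Single versions
# are expressed as a range whose low and high bounds are equal.
AFFECTED = {
  'BIG-IP' => [
    ['12.1.0', '12.1.5'],
    ['13.1.0', '13.1.3'],
    ['14.1.0', '14.1.3'],
    ['15.1.0', '15.1.2'],
    ['16.0.0', '16.0.1']
  ],
  'BIG-IQ' => [
    ['6.0.0', '6.1.0'],
    ['7.0.0', '7.0.0'],
    ['7.1.0', '7.1.0']
  ]
}.freeze

# Split "16.0.1.1" into its integer components; rejects anything that is not
# dotted decimal with at least major.minor.patch.
def version_parts(str)
  parts = str.to_s.strip.split('.')
  unless parts.size >= 3 && parts.all? { |p| p.match?(/\A\d+\z/) }
    raise ArgumentError, "unrecognised version string: #{str.inspect}"
  end
  parts.map(&:to_i)
end

# True when the first three components of +parts+ fall inside any listed range.
# Array#<=> compares element by element, which is exactly major/minor/patch order.
def in_listed_range?(product, parts)
  ranges = AFFECTED.fetch(product) { raise ArgumentError, "unknown product #{product.inspect}" }
  triplet = parts.first(3)
  ranges.any? do |lo, hi|
    (version_parts(lo) <=> triplet) <= 0 && (triplet <=> version_parts(hi)) <= 0
  end
end

# Returns one of three assumed result symbols:
#   :affected       three-component version inside a listed range
#   :verify_hotfix  a point/hotfix build whose base version is in range; the
#                   page does not say which point releases are fixed, so this
#                   must be checked against the vendor advisory
#   :not_listed     outside every listed range
def assess(product, version)
  parts = version_parts(version)
  return :not_listed unless in_listed_range?(product, parts)
  parts.size > 3 ? :verify_hotfix : :affected
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample inventory for demonstration; these are not real hosts.
  inventory = [
    ['BIG-IP', '16.0.1'], ['BIG-IP', '16.0.1.1'], ['BIG-IP', '16.1.0'],
    ['BIG-IP', '15.1.2'], ['BIG-IP', '14.1.4'], ['BIG-IQ', '7.1.0'],
    ['BIG-IQ', '6.1.1'], ['BIG-IQ', '8.0.0']
  ]
  inventory.each do |product, version|
    puts format('%-7s %-10s %s', product, version, assess(product, version))
  end
end
```

Only the :affected result is a positive finding on the page's own terms; :verify_hotfix exists precisely because a three-component range cannot tell a vulnerable 16.0.1 build from a patched 16.0.1.x one.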


Author(s)

  • wvu <wvu@metasploit.com>
  • Rich Warren




Architectures

cmd, x86, x64


Module Options

To display the available options, load the module within the Metasploit console and run the commands 'show options' or 'show advanced':

msf > use exploit/linux/http/f5_icontrol_rest_ssrf_rce
msf exploit(f5_icontrol_rest_ssrf_rce) > show targets
msf exploit(f5_icontrol_rest_ssrf_rce) > set TARGET < target-id >
msf exploit(f5_icontrol_rest_ssrf_rce) > show options
    ...show and set options...
msf exploit(f5_icontrol_rest_ssrf_rce) > exploit
