CVE-2012-1493

F5 BIG-IP Multiple Versions - Unauthenticated SSH Login via Shared Private Key

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 4 public exploits for CVE-2012-1493. PoCs published by Metasploit, David Kennedy (ReL1K), Florent Daigniere, including Metasploit module exploits/linux/ssh/f5_bigip_known_privkey.

AI-analyzed exploit summary This Metasploit module exploits CVE-2012-1493 by using a hardcoded RSA private key to authenticate as root via SSH on F5 BIG-IP appliances. It establishes an interactive shell session upon successful authentication.

Description

F5 BIG-IP appliances 9.x before 9.4.8-HF5, 10.x before 10.2.4, 11.0.x before 11.0.0-HF2, and 11.1.x before 11.1.0-HF3, and Enterprise Manager before 2.1.0-HF2, 2.2.x before 2.2.0-HF1, and 2.3.x before 2.3.0-HF3, use a single SSH private key across different customers' installations and do not properly restrict access to this key, which makes it easier for remote attackers to perform SSH logins via the PubkeyAuthentication option.

Exploits (4)

exploitdb WORKING POC VERIFIED
by Metasploit · rubyremotehardware
https://www.exploit-db.com/exploits/19099

This Metasploit module exploits CVE-2012-1493 by using a hardcoded RSA private key to authenticate as root via SSH on F5 BIG-IP appliances. It establishes an interactive shell session upon successful authentication.

Classification
Working Poc 100%
Attack Type
Auth Bypass
Complexity
Trivial
Reliability
Reliable
Target: F5 BIG-IP appliances
No auth needed
Prerequisites: SSH service accessible on port 22 · Target system must be an F5 BIG-IP appliance with the vulnerable key present
devstral-2 · analyzed Feb 16, 2026 Full analysis →
exploitdb WORKING POC VERIFIED
by David Kennedy (ReL1K) · pythonremotehardware
https://www.exploit-db.com/exploits/19091

This exploit leverages a hardcoded RSA private key to bypass authentication on F5 BIG-IP devices, allowing direct SSH access as root. The script automates the process by writing the key to a file, setting permissions, and initiating an SSH connection.

Classification
Working Poc 100%
Attack Type
Auth Bypass
Complexity
Trivial
Reliability
Reliable
Target: F5 BIG-IP (versions affected by CVE-2012-1493)
No auth needed
Prerequisites: Network access to the target F5 BIG-IP device · SSH service exposed on the target
devstral-2 · analyzed Feb 16, 2026 Full analysis →
exploitdb WRITEUP VERIFIED
by Florent Daigniere · textdoshardware
https://www.exploit-db.com/exploits/19064

This advisory describes an authentication bypass vulnerability in F5 BIG-IP devices, where a hardcoded SSH private key allows unauthenticated root access. The vulnerability affects multiple versions of BIG-IP platforms without SCCP.

Classification
Writeup 100%
Attack Type
Auth Bypass
Complexity
Trivial
Reliability
Reliable
Target: F5 BIG-IP 11.x, 10.x, 9.x
No auth needed
Prerequisites: Network access to the target device · SSH service exposed
devstral-2 · analyzed Feb 16, 2026 Full analysis →
metasploit WORKING POC EXCELLENT
by egypt · rubypocunix
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/ssh/f5_bigip_known_privkey.rb

This Metasploit module exploits a known private SSH key exposure in F5 BIG-IP appliances, allowing passwordless root authentication. It uses a hardcoded RSA private key to authenticate and establish an interactive shell session.

Classification
Working Poc 100%
Attack Type
Auth Bypass
Complexity
Trivial
Reliability
Reliable
Target: F5 BIG-IP appliances
No auth needed
Prerequisites: SSH service accessible on port 22 · Target system using the exposed private key
MITRE ATT&CK
devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (4)

Core 4

Scores

EPSS 0.6308
EPSS Percentile 99.1%

Details

CWE
CWE-255
Status published
Products (44)
f5/big-ip_1000
f5/big-ip_11000
f5/big-ip_11050
f5/big-ip_1500
f5/big-ip_1600
f5/big-ip_2400
f5/big-ip_3400
f5/big-ip_3410
f5/big-ip_3600
f5/big-ip_3900
... and 34 more
Published Jul 09, 2012
Tracked Since Feb 18, 2026