CVE-2022-35243
HIGHBIG-IP 13.1.x < 13.1.5, 14.1.x < 14.1.5, 15.1.x < 15.1.5.1, 16.1.x < 16.1.3 - Privilege Escalation via iControl REST
Title source: llmDescription
In BIG-IP Versions 16.1.x before 16.1.3, 15.1.x before 15.1.5.1, 14.1.x before 14.1.5, and all versions of 13.1.x, when running in Appliance mode, an authenticated user assigned the Administrator role may be able to bypass Appliance mode restrictions, using an undisclosed iControl REST endpoint. A successful exploit can allow the attacker to cross a security boundary. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
References (1)
Core 1
Core References
Vendor Advisory x_refsource_misc
https://support.f5.com/csp/article/K11010341
Scores
CVSS v3
8.7
EPSS
0.0044
EPSS Percentile
63.3%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N
Details
CWE
CWE-269
Status
published
Products (11)
f5/big-ip_access_policy_manager
13.1.0 - 13.1.5
f5/big-ip_advanced_firewall_manager
13.1.0 - 13.1.5
f5/big-ip_analytics
13.1.0 - 13.1.5
f5/big-ip_application_acceleration_manager
13.1.0 - 13.1.5
f5/big-ip_application_security_manager
13.1.0 - 13.1.5
f5/big-ip_domain_name_system
13.1.0 - 13.1.5
f5/big-ip_fraud_protection_service
13.1.0 - 13.1.5
f5/big-ip_global_traffic_manager
13.1.0 - 13.1.5
f5/big-ip_link_controller
13.1.0 - 13.1.5
f5/big-ip_local_traffic_manager
13.1.0 - 13.1.5
... and 1 more
Published
Aug 04, 2022
Tracked Since
Feb 18, 2026