CVE-2022-41800

HIGH EXPLOITED NUCLEI

F5 BIG-IP - Authenticated Appliance Mode Bypass via Undisclosed iControl REST Endpoint

Exploitation Summary

CVE-2022-41800 has been observed exploited in the wild (reported by VulnCheck KEV). EIP tracks 2 public exploits, from researchers including Ron Bowes; one of them is the Metasploit module `exploits/linux/http/f5_icontrol_rpmspec_rce_cve_2022_41800`. A Nuclei detection template is also available.

Description

In all versions of BIG-IP, when running in Appliance mode, an authenticated user assigned the Administrator role may be able to bypass Appliance mode restrictions, utilizing an undisclosed iControl REST endpoint. A successful exploit can allow the attacker to cross a security boundary.

Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

Exploits (2)

vulncheck_xdb WORKING POC
remote
https://github.com/j-baines/tippa-my-tongue

This repository contains a functional exploit for CVE-2022-1388 and CVE-2022-41800, targeting F5 BIG-IP products. The exploit chains authentication bypass with command injection to achieve a root reverse shell via the `/mgmt/shared/iapp/rpm-spec-creator` and `/mgmt/shared/iapp/build-package` endpoints.

Classification: Working PoC 100%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: F5 BIG-IP (tested on version 16.1.2.1)
No auth needed
Prerequisites: Network access to the target BIG-IP management interface · Python environment with `requests` library
devstral-2 · analyzed Feb 25, 2026

metasploit WORKING POC EXCELLENT
by Ron Bowes · ruby · poc
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/http/f5_icontrol_rpmspec_rce_cve_2022_41800.rb

This Metasploit module exploits CVE-2022-41800, a newline injection vulnerability in F5 BIG-IP iControl's RPM .rpmspec file creation, allowing authenticated users to execute arbitrary commands as root. The exploit crafts a malicious .rpmspec file with a '%check' section containing the payload, then triggers RPM build to execute the payload.

Classification: Working PoC 100%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: F5 BIG-IP iControl
Auth required
Prerequisites: Valid iControl credentials · Network access to the target's management interface
devstral-2 · analyzed Feb 19, 2026

Nuclei Templates (1)

F5 BIG-IP Appliance Mode - Command Injection
HIGH · VERIFIED · by dwisiswant0
Shodan: http.title:"big-ip®-+redirect" +"server" || http.html:"big-ip apm"
FOFA: body="big-ip apm" || title="big-ip®-+redirect" +"server"

Scores

CVSS v3 8.7
EPSS 0.6241
EPSS Percentile 99.1%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact partial

Details

VulnCheck KEV 2023-12-13
CWE CWE-77
Status published
Products (21)
f5/big-ip_access_policy_manager 17.0.0
f5/big-ip_access_policy_manager 13.1.0 - 13.1.5
f5/big-ip_advanced_firewall_manager 13.1.0 - 17.0.0
f5/big-ip_analytics 17.0.0
f5/big-ip_analytics 13.1.0 - 13.1.5
f5/big-ip_application_acceleration_manager 17.0.0
f5/big-ip_application_acceleration_manager 13.1.0 - 13.1.5
f5/big-ip_application_security_manager 17.0.0
f5/big-ip_application_security_manager 13.1.0 - 13.1.5
f5/big-ip_domain_name_system 17.0.0
... and 11 more
Published Dec 07, 2022
Tracked Since Feb 18, 2026