Critical F5 Vulnerabilities: Hackers Could Take Over Devices

F5 has announced fixes for two critical vulnerabilities in the BIG-IP Next Central Manager system, which could have been exploited to gain administrative access and create covert unauthorized accounts on managed devices.

The BIG-IP Next Central Manager is a tool that lets administrators manage BIG-IP Next instances across both on-premises and cloud environments from a unified user interface.

The vulnerabilities, an SQL injection (CVE-2024-26026, CVSS score: 7.5) and an OData injection (CVE-2024-21793, CVSS score: 7.5), were found in the API of BIG-IP Next Central Manager and could allow a remote, unauthenticated attacker to execute malicious SQL queries on devices that have not been updated.

Cybersecurity firm Eclypsium, which reported these vulnerabilities and published a Proof of Concept (PoC) exploit, noted that the hidden accounts created after exploitation are not visible in Next Central Manager and could be used for malicious activity within the victim's environment.

Eclypsium added that any attacker could remotely use the Central Manager console to gain complete administrative control over the system.

As a temporary security measure, F5 recommends that access to the Next Central Manager be limited to trusted users via secure networks until administrators can apply the security updates.

According to Eclypsium, there is currently no evidence that the vulnerabilities have been exploited in attacks. Although there is no precise data on the number of BIG-IP Next Central Manager users, Shodan reports tracking over 10,000 F5 BIG-IP devices with management ports exposed to the internet.