Threats / F5 / CVE-2021-22986
CVE-2021-22986
· EUVD no mirror located
· GCVE no mirror located
Verified 2026-06-07
F5 BIG-IP and BIG-IQ Centralized Management vulnerability
F5 BIG-IP and BIG-IQ Centralized Management contain an unauthenticated remote code execution vulnerability in the iControl REST interface allowing attackers to execute commands, manipulate files, and disable services.
Verdict
Today item, not a backlog item.
An unauthenticated network attacker can exploit this authorization bypass to achieve arbitrary code execution on affected load balancers and management systems, enabling full system compromise and lateral movement within critical infrastructure.
01
Is it exploitable?
— the evidence, ranked above the scoreExploited in the wild
Listed in the CISA Known Exploited Vulnerabilities catalog (added 2021-11-03), flagged for known ransomware use.
Probability (EPSS)
EPSS 0.94485 — modeled likelihood of exploitation activity.EPSS is a daily-changing model output — open the source for today's value.
Severity / affected
Affected: F5, BIG-IP and BIG-IQ Centralized Management. Confirm exact fixed builds in the vendor advisory.
Weakness (CWE)
Mapped to CWE-863 Incorrect Authorization — weakness family: Authorization / access control.CWE assignment from the public NVD record; the weakness class drives how the flaw is exploited.
02
Who’s exploiting it?
— attribution turns risk into urgencyAttribution not established
No threat-actor attribution is established from the public feed for this record. Absence of a named actor is not absence of compromise — see Coverage & confidence.
03
Why it matters
— the attack path, told twice: adversary, then board1
Front door — unauthenticated access narrative 1
Attacker
I gain network access to the iControl REST interface without credentials.
Business
Perimeter security controls fail to prevent unauthorized access to critical infrastructure management interfaces.
2
Keys to the kingdom — privilege/identity takeover narrative 2
Attacker
I execute arbitrary system commands on the target host.
Business
Attackers establish persistent access and control over load balancing and traffic management systems.
3
Lateral reach — past segmentation narrative 3
Attacker
I create, modify, or delete files to maintain persistence and exfiltrate configuration data.
Business
Sensitive network configurations, credentials, and operational data are compromised or destroyed.
4
Data at risk — exfiltration narrative 4
Attacker
I disable security services and monitoring to evade detection.
Business
Security visibility is eliminated, enabling undetected lateral movement and data theft.
5
Lights out — disruption & extortion narrative 5
Attacker
I leverage compromised infrastructure for ransomware deployment or supply chain attacks.
Business
Business operations are disrupted, customer data is at risk, and recovery costs escalate significantly.
04
What to do
— defensible action- Remediate per the vendor advisory — confirm the fixed build for your version and verify exposure.1
Say it to the boardA vulnerability with this evidence profile is a defensible budget line, not a backlog ticket — fund the change against the proof above.
05
Coverage & confidence
— what we know, and what we don’tEstablished (cited)
Coverage gaps — stated, not hidden
Disclosure & credit2
Catalogued by f5CNA
Credited with finding itNo finder named in the public CVE record — the work behind this find is unattributed.