📄 Description (English)
F5 BIG-IP and BIG-IQ Centralized Management iControl REST Remote Code Execution Vulnerability — F5 BIG-IP and BIG-IQ Centralized Management contain a remote code execution vulnerability in the iControl REST interface that allows unauthenticated attackers with network access to execute system commands, create or delete files, and disable services.
🤖 AI Executive Summary
CVE-2021-22986 is a critical unauthenticated remote code execution vulnerability in F5 BIG-IP and BIG-IQ affecting the iControl REST interface with a CVSS score of 9.0. Attackers can execute arbitrary system commands, manipulate files, and disable services without authentication. This vulnerability poses an immediate threat to Saudi organizations relying on F5 load balancers for critical infrastructure, particularly in banking, government, and energy sectors.
📄 Description (Arabic)
🤖 AI Intelligence Analysis Analyzed: Apr 20, 2026 03:54
🇸🇦 Saudi Arabia Impact Assessment
This vulnerability critically impacts Saudi banking sector (SAMA-regulated institutions), government agencies (NCA oversight), energy sector (ARAMCO and downstream operators), telecommunications (STC, Mobily), and healthcare providers. F5 BIG-IP is widely deployed as a load balancer and security appliance in these sectors. Exploitation could lead to complete compromise of critical services, data exfiltration, lateral movement into internal networks, and service disruption affecting millions of users.
🏢 Affected Saudi Sectors
Banking and Financial Services
Government and Public Administration
Energy and Utilities
Telecommunications
Healthcare
Large Enterprise IT Infrastructure
🎯 MITRE ATT&CK Techniques
⚖️ Saudi Risk Score (AI)
9.5
/ 10.0
🔧 Remediation Steps (English)
IMMEDIATE ACTIONS:
1. Identify all F5 BIG-IP and BIG-IQ instances in your environment and document versions
2. Restrict network access to iControl REST interface (port 443) to trusted administrative networks only
3. Implement WAF rules to block suspicious iControl REST requests
4. Enable detailed logging and monitoring of iControl REST API calls
5. Isolate affected systems from production if patching cannot be completed immediately
PATCHING GUIDANCE:
1. Apply F5 security patches immediately: BIG-IP versions 16.1.0-16.1.2, 15.1.0-15.1.4, 14.1.0-14.1.4, 13.1.0-13.1.5, 12.1.0-12.1.6
2. Upgrade to patched versions: 16.1.3, 15.1.5, 14.1.5, 13.1.6, 12.1.7 or later
3. Test patches in non-production environment first
4. Schedule maintenance windows for patching
COMPENSATING CONTROLS (if immediate patching not possible):
1. Implement network segmentation restricting iControl REST access
2. Deploy intrusion detection signatures for CVE-2021-22986 exploitation attempts
3. Monitor for POST requests to /mgmt/tm/ltm/virtual endpoints
4. Implement IP whitelisting for iControl REST access
5. Disable iControl REST if not required for operations
DETECTION RULES:
1. Monitor for HTTP POST requests to /mgmt/tm/* endpoints from external sources
2. Alert on successful iControl REST authentication from unusual source IPs
3. Track file creation/deletion in /var/tmp and /tmp directories
4. Monitor for unexpected process execution from tmsh or iControl processes
5. Log all iControl REST API calls with full request/response payloads
🔧 خطوات المعالجة (العربية)
الإجراءات الفورية:
1. حدد جميع مثيلات F5 BIG-IP و BIG-IQ في بيئتك وتوثيق الإصدارات
2. قيد الوصول إلى واجهة iControl REST (المنفذ 443) إلى الشبكات الإدارية الموثوقة فقط
3. طبق قواعد WAF لحجب طلبات iControl REST المريبة
4. فعّل التسجيل والمراقبة التفصيلية لاستدعاءات iControl REST API
5. عزل الأنظمة المتأثرة عن الإنتاج إذا لم يكن يمكن إكمال التصحيح فوراً
إرشادات التصحيح:
1. طبق تصحيحات أمان F5 فوراً: إصدارات BIG-IP 16.1.0-16.1.2، 15.1.0-15.1.4، 14.1.0-14.1.4، 13.1.0-13.1.5، 12.1.0-12.1.6
2. ارقَ إلى الإصدارات المصححة: 16.1.3، 15.1.5، 14.1.5، 13.1.6، 12.1.7 أو أحدث
3. اختبر التصحيحات في بيئة غير الإنتاج أولاً
4. جدول نوافذ الصيانة للتصحيح
الضوابط البديلة (إذا لم يكن التصحيح الفوري ممكناً):
1. طبق تقسيم الشبكة مع تقييد الوصول إلى iControl REST
2. نشر توقيعات كشف الاختراق لمحاولات استغلال CVE-2021-22986
3. راقب طلبات HTTP POST إلى نقاط نهاية /mgmt/tm/ltm/virtual من مصادر خارجية
4. طبق القائمة البيضاء للعناوين IP لوصول iControl REST
5. عطّل iControl REST إذا لم تكن مطلوبة للعمليات
قواعد الكشف:
1. راقب طلبات HTTP POST إلى نقاط نهاية /mgmt/tm/* من مصادر خارجية
2. تنبيه عند المصادقة الناجحة لـ iControl REST من عناوين IP غير معتادة
3. تتبع إنشاء/حذف الملفات في دلائل /var/tmp و /tmp
4. راقب تنفيذ العمليات غير المتوقعة من عمليات tmsh أو iControl
5. سجل جميع استدعاءات iControl REST API مع حمولات الطلب/الاستجابة الكاملة
📋 Regulatory Compliance Mapping
🟢 NCA ECC 2024
A.5.1.1 - Information Security Policies and Procedures
A.6.1.1 - Organization of Information Security
A.8.1.1 - Asset Management
A.12.2.1 - Restrictions on Software Installation
A.12.6.1 - Management of Technical Vulnerabilities
A.13.1.1 - Network Security Perimeter
A.14.2.1 - System Development and Acceptance
🔵 SAMA CSF
Governance and Risk Management - Vulnerability Management
Information and Communications Technology Security - System Hardening
Information and Communications Technology Security - Access Control
Incident Management - Detection and Response
Third-Party Risk Management - Critical Service Provider Security
🟡 ISO 27001:2022
A.5.1 - Management Direction for Information Security
A.8.1 - Asset Management
A.12.2 - Restrictions on Software Installation
A.12.6 - Management of Technical Vulnerabilities
A.13.1 - Network Security Perimeter
A.14.2 - System Development and Acceptance
🟣 PCI DSS v4.0
Requirement 2.2 - Configuration Standards for System Components
Requirement 6.2 - Ensure Security Patches are Installed
Requirement 6.5 - Injection Flaws Prevention
Requirement 11.2 - Vulnerability Scanning
🔗 References & Sources 0
No references.
📦 Affected Products / CPE 1 entries
F5:BIG-IP and BIG-IQ Centralized Management