CVE-2021-22986

Known Exploited (CISA KEV)CRITICAL

9.8

CVSS Severity Score

EPSS Score27.6280%

EPSS Percentile94.45th

PublishedMar 31, 2021

Last ModifiedOct 27, 2025

Vulnerability Description

On BIG-IP versions 16.0.x before 16.0.1.1, 15.1.x before 15.1.2.1, 14.1.x before 14.1.4, 13.1.x before 13.1.3.6, and 12.1.x before 12.1.5.3 amd BIG-IQ 7.1.0.x before 7.1.0.3 and 7.0.0.x before 7.0.0.2, the iControl REST interface has an unauthenticated remote command execution vulnerability. Note: Software versions which have reached End of Software Development (EoSD) are not evaluated.

Affected Platforms (CPE)

📦

Big Ip Access Policy Manager

>= 12.1.0 and < 12.1.5.3

📦

Big Ip Access Policy Manager

>= 13.1.0 and < 13.1.3.6

📦

Big Ip Access Policy Manager

>= 14.1.0 and < 14.1.4

📦

Big Ip Access Policy Manager

>= 15.1.0 and < 15.1.2.1

📦

Big Ip Access Policy Manager

>= 16.0.0 and < 16.0.1.1

📦

Big Ip Advanced Firewall Manager

>= 12.1.0 and < 12.1.5.3

📦

Big Ip Advanced Firewall Manager

>= 13.1.0 and < 13.1.3.6

📦

Big Ip Advanced Firewall Manager

>= 14.1.0 and < 14.1.4

📦

Big Ip Advanced Firewall Manager

>= 15.1.0 and < 15.1.2.1

📦

Big Ip Advanced Firewall Manager

>= 16.0.0 and < 16.0.1.1

📦

Big Ip Advanced Web Application Firewall

>= 12.1.0 and < 12.1.5.3

📦

Big Ip Advanced Web Application Firewall

>= 13.1.0 and < 13.1.3.6

📦

Big Ip Advanced Web Application Firewall

>= 14.1.0 and < 14.1.4

📦

Big Ip Advanced Web Application Firewall

>= 15.1.0 and < 15.1.2.1

📦

Big Ip Advanced Web Application Firewall

>= 16.0.0 and < 16.0.1.1

📦

Big Ip Analytics

>= 12.1.0 and < 12.1.5.3

📦

Big Ip Analytics

>= 13.1.0 and < 13.1.3.6

📦

Big Ip Analytics

>= 14.1.0 and < 14.1.4

📦

Big Ip Analytics

>= 15.1.0 and < 15.1.2.1

📦

Big Ip Analytics

>= 16.0.0 and < 16.0.1.1

📦

Big Ip Application Acceleration Manager

>= 12.1.0 and < 12.1.5.3

📦

Big Ip Application Acceleration Manager

>= 13.1.0 and < 13.1.3.6

📦

Big Ip Application Acceleration Manager

>= 14.1.0 and < 14.1.4

📦

Big Ip Application Acceleration Manager

>= 15.1.0 and < 15.1.2.1

📦

Big Ip Application Acceleration Manager

>= 16.0.0 and < 16.0.1.1

📦

Big Ip Application Security Manager

>= 12.1.0 and < 12.1.5.3

📦

Big Ip Application Security Manager

>= 13.1.0 and < 13.1.3.6

📦

Big Ip Application Security Manager

>= 14.1.0 and < 14.1.4

📦

Big Ip Application Security Manager

>= 15.1.0 and < 15.1.2.1

📦

Big Ip Application Security Manager

>= 16.0.0 and < 16.0.1.1

📦

Big Ip Ddos Hybrid Defender

>= 12.1.0 and < 12.1.5.3

📦

Big Ip Ddos Hybrid Defender

>= 13.1.0 and < 13.1.3.6

📦

Big Ip Ddos Hybrid Defender

>= 14.1.0 and < 14.1.4

📦

Big Ip Ddos Hybrid Defender

>= 15.1.0 and < 15.1.2.1

📦

Big Ip Ddos Hybrid Defender

>= 16.0.0 and < 16.0.1.1

📦

Big Ip Domain Name System

>= 12.1.0 and < 12.1.5.3

📦

Big Ip Domain Name System

>= 13.1.0 and < 13.1.3.6

📦

Big Ip Domain Name System

>= 14.1.0 and < 14.1.4

📦

Big Ip Domain Name System

>= 15.1.0 and < 15.1.2.1

📦

Big Ip Domain Name System

>= 16.0.0 and < 16.0.1.1

📦

Big Ip Fraud Protection Service

>= 12.1.0 and < 12.1.5.3

📦

Big Ip Fraud Protection Service

>= 13.1.0 and < 13.1.3.6

📦

Big Ip Fraud Protection Service

>= 14.1.0 and < 14.1.4

📦

Big Ip Fraud Protection Service

>= 15.1.0 and < 15.1.2.1

📦

Big Ip Fraud Protection Service

>= 16.0.0 and < 16.0.1.1

📦

Big Ip Global Traffic Manager

>= 12.1.0 and < 12.1.5.3

📦

Big Ip Global Traffic Manager

>= 13.1.0 and < 13.1.3.6

📦

Big Ip Global Traffic Manager

>= 14.1.0 and < 14.1.4

📦

Big Ip Global Traffic Manager

>= 15.1.0 and < 15.1.2.1

📦

Big Ip Global Traffic Manager

>= 16.0.0 and < 16.0.1.1

📦

Big Ip Link Controller

>= 12.1.0 and < 12.1.5.3

📦

Big Ip Link Controller

>= 13.1.0 and < 13.1.3.6

📦

Big Ip Link Controller

>= 14.1.0 and < 14.1.4

📦

Big Ip Link Controller

>= 15.1.0 and < 15.1.2.1

📦

Big Ip Link Controller

>= 16.0.0 and < 16.0.1.1

📦

Big Ip Local Traffic Manager

>= 12.1.0 and < 12.1.5.3

📦

Big Ip Local Traffic Manager

>= 13.1.0 and < 13.1.3.6

📦

Big Ip Local Traffic Manager

>= 14.1.0 and < 14.1.4

📦

Big Ip Local Traffic Manager

>= 15.1.0 and < 15.1.2.1

📦

Big Ip Local Traffic Manager

>= 16.0.0 and < 16.0.1.1

📦

Big Ip Policy Enforcement Manager

>= 12.1.0 and < 12.1.5.3

📦

Big Ip Policy Enforcement Manager

>= 13.1.0 and < 13.1.3.6

📦

Big Ip Policy Enforcement Manager

>= 14.1.0 and < 14.1.4

📦

Big Ip Policy Enforcement Manager

>= 15.1.0 and < 15.1.2.1

📦

Big Ip Policy Enforcement Manager

>= 16.0.0 and < 16.0.1.1

📦

Big Iq Centralized Management

>= 6.0.0 and < 6.1.0

📦

Big Iq Centralized Management

>= 7.0.0 and < 7.0.0.2

📦

Big Iq Centralized Management

>= 7.1.0 and < 7.1.0.3

📦

Ssl Orchestrator

>= 12.1.0 and < 12.1.5.3

📦

Ssl Orchestrator

>= 13.1.0 and < 13.1.3.6

📦

Ssl Orchestrator

>= 14.1.0 and < 14.1.4

📦

Ssl Orchestrator

>= 15.1.0 and < 15.1.2.1

📦

Ssl Orchestrator

>= 16.0.0 and < 16.0.1.1

References & Advisories

🔗 http://packetstormsecurity.com/files/162059/F5-iControl-Server-Side-Request-Forgery-Remote-Command-Execution.html

🔗 http://packetstormsecurity.com/files/162066/F5-BIG-IP-16.0.x-Remote-Code-Execution.html

🔗 https://support.f5.com/csp/article/K03009991

🔗 http://packetstormsecurity.com/files/162059/F5-iControl-Server-Side-Request-Forgery-Remote-Command-Execution.html

🔗 http://packetstormsecurity.com/files/162066/F5-BIG-IP-16.0.x-Remote-Code-Execution.html

🔗 https://support.f5.com/csp/article/K03009991

🔗 https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-22986

Vulnerability Description

Affected Platforms (CPE)

Big Ip Access Policy Manager

Big Ip Access Policy Manager

Big Ip Access Policy Manager

Big Ip Access Policy Manager

Big Ip Access Policy Manager

Big Ip Advanced Firewall Manager

Big Ip Advanced Firewall Manager

Big Ip Advanced Firewall Manager

Big Ip Advanced Firewall Manager

Big Ip Advanced Firewall Manager

Big Ip Advanced Web Application Firewall

Big Ip Advanced Web Application Firewall

Big Ip Advanced Web Application Firewall

Big Ip Advanced Web Application Firewall

Big Ip Advanced Web Application Firewall

Big Ip Analytics

Big Ip Analytics

Big Ip Analytics

Big Ip Analytics

Big Ip Analytics

Big Ip Application Acceleration Manager

Big Ip Application Acceleration Manager

Big Ip Application Acceleration Manager

Big Ip Application Acceleration Manager

Big Ip Application Acceleration Manager

Big Ip Application Security Manager

Big Ip Application Security Manager

Big Ip Application Security Manager

Big Ip Application Security Manager

Big Ip Application Security Manager

Big Ip Ddos Hybrid Defender

Big Ip Ddos Hybrid Defender

Big Ip Ddos Hybrid Defender

Big Ip Ddos Hybrid Defender

Big Ip Ddos Hybrid Defender

Big Ip Domain Name System

Big Ip Domain Name System

Big Ip Domain Name System

Big Ip Domain Name System

Big Ip Domain Name System

Big Ip Fraud Protection Service

Big Ip Fraud Protection Service

Big Ip Fraud Protection Service

Big Ip Fraud Protection Service

Big Ip Fraud Protection Service

Big Ip Global Traffic Manager

Big Ip Global Traffic Manager

Big Ip Global Traffic Manager

Big Ip Global Traffic Manager

Big Ip Global Traffic Manager

Big Ip Link Controller

Big Ip Link Controller

Big Ip Link Controller

Big Ip Link Controller

Big Ip Link Controller

Big Ip Local Traffic Manager

Big Ip Local Traffic Manager

Big Ip Local Traffic Manager

Big Ip Local Traffic Manager

Big Ip Local Traffic Manager

Big Ip Policy Enforcement Manager

Big Ip Policy Enforcement Manager

Big Ip Policy Enforcement Manager

Big Ip Policy Enforcement Manager

Big Ip Policy Enforcement Manager

Big Iq Centralized Management

Big Iq Centralized Management

Big Iq Centralized Management

Ssl Orchestrator

Ssl Orchestrator

Ssl Orchestrator

Ssl Orchestrator

Ssl Orchestrator

References & Advisories

Related Vulnerabilities