What vulnerabilities were patched by F5 in the BIG-IP Next Central Manager?

F5 has patched two high-severity vulnerabilities in the BIG-IP Next Central Manager: CVE-2024-26026, an SQL injection vulnerability, and CVE-2024-21793, an OData injection vulnerability. Both vulnerabilities have a CVSS score of 7.5 and could allow attackers to take administrative control of devices and create hidden rogue accounts on managed assets.

What mitigation strategies are recommended if the patch cannot be immediately applied?

If users are unable to immediately apply the patch, it is recommended to restrict access to the BIG-IP Next Central Manager to trusted zones as a temporary mitigation strategy.

Where can users find the patch to fix these vulnerabilities?

F5 has released patches in version 20.2.0 of the BIG-IP Next Central Manager software to fix these vulnerabilities.

Are there any proof-of-concept (PoC) exploits available for these vulnerabilities?

Yes, Eclypsium security researchers have released proof-of-concept (PoC) exploits for the vulnerabilities.

Advisory

F5 patches severe flaws in BIG-IP Next Central Manager

Q: What are the potential impacts of exploiting these vulnerabilities in the BIG-IP Next Central Manager?

Exploiting these vulnerabilities could enable unauthenticated attackers to remotely execute malicious SQL statements, gain full administrative rights, and establish persistent backdoors in the form of invisible accounts on any BIG-IP Next asset managed by the affected Central Manager.

published: May 8, 2024

Learn More

F5 has patched two high-severity vulnerabilities in the BIG-IP Next Central Manager, both of which could allow attackers to take administrative control of devices and create hidden rogue accounts on managed assets.

These vulnerabilities are tracked as:

CVE-2024-26026 (CVSS score 7.5): An SQL injection vulnerability that could be exploited to execute arbitrary SQL commands, potentially leading to unauthorized access and control over the system.
CVE-2024-21793 (CVSS score 7.5): An OData injection vulnerability that could be exploited to manipulate OData queries and execute unauthorized commands.

These flaws could enable unauthenticated attackers to remotely execute malicious SQL statements, gain full administrative rights and establish persistent backdoors in the form of invisible accounts on any BIG-IP Next asset managed by the affected Central Manager.

Eclypsium security researchers have released PoC for the flaws.

F5 released patches in version 20.2.0 of the software to fix these vulnerabilities. If users are unable to immediately apply the patch should restrict access to the Next Central Manager to trusted zones as a temporary mitigation strategy.

F5 patches severe flaws in BIG-IP Next Central Manager

Read More
F5 BIG-IP Vulnerabilities actively exploited by hacker groups
Fortinet patches critical remote code execution and data …
WatchGuard Firebox reported having well-known default credentials, vendor …
Multiple Citrix products reported vulnerable to regreSSHion flaw
Fortinet FortiManager vulnerability allows remote command execution