F5 has announced the discovery and patching of two critical vulnerabilities in its BIG-IP Next Central Manager control system. The flaws could allow attackers to gain administrative access and create unauthorized accounts on managed devices.
BIG-IP Next Central Manager is the tool administrators use to manage instances of BIG-IP Next in both on-premises and cloud environments through a single user interface.
The vulnerabilities – an SQL injection (CVE-2024-26026, CVSS: 7.5) and an OData injection (CVE-2024-21793, CVSS: 7.5) – were found in the API of BIG-IP Next Central Manager. They could allow remote attackers to execute malicious SQL queries on devices that have not been updated.
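To make the vulnerability class concrete, here is an added illustration (not F5's code and not Eclypsium's proof of concept; the table, field names and query shapes are constructed for this example). It contrasts an API handler that splices an OData-style `$filter` expression straight into SQL with one that accepts only an allowlisted grammar and emits a parameterized query. The point for defenders is that the hardened handler rejects anything outside the grammar before it reaches the database, instead of trying to recognise "bad" input.

```python
import re
import sqlite3

# Constructed sample data for the demo; this is not the product's schema.
# The "hidden" column stands in for accounts the UI does not list.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT, hidden INTEGER)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "admin", 0), ("bob", "viewer", 0), ("svc-extra", "admin", 1)],
    )
    return conn


def vulnerable_filter(conn, odata_filter):
    """Anti-pattern: the caller's $filter text is translated by string
    replacement and concatenated into SQL, so the caller controls the WHERE clause."""
    where = odata_filter.replace(" eq ", " = ")
    sql = "SELECT name FROM users WHERE hidden = 0 AND " + where
    return [row[0] for row in conn.execute(sql)]


class FilterError(ValueError):
    """Raised when a $filter expression is outside the allowlisted grammar."""


# Allowlisted grammar: `field eq 'value'` clauses joined by ` and `.
# Only known column names may appear, and values may not contain quotes.
_CLAUSE = re.compile(r"^(\w+)\s+eq\s+'([^']*)'$")
_FIELDS = {"name", "role"}


def parse_filter(odata_filter):
    """Translate an allowlisted $filter into a WHERE fragment plus bind parameters.
    Anything that does not match the grammar is rejected outright."""
    where, params = [], []
    for clause in odata_filter.split(" and "):
        m = _CLAUSE.match(clause.strip())
        if not m or m.group(1) not in _FIELDS:
            raise FilterError(f"rejected filter clause: {clause.strip()!r}")
        where.append(f"{m.group(1)} = ?")   # column name comes from the allowlist
        params.append(m.group(2))           # value is bound, never spliced
    return " AND ".join(where), params


def safe_filter(conn, odata_filter):
    """Hardened handler: grammar check first, then a parameterized query."""
    where, params = parse_filter(odata_filter)
    sql = "SELECT name FROM users WHERE hidden = 0 AND " + where
    return [row[0] for row in conn.execute(sql, params)]


def filter_accepted(odata_filter):
    """True if the hardened parser would accept this $filter expression."""
    try:
        parse_filter(odata_filter)
        return True
    except FilterError:
        return False


if __name__ == "__main__":
    conn = make_db()
    benign = "role eq 'admin'"
    tampered = "role eq 'admin' or 1=1"   # constructed: extends the WHERE clause
    print("benign, vulnerable :", vulnerable_filter(conn, benign))
    print("benign, hardened   :", safe_filter(conn, benign))
    print("tampered, vulnerable:", vulnerable_filter(conn, tampered))  # leaks hidden row
    print("tampered accepted by hardened parser?", filter_accepted(tampered))
```

Running the script shows the vulnerable handler returning every row, including the hidden account, for the tampered filter, while the hardened handler never builds a query from it. In a real service the same allowlist-then-bind pattern applies whatever the filter syntax is; the grammar above is deliberately tiny.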
Eclypsium, the company that discovered and reported the vulnerabilities, also published a proof-of-concept exploit. It highlighted that the hidden accounts an attacker creates are not visible in Next Central Manager, which makes them well suited to persistent malicious activity.
In addition, Eclypsium pointed out that the Central Manager console could be exploited remotely to gain complete administrative control over the system.
As a precautionary measure, F5 recommends restricting access to Next Central Manager to trusted users over secure networks until administrators have installed the security updates.
Although there is currently no evidence of these vulnerabilities being exploited in attacks, users should take preventive measures now. While the exact number of BIG-IP Next Central Manager deployments is unknown, Shodan has identified over 10,000 F5 BIG-IP devices with management ports exposed to the internet.