The Confusing History of F5 BIG-IP RCE Vulnerabilities

This report analyzes several F5 BIG-IP vulnerabilities and in-the-wild exploitation attempts — including SSRF-based auth bypass leading to RCE (CVE-2021-22986), header-smuggling auth bypass (CVE-2022-1388), post-auth command injection (CVE-2021-23015), and rpmspec injection (CVE-2022-41800) — providing PoCs, observed HTTP request patterns, and detection/tagging recommendations based on GreyNoise sensor captures.