Multiple industry outlets reported Monday that threat actors have started exploiting the critical vulnerability tracked as CVE-2022-1388, which affects many versions of F5’s BIG-IP devices.

This latest news followed reports over the weekend by the Horizon3 Attack Team and Positive Technologies’ PT Swarm that they had created working exploits and urged security teams to immediately patch the critical vulnerability, which has a 9.8 severity rating.

The patches are readily available, as F5 released them last week and the Cybersecurity and Infrastructure Security Agency (CISA) issued an advisory with a link to the patches. Also on Monday, Randori posted a detailed blog and analysis of the BIG-IP vulnerability.

Nicole Hoffman, senior cyber threat intelligence analyst at Digital Shadows, said that several security researchers have shared how quickly they were able to create a working exploit for the vulnerability. Hoffman said many GitHub repositories already contain alleged exploits as well.

“Although mass scanning activity for this vulnerability has not yet been detected, it’s likely only a matter of time before this activity begins,” Hoffman said. “Ransomware groups have a history of exploiting vulnerabilities, especially high-profile ones like the BIG-IP vulnerability. Given the dwell time of most ransomware attacks and the lack of reporting, it may be some time before reports of ransomware groups exploiting this vulnerability hit the news.”

It’s useful to understand the root cause of the BIG-IP problem, said Mike Parkin, senior technical engineer at Vulcan Cyber, who added that the relative ease with which it was found makes it likely that threat actors will reach the same conclusions and develop exploits themselves.

“Since mitigations and updates are already available, this revelation should serve as a reminder to get these patches and mitigations in place quickly,” Parkin said.