F5 Patches Dangerous Vulnerabilities in BIG-IP Next Central Manager


F5 on Wednesday announced patches for its BIG-IP Next Central Manager to address potentially dangerous vulnerabilities that experts say could allow attackers to take complete control of a device.

Enterprise firmware and hardware security firm Eclypsium claims to have found a total of five vulnerabilities in the BIG-IP Next Central Manager product, which allows F5 customers to control all of their BIG-IP Next instances and services from a unified management interface.

F5 has assigned only two CVE identifiers, and Eclypsium says it is unclear whether the remaining three issues have also been addressed.

One of the patched vulnerabilities is CVE-2024-21793, which F5 has classified as ‘high severity’ and described as an OData injection issue that can allow an unauthenticated attacker to execute malicious SQL statements through the Next Central Manager API.

The second fixed security hole, identified as CVE-2024-26026, is a SQL injection vulnerability with similar impact that can also be exploited by an unauthenticated attacker.
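Both flaws above share the same root cause: user-controlled query syntax reaching the database without being parsed or parameterized. The following is an added, generic illustration of that class of bug, not code from F5 or from Eclypsium's write-up; the table, field names and sample rows are constructed for the example. It translates an OData-style `$filter` expression into SQL two ways: a naive string splice that lets `OR 1=1` bypass the intended filter, and a hardened translator that accepts only a whitelisted field and operator, parses the string literal, and binds it as a parameter.

```python
import re
import sqlite3

# Constructed sample data for the example (not an F5 schema).
ROWS = [("admin", "hash-a"), ("ops", "hash-b"), ("auditor", "hash-c")]


def make_db():
    """In-memory SQLite table standing in for a management-plane user store."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, pw_hash TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", ROWS)
    return conn


def vulnerable_query(conn, odata_filter):
    """Vulnerable: maps the OData 'eq' operator to '=' and splices the rest of
    the client-supplied $filter verbatim into the WHERE clause."""
    sql = "SELECT name FROM users WHERE " + odata_filter.replace(" eq ", " = ")
    return [row[0] for row in conn.execute(sql)]


# Hardened translator: one comparison of the form  <field> eq|ne '<literal>'
# where the literal follows OData quoting (a single quote is doubled).
ALLOWED_FIELDS = {"name"}
OPERATORS = {"eq": "=", "ne": "!="}
CLAUSE = re.compile(r"^\s*([A-Za-z_]\w*)\s+(eq|ne)\s+'((?:[^']|'')*)'\s*$")


def safe_query(conn, odata_filter):
    """Hardened: parse the filter into (field, operator, literal), reject
    anything outside the grammar, and bind the literal as a parameter so it
    can never be interpreted as SQL."""
    match = CLAUSE.match(odata_filter)
    if not match:
        raise ValueError("unsupported $filter expression")
    field, op, literal = match.groups()
    if field not in ALLOWED_FIELDS:
        raise ValueError("unknown field: %s" % field)
    sql = "SELECT name FROM users WHERE %s %s ?" % (field, OPERATORS[op])
    value = literal.replace("''", "'")  # undo OData quote escaping
    return [row[0] for row in conn.execute(sql, (value,))]


def demo():
    """Run both translators against a benign filter and two injection attempts."""
    conn = make_db()
    benign = "name eq 'admin'"
    injected = "name eq 'x' OR 1=1 --"            # breaks out of the literal
    escaped = "name eq 'x'' OR 1=1 --'"           # stays inside a quoted literal
    results = {
        "vuln_benign": vulnerable_query(conn, benign),
        "vuln_injected": sorted(vulnerable_query(conn, injected)),
        "safe_benign": safe_query(conn, benign),
        "safe_escaped": safe_query(conn, escaped),
    }
    try:
        safe_query(conn, injected)
        results["safe_injected_rejected"] = False
    except ValueError:
        results["safe_injected_rejected"] = True
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The vulnerable path returns every row for the injected filter because `OR 1=1` is evaluated as SQL; the hardened path rejects that input outright and, when the attacker keeps the payload inside a properly quoted literal, binds it as data and matches nothing. An unauthenticated API that reaches the database this way is exactly the exposure the two CVEs describe.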

F5 says no other products beyond Next Central Manager are impacted by these vulnerabilities. 

According to Eclypsium, which published technical details and proof-of-concept (PoC) code for all of the five vulnerabilities on Wednesday, the SQL injection flaws allow a remote attacker to gain full administrative control of a device, while the other weaknesses enable them to create accounts on any F5 asset managed by the Next Central Manager. 

“These attacker-controlled accounts would not be visible from the Next Central Manager itself, enabling ongoing malicious persistence within the environment,” Eclypsium explained.


Eclypsium has so far found no evidence of in-the-wild exploitation, but BIG-IP product vulnerabilities are known to have been targeted by threat actors in the past.

Related: Critical Vulnerability Exploited to ‘Destroy’ BIG-IP Appliances

Related: F5 Warns of Critical Remote Code Execution Vulnerability in BIG-IP

Related: Technical Details, IoCs Available for Actively Exploited BIG-IP Vulnerability
