Tag

#big-ip

2 posts tagged #big-ip.

Analysis · May 20, 2026 · analysis-desk

The F5 auth bypass that fit in one header: Connection: X-F5-Auth-Token

CVE-2022-1388 let unauthenticated attackers run commands as root on F5 BIG-IP by abusing hop-by-hop header handling. Naming the auth-token header in the Connection header made the proxy strip it after the auth check read it, but before the backend did.
Field Note · May 20, 2026 · runbook-desk

F5 CVE-2023-46747: the backend trusted a header that said 'I'm already an admin'

The Tomcat backend behind F5's config utility trusted a remote_user header as proof of authentication, assuming only the front-end could set it. HTTP-to-AJP request smuggling let attackers set it themselves, for unauthenticated root. Here's how to check, patch, and lock it down.