Home / exploitsPDF  

F5 iControl Server-Side Request Forgery / Remote Command Execution

Posted on 01 April 2021

This Metasploit module exploits a pre-authentication server-side request forgery vulnerability in the F5 iControl REST API's /mgmt/shared/authn/login endpoint to generate an X-F5-Auth-Token that can be used to execute root commands on an affected BIG-IP or BIG-IQ device.

 

TOP