CVE-2014-3220
published 2014-05-05


Priority: P3 · 55 · critical
CVSS 2.0: 9 (AV:N/AC:L/Au:S/C:C/I:C/A:C)
EXPLOIT
EPSS: 11.00% (95.3th percentile)
F5 BIG-IQ Cloud and Security 4.0.0 through 4.1.0 allows remote authenticated users to change the password of arbitrary users via the name parameter in a request to the user's page in mgmt/shared/authz/users/.

Affected

1 ranges
Vendor | Product | Version range | Fixed in
f5 | big-iq | |

Detection & IOCs (extracted from sources)

url: /ui/actions/logmein.html
url: /mgmt/shared/authz/users/
path: /mgmt/shared/authz/users/root
port: 443
command: PUT /mgmt/shared/authz/users/<username>
  • Detect HTTP PUT requests to /mgmt/shared/authz/users/ where the JSON body 'name' field differs from the authenticated user in the URI path — this indicates privilege escalation via user spoofing.
  • Alert on HTTP PUT requests to /mgmt/shared/authz/users/root from non-root authenticated sessions, indicating an attempt to change the root password.
  • Monitor for POST authentication to /ui/actions/logmein.html followed immediately by PUT requests to /mgmt/shared/authz/users/ — this two-step sequence is the exploit's attack pattern.
  • Detect JSON PUT body containing 'kind':'shared:authz:users:usersworkerstate' with a 'name' field set to 'root' or another privileged user, especially when the selfLink user differs from the URI user.
  • Watch for repeated PUT requests to the same /mgmt/shared/authz/users/ endpoint with incrementing 'generation' values in the JSON body — this is the exploit's generation-correction retry loop.
  • After exploitation, monitor for new SSH (port 22) sessions to the BIG-IQ device originating from the same source IP that performed the /mgmt/shared/authz/users/ PUT requests.
  • The exploit requires valid credentials for an existing (non-root) account on the BIG-IQ device; unauthenticated exploitation is not possible.
  • The Metasploit module targets BIG-IQ version 4.1.0.2013.0 specifically; the NVD advisory covers the broader range 4.0.0 through 4.1.0.
  • SSL must be enabled on the target (port 443); the module defaults to SSL:true and RPORT 443.
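
The PUT-based checks above (name mismatch, root PUT from a non-root session, incrementing 'generation' retries) can be sketched as one pass over decrypted request records. This is an added example, not code from the advisory or from F5; the record fields (src, user, method, path, body) and the sample data are constructed assumptions about what a TLS-terminating proxy or WAF in front of the device could log.

```python
import json
from collections import defaultdict

USERS_PREFIX = "/mgmt/shared/authz/users/"

# Constructed sample records (not real logs); field names are assumptions.
SAMPLE = [
    {"src": "198.51.100.7", "user": "alice", "method": "POST",
     "path": "/ui/actions/logmein.html", "body": ""},
    {"src": "198.51.100.7", "user": "alice", "method": "PUT", "path": USERS_PREFIX + "alice",
     "body": '{"name":"root","generation":0,"kind":"shared:authz:users:usersworkerstate"}'},
    {"src": "198.51.100.7", "user": "alice", "method": "PUT", "path": USERS_PREFIX + "alice",
     "body": '{"name":"root","generation":1,"kind":"shared:authz:users:usersworkerstate"}'},
    {"src": "203.0.113.9", "user": "bob", "method": "PUT", "path": USERS_PREFIX + "bob",
     "body": '{"name":"bob","generation":4}'},
    {"src": "203.0.113.20", "user": "carol", "method": "PUT", "path": USERS_PREFIX + "root",
     "body": '{"name":"root","generation":2}'},
]

def detect(records):
    """Return (rule, src, detail) findings for PUTs to the authz users endpoint."""
    findings = []
    generations = defaultdict(list)  # (src, path) -> generation values seen, in order
    for rec in records:
        if rec["method"] != "PUT" or not rec["path"].startswith(USERS_PREFIX):
            continue
        uri_user = rec["path"][len(USERS_PREFIX):].strip("/")
        try:
            body = json.loads(rec["body"])
        except ValueError:
            continue  # unparseable body: outside what these rules inspect
        if not isinstance(body, dict):
            continue
        name = body.get("name")
        # Body 'name' names a different account than the one in the URI path.
        if name is not None and name != uri_user:
            findings.append(("name-mismatch", rec["src"], f"{uri_user} -> {name}"))
        # PUT to the root user's page from a session that is not root.
        if uri_user == "root" and rec["user"] != "root":
            findings.append(("root-put", rec["src"], rec["user"]))
        # Same source repeating the PUT with a higher 'generation' value.
        gen = body.get("generation")
        if isinstance(gen, int):
            seen = generations[(rec["src"], rec["path"])]
            if seen and gen > seen[-1]:
                findings.append(("generation-retry", rec["src"], f"{seen[-1]} -> {gen}"))
            seen.append(gen)
    return findings

if __name__ == "__main__":
    for finding in detect(SAMPLE):
        print(finding)
```

The generation rule also fires on a legitimate user who edits their own account twice, so it is best treated as supporting evidence alongside a name-mismatch or root-put finding from the same source.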