Public exploit available
Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).

CVE-2015-3628

CWE-2644 documents4 sources
Severity
9.0CRITICAL
EPSS
75.2%
top 1.12%
CISA KEV
Not in KEV
Exploit
PoC available
Public exploit / PoC exists
Affected products
18
F5 Big-ip Access Policy ManagerF5 Big-ip Advanced Firewall ManagerF5 Big-ip Analytics+15 more
Timeline
PublishedDec 7
Latest updateMay 14

Description

The iControl API in F5 BIG-IP LTM, AFM, Analytics, APM, ASM, Link Controller, and PEM 11.3.0 before 11.5.3 HF2 and 11.6.0 before 11.6.0 HF6, BIG-IP AAM 11.4.0 before 11.5.3 HF2 and 11.6.0 before 11.6.0 HF6, BIG-IP Edge Gateway, WebAccelerator, and WOM 11.3.0, BIG-IP GTM 11.3.0 before 11.6.0 HF6, BIG-IP PSM 11.3.0 through 11.4.1, Enterprise Manager 3.1.0 through 3.1.1, BIG-IQ Cloud and Security 4.0.0 through 4.5.0, BIG-IQ Device 4.2.0 through 4.5.0, and BIG-IQ ADC 4.5.0 allows remote authenticate

CVSS vector

AV:N/AC:L/C:C/I:C/A:CExploitability: 8.0 | Impact: 10.0

Affected Packages18 packages

NVDf5/big-ip_link_controller8 versions+7
NVDf5/big-ip_enterprise_manager3.0.0, 3.1.0, 3.1.1+2
NVDf5/big-iq_cloud6 versions+5

🔴Vulnerability Details

2
GHSA
GHSA-fv4r-7842-6m86: The iControl API in F5 BIG-IP LTM, AFM, Analytics, APM, ASM, Link Controller, and PEM 112022-05-14
CVEList
CVE-2015-3628: The iControl API in F5 BIG-IP LTM, AFM, Analytics, APM, ASM, Link Controller, and PEM 112015-12-07

💥Exploits & PoCs

1
Exploit-DB
F5 iControl - 'iCall::Script' Root Command Execution (Metasploit)2015-11-19
CVE-2015-3628 (CRITICAL CVSS 9) | The iControl API in F5 BIG-IP LTM | cvebase.io