Threat Signals

Actionable intelligence on real-world threats as they unfold. Get insights into attacker behavior, infrastructure, exploitation of zero-days and n-days, temporal pattern, and geographic hotspots — all sourced from GreyNoise’s Global Observation Grid (GOG). Stay ahead of emerging threats, block malicious IPs, and understand what’s happening in the moment.

Exploitation of CitrixBleed 2 (CVE-2025-5777) Began Before PoC Was Public

GreyNoise has observed active exploitation attempts against CVE-2025-5777 (CitrixBleed 2), a memory overread vulnerability in Citrix NetScaler. Exploitation began on June 23 — nearly two weeks before a public proof-of-concept (PoC) was released on July 4.

We created a tag on July 7 to track this activity. Because GreyNoise retroactively associates pre-tag traffic with new tags, prior exploitation attempts are now visible in the GreyNoise Visualizer.

‍

Key Observations

First observed activity: June 23, 2025
PoC released: July 4, 2025
GreyNoise tag published: July 7, 2025
CISA confirms activity with GreyNoise: July 9, 2025 (prior to KEV addition)

‍

TRACK MALICIOUS IPS BLOCK MALICIOUS IPS

‍

‍

Targeted Behavior

Early exploitation attempts came from malicious IPs geolocated in China. Rather than exploiting indiscriminately, these IPs targeted GreyNoise sensors configured to emulate Citrix NetScaler appliances, suggesting deliberate targeting.

‍

CISA Confirmation

On July 9, shortly after we published the tag, CISA contacted GreyNoise to confirm exploitation activity. CVE-2025-5777 was subsequently added to the Known Exploited Vulnerabilities (KEV) catalog.

‍

Recommended Actions

Defenders can dynamically block malicious IPs to reduce exposure and suppress alerts.

‍

TRACK MALICIOUS IPS BLOCK MALICIOUS IPS

‍

The above list will stay updated as new IPs are observed attempting to exploit CVE-2025-5777.

‍

‍GreyNoise has developed an enhanced dynamic IP blocklist to help defenders take faster action on emerging threats. Click here to learn more about GreyNoise Block.

‍

— — —

‍

^{Stone is Head of Content at GreyNoise Intelligence, where he leads strategic content initiatives that illuminate the complexities of internet noise and threat intelligence. In past roles, he led partnered research initiatives with Google and the U.S. Department of Homeland Security. With a background in finance, technology, and engagement with the United Nations on global topics, Stone brings a multidimensional perspective to cybersecurity. He is also affiliated with the Council on Foreign Relations.}

Noah Stone

Jul 16, 2025

Thank you! Your submission has been received!

Oops! Something went wrong while submitting the form.

Vulnerability — OpenSSL v3 (<v3.0.7) Buffer Overflow (SpookySSL)

This blog will be updated as new information becomes available

Based on our current understanding of the vulnerabilities, CVE-2022-3786 and CVE-2022-3602, patched in OpenSSL 3.0.7, GreyNoise is unlikely to observe opportunistic mass exploitation in the wild.

What is being patched?

On Oct 25, 2022 the OpenSSL project authors announced via mailing list that OpenSSL 3.0.7 would become available on Nov 1st, 2022 between 1300-1700 UTC and include a high severity, marked HIGH, security-fix

The release occurred on Nov 1st, 2022, at 1600 ET and includes fixes for affected versions v3.0.x through v3.0.6. The patch, available here, addresses following issues:

Added RIPEMD160 to the default provider.
Fixed regressions introduced in 3.0.6 version.
Fixed two buffer overflows in punycode decoding functions. CVE-2022-3786 and CVE-2022-3602.

OpenSSL is a library that provides general purpose cryptographic functions. As with any usage of cryptographic operations, there is a reasonable expectation that operation involves sensitive data and any disclosure of information is highly problematic in nature.

The full change log provides the full description of both vulnerabilities as follows:

A buffer overrun can be triggered in X.509 certificate verification, specifically in name constraint checking. Note that this occurs after certificate chain signature verification and requires either a CA to have signed the malicious certificate or for the application to continue certificate verification despite failure to construct a path to a trusted issuer.

In a TLS client, this can be triggered by connecting to a malicious server. In a TLS server, this can be triggered if the server requests client authentication and a malicious client connects.

An attacker can craft a malicious email address to overflow an arbitrary number of bytes containing the `.` character (decimal 46) on the stack. This buffer overflow could result in a crash (causing a denial of service). ([CVE-2022-3786])

An attacker can craft a malicious email address to overflow four attacker-controlled bytes on the stack. This buffer overflow could result in a crash (causing a denial of service) or potentially remote code execution depending on stack layout for any given platform/compiler. ([CVE-2022-3602])

‍

For additional details, see OpenSSL Security Advisory [01 November 2022].

Am I impacted?

OpenSSL is a library and toolkit that can be used in a variety of ways. The most common integration scopes are via the System, or as a Dynamically or Statically linked library. The security vulnerabilities addressed in today’s patch address versions v3.0.x through v3.0.6. If you are not utilizing a version within that range then you are not affected by these vulnerabilities.

System

If OpenSSL is installed as a toolkit on your system you can quickly check by running the command openssl version which will report back the installed system version.

Dynamically or Statically Linked

When OpenSSL is utilized as a library in a larger program it can be linked Statically or Dynamically.

When OpenSSL is statically linked, the library is bundled into the resulting executable of program when it is compiled, making the single executable contain all of the needed functionality as a single file.

When OpenSSL is dynamically linked, the library is expected to already exist on the system for which the program is expected to run. When the program is executed it searches a list of filesystem paths to locate the OpenSSL library and loads it as needed.

If you have access to the source code for the program you wish to evaluate for this vulnerability, the best way way is check for usage of the openssl3 library in the dependencies.

If you do not have access to source code, we recommend reaching out to the software vendor to ask for an evaluation and corresponding announcement. There are operating system specific methods to attempt to evaluate this yourself, but they require a more complex understanding of how libraries are loaded when a program is run. We recommend reaching out to the software vendor and requesting an announcement if you believe the software may be impacted. The software vendor should be able to answer in confidence.

What does this look like in the real world?

OpenSSL 3.0.0 was released in September 2021 meaning that its usage is not as pervasive in older, more widely deployed software. For more details, see Censys’ blog regarding potentially vulnerable OpenSSL 3.x enabled devices.

In a self-evaluation of all of GreyNoise’s infrastructure which included our wide array of honeypot style sensors spread across a large variety of operating systems and cloud providers we did not identify any usage of vulnerable versions of OpenSSL v3.0.x

This will not hold true of all organizations, but it is a data-point we can provide at this time.

What are next steps?

Evaluate your environment for usage of OpenSSL <v3.0.7
Update dependencies to utilize OpenSSL v3.0.7+
Contact software vendor for support if you believe a vulnerable version of OpenSSL is statically linked to software your organization runs.

References

OpenSSL provides an official security advisory and patch.
DataDog Security Labs provides an deep dive on the vulnerability and proof-of-concept.
NCSC-NL is maintaining a list of software/hardware and impact status.
Royce Williams is maintaining a similar list along with other resources.

The GreyNoise Team

Nov 1, 2022

Vulnerability - FortiOS Authentication Bypass

On October 6th, Fortinet sent an advance notice email to selected customers notifying them of CVE-2022-40684, a critical severity vulnerability (CVSS: 9.6) authentication bypass on the administrative interface of FortiOS / FortiProxy.

Affected versions and software include:

FortiOS version 7.2.0 through 7.2.1
FortiOS version 7.0.0 through 7.0.6
FortiProxy version 7.2.0
FortiProxy version 7.0.0 through 7.0.6
FortiSwitchManager version 7.2.0
FortiSwitchManager version 7.0.0

Mitigation steps and workarounds can be found at: https://www.fortiguard.com/psirt/FG-IR-22-377

How to track FortiOS Authentication Bypass Attempt

GreyNoise was contacted by Horizon3 for collaboration of their ongoing research into the FortiOS vulnerability. They graciously provided the necessary information needed to accurately tag this vulnerability.

GreyNoise users can track IPs attempting to exploit CVE-2022-40684 via:

https://viz.greynoise.io/tag/fortios-authentication-bypass-attempt?days=3

Users can also search for the vulnerabilities using GNQL by CVE –

cve:CVE-2022-40684

‍

or by tag name –

tags:”FortiOS Authentication Bypass Attempt”

What we know

As of October 13, GreyNoise has observed IPs attempting internet-wide exploitation of this vulnerability, with activity increasing quickly over the past 24 hours. We are aware of several Proof-Of-Concept (POC) code examples to exploit CVE-2022-40684 and expect related exploitative network activity to continue to increase now that these are publicly available.

‍

FortiOS handles API calls by proxying all requests to an interface that is only accessible internally. This internal interface is responsible for verifying authentication and authorization. Proxied requests contain some additional parameters which can be used by FortiOS to bypass or authenticate internal requests. This allows an attacker to masquerade as an internal system API call, bypassing authentication on all externally-facing API endpoints.

Horizon3 has demonstrated leveraging the exploit to achieve authenticated SSH access to vulnerable devices as well as a blog on relevant Indicators Of Compromise (IOCs):

Independent of any knowledge of Horizon3’s collaboration with GreyNoise, one of our engineers (Ian Ling) got curious and spent some time over the weekend researching the vulnerability, leading to successful exploitation with a slightly different methodology.

Authentication bypass in FortiOS / FortiProxy (CVE-2022-40684) is trivial to exploit and users should patch or employ mitigations immediately.

Recommended next steps

If you need to buy time under SLAs: use a block list and apply mitigations, check for presence of IOCs, and work towards upgrading software.

GreyNoise Research

Oct 12, 2022

Zero-Day Vulnerability – Microsoft Exchange

What we know

UPDATE 01-Oct-22: Microsoft Security Threat Intelligence released updated mitigation guidance through their blog. This is noted in the Mitigations section.

GreyNoise is investigating claims of multiple zero-day vulnerabilities in Microsoft Exchange Server, nicknamed ProxyNotShell.

Microsoft announced these are being tracked under the following CVEs:

The first vulnerability, identified as CVE-2022-41040, is a Server-Side Request Forgery (SSRF) vulnerability
The second, identified as CVE-2022-41082, allows remote code execution (RCE) when PowerShell is accessible to the attacker

Microsoft has reserved CVEs, but details have been added to the MITRE database:

These vulnerabilities are also being tracked by Zero-Day Initiative (ZDI), who demonstrated the exploit on Twitter, under ZDI-CAN-18333 and ZDI-CAN-18802.

GreyNoise is currently monitoring for any activity matching indicators described in the original vulnerability write-up.

This vulnerability is similar to (but not the same as) ProxyShell (CVE-2021-34473, CVE-2021-34523, CVE-2021-31207).

How to track ProxyNotShell in GreyNoise

GreyNoise has released a single tag for tracking IPs checking for the presence of a vulnerability to ProxyNotShell:

Exchange ProxyNotShell Vuln Check

GreyNoise is actively monitoring for additional information needed to track and tag ProxyNotShell Vuln Attempts.

Users can also search for the vulnerabilities using GNQL by CVE -

cve:CVE-2022-41040 OR cve:CVE-2022-41082

‍

or by tag name -

tags:"Exchange ProxyNotShell Vuln Check"

‍

‍Please note that this tag is not the same as the tags for tracking for ProxyShell (2021):

What GreyNoise has observed

Additionally, the write-up authors note that they “detected exploit requests in IIS logs with the same format as ProxyShell vulnerability.” Using this information, GreyNoise researchers searched historical sensor records from 2021-01-01 to 2022-09-29 for Proxyshell-related backend paths. GreyNoise has not observed any new backend paths in use since 2021-08-27.

The GreyNoise Analyzer shows that four of the IOC IPs have been observed by GreyNoise:

‍

Of these, 104[.]244[.]79[.]6 and 185[.]220[.]101[.]182 are Tor exits:

GreyNoise did not observe any OWA-related traffic from them in the past year.

The other two IPs, 137[.]184[.]67[.]33, the C2, and 103[.]9[.]76[.]208 can be seen here:

At this time, GreyNoise has not observed anything believed to be related to the vulnerability from these IPs in the past year.

Ongoing Monitoring

Microsoft indicated that CVE-2022-41040 could enable an authenticated attacker to trigger CVE-2022-41082 remotely. This vulnerability is similar to the 2021 ProxyShell vulnerability, which involved fabricating an authentication token. At this time, we lack the information necessary to determine if “ProxyNotShell” leverages a similar authentication token leak.

Mitigations

Microsoft Security Threat Intelligence is releasing official up-to-date mitigation guidance through their blog.

Additionally, anyone can download the Blocklist for ‘Exchange ProxyNotShell Vuln Check’ to block at their firewall. For more information on how this works, please see GreyNoise documentation on Firewall Blocking with GreyNoise Trends.

There is currently no patch available for these vulnerabilities. We will update this blog with more information as it becomes available.

GreyNoise Research

Sep 30, 2022

Making sense of Zimbra

On April 20th, 2022, NVD published CVE-2022-27925, a vulnerability in Zimbra Collaboration Suite (ZCS) 8.8.15 and 9.0 that allowed an authenticated user with administrator rights to upload arbitrary files to the system, leading to directory traversal.

On August 10th, 2022, Volexity published a blog investigating CVE-2022-27925 and announcing their discovery of an authentication bypass. This bug was a result of an incomplete fix for CVE-2022-27925.

On August 12th, 2022, NVD published Volexity’s authentication bypass as CVE-2022-37042.

Attackers can chain CVE-2022-37042 and CVE-2022-27925 to bypass authentication and upload arbitrary files such as web shells, leading to remote code execution. As of August 18th, 2022, GreyNoise has observed these two exploits in the wild with varying parameters appended to their POST paths:

‍

*Images showing POST paths used for exploiting CVE-2022-37042 and CVE-2022-27925*

‍

At this time, GreyNoise has not validated which parameters are required for exploitation.

Most of these POST attempts contain a zip archive starting with the bytes “PK” (\x50\x4B) that deploys a JSP web shell to the following path:

These JSP files act as a backdoor that attackers can later access for remote code execution.

GreyNoise has observed two different JSP payloads. The first is a generic web shell that allows arbitrary command execution:

‍

*Generic web shell allowing arbitrary command execution*

‍

The second appears to only log the string “NcbWd0XGajaWS4DmOvZaCkxL1aPEXOZu” and delete itself:

‍

*Logging the string “NcbWd0XGajaWS4DmOvZaCkxL1aPEXOZu” followed by deletion*

‍

The following PoC produces a request similar to the one observed by GreyNoise:
https://github.com/GreyNoise-Intelligence/Zimbra_CVE-2022-37042-_CVE-2022-27925

GreyNoise tags for tracking and blocking this activity are live and available to all users:

Matthew Remacle

Aug 18, 2022

VMWare Workspace ONE vulnerabilities: CVE-2022-31656 and CVE-2022-31659

TL;DR on CVE-2022-31656 and CVE-2022-31659

On August 2, 2022, VMWare disclosed two vulnerabilities in VMWare Workspace ONE products:

CVE-2022-31656: VMware Workspace ONE Access, Identity Manager, and vRealize Automation contain an authentication bypass vulnerability affecting local domain users. A malicious actor with network access to the UI may obtain administrative access without needing to authenticate.
CVE-2022-31659: VMware Workspace ONE Access and Identity Manager contain a remote code execution vulnerability. A malicious actor with administrator and network access can trigger remote code execution.

VMWare has published patched versions of the products to remediate the vulnerabilities.

GreyNoise has created tags for tracking and blocking exploit activity on these CVEs that are live and available to all users:

We have not observed either of these CVEs being actively exploited in the wild, as of the publication date of this blog.

Disclosure Discussion

On August 2, 2022, Petrus Viet, the researcher responsible for disclosing the vulnerabilities to VMWare, tweeted a screenshot demonstrating successful exploitation of the CVE-2022-31656 authentication bypass, but did not include proof-of-concept (PoC) code).

Based on the screenshot, GreyNoise researchers speculate that Petrus’ work was based on the Horizon3 CVE-2022-22972 PoC , a similar authentication bypass discovered in May 2022.

*Figure 1: Comparison between Horizon3 CVE-2022-22972 PoC (left) to Petrus’ CVE-2022-31656 exploitation screenshot.*

‍

A blue teamer with a keen eye may note that the working directory for the CVE-2022-31656 exploit is “D:\Intellij\horizon”, perhaps hinting at Horizon3, in addition to several messages logged to the console that are similar to those from the Horizon3 CVE-2022-22972 PoC:

Extraction of “protected_state” from a WorkSpace ONE endpoint
A POST request to the auth endpoint
A resulting “HZN” cookie which is granted access to the workspace ONE application

The main difference appears to be where the “protected_state” is extracted. These similarities gave key hints to the paths in the application defenders should monitor for exploitation.

On August 9th, 2022, Petrus published a writeup ) for both vulnerabilities but did not provide any POC code. GreyNoise created tags for these CVEs based on paths from this writeup.

*Figure 2: Path for Authentication Bypass (CVE-2022-31656)*

‍

*Figure 3: Path for Remote Code Execution (CVE-2022-31659)*

‍

Mitigation Actions

GreyNoise tags for tracking and blocking this activity are live and available to all users:

VMware Workspace ONE Authentication Bypass CVE-2022-31656 Attempt

VMware Workspace ONE RCE CVE-2022-31659 Attempt

Until you can install the patched versions of these VMWare products, GreyNoise offers a temporary mitigation you can apply:

Block mass exploit IP addresses - GreyNoise is monitoring these CVEs for mass exploit activity, including curating a dynamic list of IP addresses attempting to exploit this vulnerability over the past 24 hours. You can use this IP list to block temporarily until you have had time to install a patched version. The IP addresses can be downloaded in several formats, including JSON, CSV, TXT files, as well as dynamically updated URLs for use with Palo Alto Networks, Cisco, and Fortinet firewalls. The IP lists are available at the links above.

The GreyNoise Team

Aug 9, 2022

Observed in the Wild: Atlassian Confluence Server CVE-2022-26134

TL;DR on CVE-2022-26134

GreyNoise Research is tracking the critical-rated zero-day vulnerability CVE-2022-26134 in our tag “Atlassian Confluence Server CVE-2022-26134 OGNL Injection Attempt”
This OGNL injection vulnerability allows an unauthenticated user to execute arbitrary code on a Confluence Server or Data Center instance, and Confluence versions as old as 1.0.3 are vulnerable.
Atlassian released a security advisory for CVE-2022-26134 on 2-Jun-22.
As of 3-Jun-22, Atlassian has released patches and a temporary workaround to address the issue.
GreyNoise is currently observing a steady increase in the number of IPs attempting to exploit this vulnerability.
Due to the nature of disclosure and intensity of ongoing exploitation, GreyNoise advises to assume compromise.
Download the latest list of IPs trying to exploit this vulnerability here for use in analysis and temporary blocking

UPDATE: 8-Jun-22

Clustered CVE-2022-26134 Payloads as Observed by GreyNoise
GreyNoise has observed a number of variations of CVE-2022-26134 payloads with various intent. Shown below is a visualization of clusters of related payloads.
• IPs are removed from payloads for normalization
• Each node is a unique payload after normalization
• Each connection between nodes is when 2 nodes share a similarity score >85 using ssdeep
• Significantly dynamic payloads will not share similarity with other payloads and do not appear in the visual

‍

Vulnerability Overview - CVE-2022-26134

On 2-Jun-22, Atlassian released a security advisory to address a remote code execution vulnerability (CVE-2022-26134) affecting all supported versions of Confluence Server and Data Center products. An unauthenticated, remote attacker could exploit this vulnerability to execute code remotely. Atlassian reports that there is known exploitation of this vulnerability.

The zero-day vulnerability was initially discovered by cybersecurity firm Volexity. In a coordinated disclosure, Volexity explained that the vulnerability was discovered over the Memorial Day weekend while performing incident response. After conducting an investigation, Volexity could reproduce the exploit against the latest Confluence Server version and disclosed it to Atlassian on May 31st.

‍

"After a thorough review of the collected data, Volexity was able to determine the server compromise stemmed from an attacker launching an exploit to achieve remote code execution," explains a blog post by Volexity. "We were subsequently able to recreate that exploit and identify a zero-day vulnerability impacting fully up-to-date versions of Confluence Server."

‍

Confluence Security Advisory 2022-06-02 identifies which versions were affected, and the company has issued patches for the flaw, as well as recommended temporary workarounds until the fixes can be applied.

Cybersecurity firm Shodan has identified internet-facing Confluence systems in this search query:

https://www.shodan.io/search?query=http.favicon.hash%3A-305179312

Given the severity of the vulnerability and ease of exploitation, GreyNoise advises organizations to:

Apply mitigations or patch immediately on an emergency basis.
If you are unable to apply these mitigations, we recommend you restrict or disable Confluence Server and Confluence Data Center instances immediately.
Consider implementing IP address blocking rules against hosts actively attempting to exploit this vulnerability in the wild.

Observed In The Wild

GreyNoise Trends for Atlassian Confluence Server CVE-2022-26134 OGNL Injection Attempt:

https://viz.greynoise.io/tag/atlassian-confluence-server-cve-2022-26134-ognl-injection-attempt

As of 6-Jun-22 at 7:00 pm UTC, GreyNoise has observed over 850 unique IP addresses attempting to exploit the Atlassian Confluence Server OGNL Injection Attempt vulnerability, CVE-2022-26134.

Below are a set of observations from the GreyNoise Research team based on the mass exploitation activity for this CVE that we’ve captured via our passive global sensor network:

Scale of attacks

Around a third of GreyNoise sensors have been hit with this attack by a rising number of IP addresses. We have identified over 800 unique IPs in the first week of public proof of concept release, which makes this vulnerability in line with CVE-2021-44228 Apache Log4J exploitation traffic. The potential source of this large number of unique source IPs is the ease of exploitation mixed with the high-value target of Atlassian Confluence databases. The value of these databases is due to Confluence customers potentially storing important information like secrets, passwords, and proprietary knowledge in this documentation platform.

Source of attacks

Most exploit attempts have originated outside of VPNs or TOR exit nodes.

Normally malicious attackers primarily use anonymizers, but GreyNoise sensors are seeing a small amount of TOR traffic in comparison to VPN or non-anonymized traffic.
Attackers that are utilizing VPN are largely using Nord VPN.

90% of requests match the current Rapid7 PoC parameters. This includes reference to a Java package and setting the X-Cmd-Response header.

Exploitation techniques

Below is a running list of various exploitation techniques seen by GreyNoise researchers:

5% of our current sample includes ‘nslookup’ queries.
Most of the websites requested use generated subdomain prefixes; these are the apex domains:

Destructive attacks that include sudo rm -rf -no-preserve-root

Attempts to download and remove custom scripts.
Utilization of the Nashorn Java class recommended for exploration in the Rapid7 blog post.
Potentially “undetectable” initial access indicators. Includes commands like math evaluation, setting special X-headers for the response (X-FOI-TEST, X-Hax, X-Vul=True).

Admin user creation attempts. Administrative users could be used for later access, but the current commands seen for this did not have any response vector set to indicate success.

Under 1% of our current sample has Windows-related attempts. These attempts include PowerShell commands that download files that are no longer accessible, running cmd, dir commands.

Lots of bash shells. These just include wgets and reverse shell attempts so far.

Old friends: Mirai and Saru botnet additions. XMRig proliferation.
Classic indicators of initial access orienteering - whoami, dir, cat, hostname, ls -l.
Obfuscation techniques, such as putting the whole request in URL encoding:

Base64 encoding generic commands
A very creative [“cl"+"ass"].forName("jav"+"ax.sc"+"ript.S"+"criptEngineManager"

And naturally, people who have no idea what the hell they are doing.

Indicators of Compromise

The GreyNoise Trends tag, Atlassian Confluence Server CVE-2022-26134 OGNL Injection Attempt, provides a downloadable list of all the IP addresses observed attempting to mass exploit CVE-2022-26134 in the past 24 hours.

Mitigation Actions

Patch

Atlassian has released patched versions of Confluence Server & Data Center and recommends upgrading to the latest Long Term Support release.

Mitigation prior to patching

Until you can install the patched version of Confluence, there are several temporary mitigations you can apply:

Update specific files for specific versions of the product - For organizations unable to upgrade Confluence immediately, then as a temporary workaround, you can mitigate the CVE-2022-26134 issue by updating a specific set of .jar files identified in Confluence Security Advisory 2022-06-02.
Block mass exploit IP addresses - GreyNoise identifies a list of IP addresses attempting to exploit this Confluence vulnerability in the past 24 hours that you can block temporarily until you have had time to install a patched version. The IP addresses can be downloaded from GreyNoise Trends for Atlassian Confluence Server CVE-2022-26134 OGNL Injection Attempt in several formats, including JSON, CSV, TXT files, as well as dynamically updated URLs for use with Palo Alto Networks, Cisco, and Fortinet firewalls.

Note - Disabling anonymous access does not provide sufficient means to mitigate this vulnerability. link

Additional Information

The GreyNoise Team

Jun 6, 2022

Observed in the Wild: F5 BIG-IP CVE-2022-1388

TL;DR

As of 14-May-22, GreyNoise has observed 173 unique IP addresses attempting to exploit the F5 BIG-IP iControl REST Authentication bypass vulnerability in the wild.
GreyNoise Trends exploit activity observed in the wild for CVE-2022-1388
Observed exploit techniques include a large number of file requests, credential stuffing, and admin user creation.
Download the latest list of IPs trying to exploit this vulnerability here for use in analysis and temporary blocking

Vulnerability Overview - CVE-2022-1388

On 4-May-22, F5 Networks issued Security Advisory K23605346: BIG-IP iControl REST vulnerability CVE-2022-1388, which allows an unauthenticated attacker to take control of an affected system. According to NIST’s National Vulnerability Database, CVE-2022-1388 carries a CVSS score of 9.8 CRITICAL out of 10.

"This vulnerability may allow an unauthenticated attacker with network access to the BIG-IP system through the management port and/or self IP addresses to execute arbitrary system commands, create or delete files, or disable services," F5 said in an advisory. "There is no data plane exposure; this is a control plane issue only."

The F5 Security Advisory identifies which versions are affected, and the company has issued patches for the flaw, as well as recommended temporary workarounds until the fixes can be applied.

As of May 8, 2022, a number of security researchers started sharing evidence of their successful exploitation attempts:

Given the severity of the vulnerability and ease of exploitation, GreyNoise advises organizations to apply mitigations or patch immediately.

Observed In The Wild

GreyNoise Trends for F5 BIG-IP iControl REST Authentication Bypass:

https://viz.greynoise.io/tag/f5-big-ip-icontrol-rest-authentication-bypass

As of 14-May-22, GreyNoise has observed 173 unique IP addresses attempting to exploit the F5 BIG-IP iControl REST Authentication bypass vulnerability, CVE-2022-1388.

‍

Below are a set of observations from the GreyNoise Research team based on the mass exploitation activity for this CVE that we’ve captured via our passive global sensor network: