Two critical security vulnerabilities have been identified in the F5 Next Central Manager, posing significant threats to organizations using this network management device. The vulnerabilities, CVE-2024-21793 and CVE-2024-26026, are SQL and OData injection flaws that allow an unauthenticated attacker to execute malicious SQL statements through the BIG-IP Next Central Manager API. These flaws could enable attackers to gain full administrative control over the devices and manage all F5 assets through the compromised system.
The impact of exploiting these vulnerabilities extends beyond initial unauthorized access. Attackers can leverage this access to create hidden rogue administrator accounts, ensuring their persistence within the network even after initial security measures like password resets and system patches are applied. This hidden access is facilitated by an SSRF vulnerability that allows attackers to call an undocumented API to create these accounts undetected.
Eclypsium, the security firm that reported these vulnerabilities, also uncovered additional weaknesses in the system. These include vulnerabilities that could allow brute force attacks against administrative passwords and enable password resets without the need for current password verification. These security gaps could potentially allow attackers to lock out legitimate users, further compromising the security of the network.
While there have been no reports of these vulnerabilities being actively exploited in the wild, their existence within such critical infrastructure highlights the need for immediate updates and ongoing vigilance. F5 has addressed these issues in version 20.2.0 of Next Central Manager, and users are strongly encouraged to update their systems to this latest release to mitigate potential threats. This situation underscores the broader security challenges faced by networking and application infrastructure, which are increasingly targeted by attackers seeking to exploit highly privileged systems.
