Critical Flaws Found in F5 BIG-IP: WAF Crash and Admin UI Spoofing Risks Expose Enterprises to Disruption

Product Details

  • Product: F5 BIG-IP
  • Affected Modules: Advanced WAF / ASM
  • Component: bd (the ASM / Advanced WAF policy enforcement daemon)
  • Attack Vector: Network
  • Authentication Required: No
  • User Interaction: No

Vulnerability Overview

A denial-of-service condition exists in the BIG-IP Advanced WAF / ASM module when a security policy is enforced on a virtual server. Under specific and uncommon timing conditions, the bd process, which performs that enforcement, may terminate unexpectedly.

The issue originates from improper synchronization during concurrent request processing. When several requests are handled simultaneously, two execution paths can interleave in an order the code does not account for, producing a race condition. Once triggered, the bd process crashes, policy enforcement stops, and in some cases traffic handling on the affected virtual server is interrupted.

The BIG-IP system itself does not reboot, but the loss of bd leaves the virtual server without WAF protection, and possibly unstable, until the process is restarted automatically or an operator intervenes. Both outcomes are described for the traffic itself (continuing unprotected, or being interrupted), so operators should confirm on their own platform whether a virtual server fails open or closed while bd is down.


Impact

  • Denial of service against protected applications
  • Temporary loss of WAF / ASM protection
  • Potential repeated crashes if attack traffic continues
  • No evidence of code execution or data disclosure

Exploitation Details (Educational)

Exploitation is remote: the attacker sends a sequence of specially crafted HTTP requests timed to hit a narrow window. The requests must arrive concurrently and in sufficient volume to force the unsafe execution ordering inside the policy enforcement logic.

Because success depends on timing rather than on malformed syntax alone, reliable weaponization is non-trivial. High-concurrency traffic generators or automated tooling, however, substantially raise the probability of hitting the window, and an attacker who does not crash bd on the first attempt can keep sending traffic until it does.

No authentication is required, and the attack can be launched from any network location that can reach a virtual server protected by an Advanced WAF or ASM policy.


Proof of Concept / Exploit Availability

  • No publicly released proof-of-concept code is currently available.
  • No reliable weaponized exploit has been observed in public repositories.
  • Exploitation feasibility remains realistic for skilled attackers using concurrency-based request flooding.
  • Information is provided strictly for defensive and educational purposes.

Detection and Monitoring

Log Sources

  • BIG-IP system logs (/var/log/messages)
  • LTM logs (/var/log/ltm)
  • ASM / Advanced WAF logs
  • Process monitoring / watchdog alerts
  • Web access logs for affected virtual servers

Indicators of Compromise

  • Unexpected termination or restart of the bd process
  • Repeated log entries indicating segmentation faults or killed processes
  • Sudden loss of WAF enforcement without configuration changes
  • High-volume concurrent requests immediately preceding a crash

Detection Queries

Process Crash Detection (BIG-IP syslog)

grep -Ei "bd.*(terminated|segfault|killed|core dumped)" /var/log/messages* /var/log/ltm*

Correlation: Request Spike Before Crash

index=bigip_logs ((sourcetype=syslog "bd" ("terminated" OR "segfault" OR "core dumped")) OR sourcetype=access_logs)
| eval kind=if(sourcetype=="syslog", "crash", "request")
| bin _time span=1m
| stats count(eval(kind=="request")) AS requests, count(eval(kind=="crash")) AS crashes BY host, _time
| sort 0 host, _time
| streamstats window=2 sum(requests) AS requests_last_2m BY host
| where crashes > 0 AND requests_last_2m > 100

This returns the one-minute buckets in which a bd crash message coincides with more than 100 requests in the current and previous minute on the same host. Pivot from that window into the access logs (stats count by src_ip, virtual_server) to identify the source; the 100-request threshold is a starting point and should be set from the virtual server's normal baseline.

Repeated bd Restarts

grep -i "Starting bd" /var/log/messages* | wc -l

An unusually high restart count within a short timeframe should be treated as suspicious.
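The indicators and queries above can be exercised offline against a handful of log lines. The following Python script is an added example, not the advisory's or F5's own tooling: it parses constructed BIG-IP-style syslog and access-log lines, flags a restart storm (three or more "Starting bd" entries within ten minutes), and, for each bd crash, counts requests per source and virtual server in the preceding 60 seconds. The syslog layout, the simplified access-log shape, the process names, the sample messages and the thresholds are all assumptions; real crash message text varies by BIG-IP version, so adjust the patterns to what your devices actually log.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Assumption: classic BIG-IP syslog layout "Mon DD HH:MM:SS host proc[pid]: message".
SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"(?P<proc>[\w.-]+)(?:\[\d+\])?: (?P<msg>.*)$"
)
# Same wording the page's grep uses; real crash text varies by version.
CRASH_RE = re.compile(r"\bbd\b.*(terminated|segfault|killed|core dumped)", re.I)
RESTART_RE = re.compile(r"Starting bd", re.I)
# Assumption: a simplified access-log shape "ISO-ts src_ip virtual_server method path".
ACCESS_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) (?P<vs>\S+) ")
YEAR = 2026  # syslog lines carry no year; fixed here for the constructed sample


def parse_syslog_ts(ts: str) -> datetime:
    return datetime.strptime(f"{YEAR} {ts}", "%Y %b %d %H:%M:%S")


def bd_events(syslog_lines):
    """Yield (time, 'crash' | 'restart') for bd crash and restart messages."""
    for line in syslog_lines:
        m = SYSLOG_RE.match(line)
        if not m:
            continue
        # Match the whole line: "bd" may be the faulting process name, not part of the message.
        if CRASH_RE.search(line):
            yield parse_syslog_ts(m.group("ts")), "crash"
        elif RESTART_RE.search(m.group("msg")):
            yield parse_syslog_ts(m.group("ts")), "restart"


def restart_storm(events, window=timedelta(minutes=10), threshold=3) -> bool:
    """True if at least `threshold` bd restarts fall inside any span of length `window`."""
    times = sorted(t for t, kind in events if kind == "restart")
    for i, start in enumerate(times):
        if sum(1 for t in times[i:] if t - start <= window) >= threshold:
            return True
    return False


def requests_before(crash_time, access_lines, lookback=timedelta(seconds=60)) -> Counter:
    """Requests per (src_ip, virtual_server) in the `lookback` window before a crash."""
    counts = Counter()
    for line in access_lines:
        m = ACCESS_RE.match(line)
        if not m:
            continue
        t = datetime.fromisoformat(m.group("ts"))
        if crash_time - lookback <= t <= crash_time:
            counts[(m.group("src"), m.group("vs"))] += 1
    return counts


def correlate(syslog_lines, access_lines, threshold=100):
    """(crash_time, src_ip, virtual_server, count) for sources that burst just before a crash."""
    findings = []
    for t, kind in bd_events(syslog_lines):
        if kind != "crash":
            continue
        for (src, vs), n in requests_before(t, access_lines).items():
            if n > threshold:
                findings.append((t, src, vs, n))
    return findings


# Constructed sample data (not real BIG-IP output): two crashes, three restarts,
# and a 150-request burst from one source in the 30 s before the first crash.
SYSLOG_SAMPLE = """\
Mar  4 10:15:30 bigip1 kernel: bd[21876]: segfault at 18 ip 0000000000401c2a sp 00007ffd4e1b2a40 error 4 in bd
Mar  4 10:15:31 bigip1 watchdog[3412]: Starting bd
Mar  4 10:18:02 bigip1 watchdog[3412]: bd process terminated (core dumped)
Mar  4 10:18:03 bigip1 watchdog[3412]: Starting bd
Mar  4 10:21:45 bigip1 watchdog[3412]: Starting bd
Mar  4 10:30:00 bigip1 mcpd[1234]: Configuration load succeeded
""".splitlines()

_base = datetime(2026, 3, 4, 10, 15, 0)
ACCESS_SAMPLE = [
    f"{(_base + timedelta(milliseconds=200 * i)).isoformat()} 203.0.113.7 vs_app_https GET /login"
    for i in range(150)
] + [
    f"{(_base + timedelta(seconds=5 * i)).isoformat()} 198.51.100.9 vs_app_https GET /"
    for i in range(5)
]

if __name__ == "__main__":
    print("restart storm:", restart_storm(bd_events(SYSLOG_SAMPLE)))
    for t, src, vs, n in correlate(SYSLOG_SAMPLE, ACCESS_SAMPLE):
        print(f"{t:%H:%M:%S} {vs}: {n} requests from {src} in the 60 s before the crash")
```

Run against exported logs, the two checks answer different questions: restart_storm tells you bd is cycling (whatever the cause), while correlate tells you whether a single source was hammering the virtual server right before each crash, which is what separates this vulnerability from an unrelated bd fault.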


Mitigation

  • Upgrade to a fixed BIG-IP version as provided by F5
  • Ensure Advanced WAF / ASM policies are reapplied and verified after the upgrade
  • Monitor bd process stability after patching (restart counts in the logs, new core files under /shared/core)
  • Rate-limit excessive concurrent requests where feasible, for example with a virtual-server connection limit or a DoS protection profile in front of the WAF policy

Official Patch / Upgrade Link


CVE-2026-20732

BIG-IP Configuration Utility — UI Spoofing (Administrative Deception)


Product Details

  • Product: F5 BIG-IP
  • Component: Configuration Utility (TMUI)
  • Attack Vector: Network
  • Authentication Required: Yes
  • User Interaction: Required (Administrator)

Vulnerability Overview

A user interface spoofing vulnerability exists within the BIG-IP Configuration Utility. Under specific conditions, crafted input can cause misleading or spoofed error messages to be displayed within the administrative interface.

The vulnerability does not alter backend configuration. It affects how information is rendered to authenticated administrators: the crafted message appears inside a genuine Configuration Utility page served from the BIG-IP's own origin, so neither the URL nor the certificate distinguishes it from a real system notification. Administrators may therefore be deceived into believing that an error or warning originated from the system itself when it did not.

This vulnerability primarily affects trust in the management interface rather than system integrity.


Impact

  • Administrative deception
  • Potential misconfiguration due to misleading UI messages
  • Increased risk of social-engineering-assisted attacks
  • No direct privilege escalation or code execution

Exploitation Details (Educational)

Exploitation requires an authenticated administrator to access a specially crafted URL while logged into the Configuration Utility. The crafted request manipulates how messages are rendered, resulting in false system notifications.

The attacker must first convince an administrator to click or visit the malicious link. This makes the vulnerability unsuitable for automated exploitation but relevant in targeted or phishing-based attack scenarios.


Proof of Concept / Exploit Availability

  • No public proof-of-concept code is available.
  • No active exploitation has been observed.
  • Exploitation remains plausible in targeted attacks involving social engineering.
  • Details are provided strictly for defensive awareness.

Detection and Monitoring

Log Sources

  • BIG-IP Configuration Utility access logs
  • Authentication and session logs
  • Audit logs for administrative actions

Indicators of Suspicious Activity

  • Management UI requests containing unexpected parameters
  • External referrers accessing the admin interface
  • Administrative actions immediately following unusual page loads

Detection Queries

Suspicious Admin UI Access

index=bigip_logs sourcetype=tmui_access uri="/tmui/*"
| rex field=uri "\?(?<query>.*)$"
| where isnotnull(query)
| eval query_dec=urldecode(urldecode(query))
| where len(query) > 512 OR match(query_dec, "(?i)[<>\n\r]|javascript:")
| stats count, values(uri) AS uris BY src_ip, user

Nearly every TMUI request carries a query string, so matching on the presence of one alone is noise. This version keeps only query strings that are unusually long or that, after double URL-decoding, contain markup, line breaks or a javascript: scheme, which are the usual carriers of injected UI text.

Admin Action Following Unusual Page Load

index=bigip_logs ((sourcetype=tmui_access uri="/tmui/*") OR config_change=true)
| transaction user maxspan=2m startswith="sourcetype=tmui_access" endswith="config_change=true"
| table _time, user, src_ip, uri, action

Each transaction is a page load in the Configuration Utility followed, within two minutes, by a configuration change from the same user; review the uri of the opening event for anything an administrator would not normally visit.

External Referrer Detection

index=bigip_logs sourcetype=tmui_access uri="/tmui/*"
| rex field=referer "^https?://(?<ref_host>[^/:]+)"
| where isnotnull(ref_host) AND ref_host!="internal-domain"
| stats count BY src_ip, user, ref_host

Replace internal-domain with the hostname administrators use to reach the Configuration Utility. Comparing the extracted host rather than the whole referer string prevents an attacker from satisfying the filter by placing that name in the path of an external URL; requests with no referer at all are deliberately excluded, since direct navigation is the normal case.
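The three indicators above (unexpected query parameters, external referrers, and an administrative action shortly after an unusual page load) can be checked offline against exported logs. The following Python script is an added example, not the advisory's or F5's own tooling. It assumes an Apache "combined"-style access log for the Configuration Utility, an audit log reduced to "ISO-timestamp user action", a placeholder trusted hostname, and placeholder /tmui/ paths; the sample lines are constructed and the 512-character length threshold is an assumption to tune per environment.

```python
import re
from datetime import datetime, timedelta
from urllib.parse import unquote, urlsplit

# Assumption: an Apache "combined"-style access log for the Configuration Utility:
#   src_ip ident user [timestamp] "METHOD URI PROTO" status bytes "referer"
ACCESS_RE = re.compile(
    r'^(?P<src>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<uri>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<ref>[^"]*)"$'
)
# Markup or line breaks in a query string are the usual carriers of injected UI text.
MARKUP_RE = re.compile(r"[<>\r\n]|javascript:", re.I)
MAX_QUERY = 512  # assumed threshold for "unusually long"; tune per environment
TRUSTED_HOSTS = {"bigip1.corp.example"}  # placeholder: hostnames admins use for TMUI


def suspicious_query(uri: str) -> bool:
    """True if a /tmui/ URI carries markup, line breaks or an oversized query string."""
    if not uri.startswith("/tmui/"):
        return False
    query = urlsplit(uri).query
    if not query:
        return False
    decoded = unquote(unquote(query))  # double-decode to catch %253C-style encoding
    return len(query) > MAX_QUERY or bool(MARKUP_RE.search(decoded))


def external_referer(referer: str, trusted_hosts=TRUSTED_HOSTS) -> bool:
    """True if a referer is present and its host is not a trusted TMUI hostname."""
    if not referer or referer == "-":
        return False
    host = (urlsplit(referer).hostname or "").lower()
    return host not in trusted_hosts


def parse_access(lines):
    for line in lines:
        m = ACCESS_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["time"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
            yield rec


def flag_requests(lines, trusted_hosts=TRUSTED_HOSTS):
    """Return access records that trip at least one indicator, with the reasons that fired."""
    flagged = []
    for rec in parse_access(lines):
        reasons = []
        if suspicious_query(rec["uri"]):
            reasons.append("suspicious-query")
        if external_referer(rec["ref"], trusted_hosts):
            reasons.append("external-referer")
        if reasons:
            flagged.append({**rec, "reasons": reasons})
    return flagged


def actions_after(flagged, audit_lines, window=timedelta(minutes=2)):
    """Pair each flagged request with configuration changes by the same user within `window`.

    Assumption: audit lines reduced to "ISO-timestamp user action-text".
    """
    audit = []
    for line in audit_lines:
        ts, user, action = line.split(" ", 2)
        audit.append((datetime.fromisoformat(ts), user, action))
    pairs = []
    for rec in flagged:
        for t, user, action in audit:
            if user == rec["user"] and rec["time"] < t <= rec["time"] + window:
                pairs.append((rec["uri"], user, action))
    return pairs


# Constructed sample data (not real BIG-IP output); the /tmui/ paths are placeholders.
ACCESS_SAMPLE = [
    '10.0.0.5 - admin [04/Mar/2026:10:20:01 +0000] "GET /tmui/placeholder/settings.jsp HTTP/1.1" 200 8812 "https://bigip1.corp.example/tmui/"',
    '10.0.0.5 - admin [04/Mar/2026:10:20:40 +0000] "GET /tmui/placeholder/page.jsp?note=%3Cb%3ELicense%20error%3A%20re-enter%20credentials%3C%2Fb%3E HTTP/1.1" 200 2210 "https://mail.example.net/"',
    '10.0.0.9 - operator [04/Mar/2026:10:22:05 +0000] "GET /tmui/placeholder/list.jsp?page=2 HTTP/1.1" 200 5120 "-"',
]
AUDIT_SAMPLE = [
    "2026-03-04T10:21:10+00:00 admin modify ltm virtual vs_app_https",
    "2026-03-04T10:22:30+00:00 operator modify ltm pool pool_app",
    "2026-03-04T10:30:00+00:00 admin modify sys ntp",
]

if __name__ == "__main__":
    hits = flag_requests(ACCESS_SAMPLE)
    for rec in hits:
        print(rec["user"], rec["src"], rec["uri"], rec["reasons"])
    for uri, user, action in actions_after(hits, AUDIT_SAMPLE):
        print(f"{user} changed configuration within 2 min of loading {uri}: {action}")
```

In the constructed sample, only the second request is flagged, on both counts: its query string decodes to markup and it was reached from a webmail referrer, which is the shape of the phishing scenario described above. The admin's configuration change 30 seconds later is then paired with it, which is the event to pull into an investigation.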

Mitigation

  • Upgrade BIG-IP to a fixed version
  • Restrict access to the Configuration Utility to trusted management networks (management interface and httpd allow list), and never expose it to the internet
  • Enforce multi-factor authentication for administrators
  • Educate administrators to distrust unexpected error messages, particularly after following a link into the Configuration Utility, and to verify the reported condition independently (for example in tmsh or the system logs) before changing configuration

Official Patch / Upgrade Link


Aegiron

Backed by 11+ years in cybersecurity and incident response, we decode the latest threats shaping today’s digital battlefield. This blog cuts through the noise with clear insights on vulnerabilities, emerging exploits, and the cyber news defenders can’t afford to miss.