
5 vulnerabilities in F5’s Central Manager allow account takeover


Five security vulnerabilities have been detected in F5’s Next Central Manager, which could significantly jeopardise network security. The vulnerabilities could allow hackers to gain complete administrative control over the device and establish stealthy accounts on managed assets if exploited. While the company has acknowledged two vulnerabilities, CVE-2024-21793 and CVE-2024-26026, the other three remain undisclosed.

The two critical CVEs allow attackers to access the administrative user interface remotely, bypass authentication mechanisms, and gain complete administrative privileges over the Central Manager. This level of access enables attackers to create new accounts on any managed asset, infiltrating the network with stealthy, unauthorised accounts that go unnoticed by the Central Manager’s monitoring systems.

Attackers can exploit these vulnerabilities by executing remote code, injecting malicious queries into OData filters, and manipulating device configurations through SQL injection attacks. These techniques grant unauthorised access and facilitate the creation of hidden accounts that remain undetected within the system, providing attackers with persistent access and control.

Source: Eclypsium

In addition to the identified CVEs, researchers uncovered several other security risks within F5’s Next Central Manager:

  • Undocumented API for SSRF attacks: An undocumented API allows attackers to perform server-side request forgery (SSRF) attacks, enabling them to call API methods on managed devices and create covert accounts outside the Central Manager’s visibility. This means that even if the system administrator resets the admin password in the Central Manager and patches the system, attackers’ access can persist.
  • Inadequate password hashing: The Central Manager hashes passwords with bcrypt at a cost factor of 6, which makes brute-force attacks on administrative passwords far cheaper and can lead to unauthorised account access. A cost of 6 is low by modern standards, meaning each hash computation requires little processing power. As a result, attackers with sufficient resources (researchers estimate somewhere between $40,000 and $50,000 in this case) can use specialised hardware or cloud computing services to attempt millions of password guesses per second, raising the likelihood of cracking the hashed passwords through brute force.
  • Authentication bypass: A critical flaw allows an administrator's password to be reset without authentication and without knowledge of the current password, paving the way for account takeover and denial-of-service attacks.
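The password-hashing finding above is one that defenders can check for directly: a bcrypt hash carries its cost factor in its modular-crypt prefix (`$2b$06$...`), so stored hashes can be audited against a policy without knowing any password. The following is an added example written for this article, not code from F5 or from the Eclypsium researchers; the account records and hash bodies are constructed placeholders, and the minimum cost of 10 is an assumed policy value.

```python
import re
from typing import Dict, List, Optional

# bcrypt modular-crypt format: $<version>$<2-digit cost>$<22-char salt><31-char hash>
# Valid bcrypt costs are 4..31; the cost is log2 of the number of key-expansion rounds.
BCRYPT_RE = re.compile(r"^\$(2[abxy]?)\$(\d{2})\$([./A-Za-z0-9]{53})$")

# Assumed policy threshold for this example (not taken from the article or from F5).
MIN_COST = 10

# Constructed placeholder body: 22 salt chars + 31 hash chars, drawn from the bcrypt
# base64 alphabet. It is NOT a real hash of any password.
PLACEHOLDER_BODY = "abcdefghijklmnopqrstuv" + "ABCDEFGHIJKLMNOPQRSTUVWXYZ01234"

# Constructed sample account table standing in for a dumped credential store.
SAMPLE_ACCOUNTS = [
    {"user": "admin",   "hash": "$2b$06$" + PLACEHOLDER_BODY},   # cost 6, like the finding
    {"user": "auditor", "hash": "$2b$12$" + PLACEHOLDER_BODY},   # cost 12, acceptable
    {"user": "svc",     "hash": "$2a$04$" + PLACEHOLDER_BODY},   # cost 4, bcrypt minimum
    {"user": "legacy",  "hash": "5f4dcc3b5aa765d61d8327deb882cf99"},  # not bcrypt at all
]


def parse_bcrypt(hash_str: str) -> Optional[Dict[str, object]]:
    """Return {'version', 'cost'} for a well-formed bcrypt string, else None."""
    m = BCRYPT_RE.match(hash_str)
    if not m:
        return None
    cost = int(m.group(2))
    if not 4 <= cost <= 31:
        return None
    return {"version": m.group(1), "cost": cost}


def relative_work(cost_a: int, cost_b: int) -> int:
    """How many times more expensive one guess is at cost_b than at cost_a.

    bcrypt runs 2**cost rounds, so the ratio is 2**(cost_b - cost_a);
    e.g. moving from cost 6 to cost 12 multiplies attacker effort by 64.
    """
    return 2 ** (cost_b - cost_a)


def audit_hashes(accounts: List[Dict[str, str]], min_cost: int = MIN_COST) -> List[Dict[str, object]]:
    """Return one finding per account whose stored hash does not meet policy.

    Accounts that parse as bcrypt at or above min_cost produce no finding.
    """
    findings: List[Dict[str, object]] = []
    for acct in accounts:
        parsed = parse_bcrypt(acct["hash"])
        if parsed is None:
            findings.append({"user": acct["user"], "cost": None,
                             "problem": "not a bcrypt hash; re-hash on next login"})
            continue
        cost = int(parsed["cost"])
        if cost < min_cost:
            factor = relative_work(cost, min_cost)
            findings.append({"user": acct["user"], "cost": cost,
                             "problem": f"cost {cost} below policy {min_cost}; "
                                        f"attacker effort per guess is {factor}x lower"})
    return findings


if __name__ == "__main__":
    for f in audit_hashes(SAMPLE_ACCOUNTS):
        print(f"{f['user']:<8} cost={f['cost']}  {f['problem']}")
```

Running the audit on the constructed table flags `admin` (cost 6, 16x cheaper per guess than the assumed policy of 10), `svc` (cost 4) and `legacy` (not bcrypt), while `auditor` at cost 12 passes. The same parser can be pointed at a real credential dump or at application configuration to confirm that a patched release actually raised the work factor; raising the cost only affects hashes written after the change, so existing accounts need a forced re-hash at next login.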

“These weaknesses can be used in a variety of potential attack paths. At a high level, attackers can remotely exploit the UI to gain administrative control of the Central Manager. Change passwords for accounts on the Central Manager. But most importantly, attackers could create hidden accounts on any downstream device controlled by the Central Manager,” the researchers said.

F5 has addressed the two acknowledged CVEs by releasing software version 20.2.0, which contains fixes for them. However, the other three flaws remain unfixed. The researchers recommend that organisations upgrade to the most recent version promptly to reduce the risk of exploitation. Beyond patching, strict access controls, routine security assessments, and the adoption of zero-trust principles can significantly improve the overall security posture of network infrastructure.


Kumar Hemant

Deputy Editor at Candid.Technology. Hemant writes at the intersection of tech and culture and has a keen interest in science, social issues and international relations.