#VU96041 Overly restrictive account lockout mechanism in BIG-IP Next Central Manager - CVE-2024-37028

Cybersecurity Help s.r.o.

Published: 2024-08-15

Vulnerability identifier: #VU96041

Vulnerability risk: Medium

CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2024-37028

CWE-ID: CWE-645

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
BIG-IP Next Central Manager
Web applications / Remote management & hosting panels

Vendor: F5 Networks

Description

The vulnerability allows a remote attacker to lock out other users.

The vulnerability exists due to usage of an overly restrictive account lockout mechanism in the webUI. A remote attacker can send specially crafted requests and lock out an account that has never been logged in.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

BIG-IP Next Central Manager: 20.0.0 - 20.2.0

External links
https://my.f5.com/manage/s/article/K000139938

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Overly restrictive account lockout mechanism in F5 BIG-IP Next Central Manager webUI