VYPR
Critical severity 9.8 · NVD Advisory · Published Jan 12, 2016 · Updated May 6, 2026

CVE-2015-8611

Description

BIG-IP platforms fail to synchronize passwords with the AOM subsystem, allowing remote attackers to gain login access using expired or default passwords.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

BIG-IP LTM, AAM, AFM, Analytics, APM, ASM, DNS, Link Controller, and PEM version 12.0.0 (prior to HF1) running on the 2000, 4000, 5000, 7000, and 10000 platforms do not properly sync passwords with the Always-On Management (AOM) subsystem [1]. This flaw means that even after an administrator changes the main system password, the AOM may retain the old or default password, leaving an authentication bypass vector open.

Exploitation

An attacker with network access to the AOM interface can attempt to log in using either an expired password that was previously set on the system or the default password that shipped with the platform. No credentials beyond those guesses are required, and no user interaction on the target is needed [1].

Impact

Successful exploitation grants the attacker login access to the AOM subsystem, which operates independently of the main operating system and provides low-level management capabilities. This can lead to full compromise of the BIG-IP device's management plane, allowing an attacker to alter configuration, disrupt services, or maintain persistent access [1].

Mitigation

F5 released BIG-IP 12.0.0 HF1 to address this issue [1]. Administrators should upgrade to the fixed version immediately. If upgrading is not possible, restricting network access to the AOM interface via firewall rules or IP allow lists can reduce the attack surface. No other workarounds are documented in the available reference [1].

AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
