CVE-2024-21793 and CVE-2024-26026 Detection: Exploitation of Critical F5 Central Manager Vulnerabilities Can Lead to Full System Compromise

Defenders have disclosed critical cybersecurity issues in F5’s Next Central Manager, which are tracked as CVE-2024-21793 and CVE-2024-26026, giving potential adversaries the green light to seize control over the impacted installation. Upon successful exploitation, hackers can create accounts on any F5 assets to establish persistence and perform further malicious activities.

Detecting CVE-2024-21793 & CVE-2024-26026 Exploits

The latest critical flaws revealed in F5’s Next Central Manager pose a great menace to cyber defenders globally, as potential consequences of in-the-wild exploitation might be devastating. With 49 out of Fortune 50 companies and 85% of Fortune 500 businesses relying on F5’s enterprise networking infrastructure, it is vital to spot malicious activity on time and defend proactively. SOC Prime Platform for collective cyber defense offers a set of curated Sigma rules to detect possible exploitation attempts for CVE-2024-21793 and CVE-2024-26026. 

All the rules are compatible with 30+ SIEM, EDR, and Data Lake platforms and mapped to MITRE ATT&CK® v14.1. To smooth out threat investigation, detections are enriched with relevant CTI links, ATT&CK references, and other useful metadata. Just hit the Explore Detections button below and immediately drill down to a dedicated rule set.

Explore Detections

To boost threat hunting efficiency and secure organizational infrastructure, cyber defenders can dive into the entire detection stack aimed at vulnerability exploit detection. By browsing Threat Detection Marketplace with “CVE” tag, security professionals might explore 1,200+ curated Sigma rules, with new detections for trending threats added under a 24-hour SLA. 

CVE-2024-21793 and CVE-2024-26026 Analysys

Eclypsium inquiry unveils two security bugs in F5’s Next Central Manager, enabling adversaries to reach full device takeover. Following successful exploitation, accounts under attacker control persist invisibly within the Next Central Manager interface, facilitating ongoing malicious activities within the compromised system. 

CVE-2024-21793 is an OData injection vulnerability, while another recently identified flaw in the BIG-IP Next Central Manager API is an SQL injection issue tracked as CVE-2024-26026. By weaponizing CVE-2024-21793, hackers can extract sensitive data, thereby escalating their privileges. This particular security flaw manifests only when LDAP is enabled. As for CVE-2024-26026, the flaw appears in any device configuration, facilitating its exploitation directly to evade authentication measures. Both flaws reach the CVSS score of 7.5 and enable unauthenticated parties to perform harmful SQL statements.

The issues in the spotlight affect Next Central Manager versions ranging from 20.0.1 to 20.1.0. As for CVE-2024-21793 and CVE-2024-26026 mitigation measures, the vendor strongly recommends that F5 clients upgrade to the latest software version 20.2.0, which addresses the issues. 

As popular solutions like F5 BIG-IP are highly coveted targets for attackers, defenders should remain exceptionally vigilant and ultra-responsive. It’s highly recommended for organizations to apply stringent access controls following zero-trust principles. Rely on SOC Prime Platform for collective cyber defense based on global threat intelligence, crowdsourcing, zero-trust, and AI to address any cyber attack or emerging threat in under 24 hours and strengthen your cybersecurity posture.