Rapid7 disclosed Remote Code Execution vulnerability in F5 BIG-IP and iControl REST

Yesterday repid7 discovered many vulnerability in F5 BIG-IP and BIG-IQ devices running with its own CentOS version and affected the following product
CVE-2022-41622: BIG-IP and BIG-IQ are vulnerable to unauthenticated remote code execution via cross-site request forgery (CSRF)
CVE-2022-41800: Appliance mode iControl REST is vulnerable to authenticated remote code execution via RPM spec injection

F5, Inc. is an American technology company specializing in application security, multi-cloud management, online fraud prevention, application delivery networking (ADN), application availability & performance, network security, and access & authorization
F5's originally offered application delivery controller (ADC) technology, but expanded into application layer, automation, multi-cloud, and security services. As ransomware, data leaks, DDoS, and other attacks on businesses of all sizes are arising, companies such as F5 have continued to reinvent themselves. While the majority of F5's revenue continues to be attributed to their hardware products such as the BIG-IP iSeries systems, the company has begun to offer additional modules on their proprietary operating system, TMOS (Traffic Management Operating System.)
"We believe that widespread exploitation of the issues in this disclosure is unlikely. That being said, by successfully exploiting the worst of the vulnerabilities (CVE-2022-41622), an attacker could gain persistent root access to the device's management interface (even if the management interface is not internet-facing). However, that would require a confluence of factors to actually be exploitable (an administrator with an active session would need to visit a hostile website, and an attacker would have to have some knowledge of the target network).

Most of the remaining vulnerabilities are relatively minor, and require the attacker to already have some level of access to the target device. They are more likely to be leveraged as part of an exploit chain to exacerbate more serious vulnerabilities.

At time of publishing, F5 was not aware of any exploitation of these vulnerabilities." Repid7 mention in its post
These vulnerabilities were discovered and documented by Ron Bowes, Lead Security Researcher at Rapid7. They are being disclosed in accordance with Rapid7’s vulnerability disclosure policy.