
New BIG-IP Next Central Manager bugs allow device takeover


Jasper_The_Rasper
Moderator

May 8, 2024 By Sergiu Gatlan

 

F5

F5 has fixed two high-severity BIG-IP Next Central Manager vulnerabilities, which can be exploited to gain admin control and create hidden rogue accounts on any managed assets.

Next Central Manager allows administrators to control on-premises or cloud BIG-IP Next instances and services via a unified management user interface.

The flaws are an SQL injection vulnerability (CVE-2024-26026) and an OData injection vulnerability (CVE-2024-21793) found in the BIG-IP Next Central Manager API that would allow unauthenticated attackers to execute malicious SQL statements on unpatched devices remotely.

SQL injection attacks involve injecting malicious SQL queries into input fields or parameters in database queries. This exploits vulnerabilities in the application's security and allows unintended SQL commands to execute, resulting in unauthorized access, data breaches, and system takeovers.

 

>> Full Article <<
