CVE-2021-23026: 
F5 BIG-IP Advanced Firewall Manager vulnerability analysis and mitigation

CVE-2021-23026 is a cross-site request forgery (CSRF) vulnerability affecting F5's BIG-IP and BIG-IQ devices through iControl SOAP. The vulnerability affects BIG-IP versions 16.0.x before 16.0.1.2, 15.1.x before 15.1.3, 14.1.x before 14.1.4.2, 13.1.x before 13.1.4.1, and all versions of 12.1.x and 11.6.x, as well as BIG-IQ versions 8.x, 7.x, and 6.x. The vulnerability was disclosed in August 2021 (Hacker News).

The vulnerability has been assigned a CVSS v3.1 base score of 8.8 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H. Under CVSS v2.0, it received a score of 6.8 (MEDIUM) with the vector (AV:N/AC:M/Au:N/C:P/I:P/A:P). The vulnerability is classified as CWE-352 (Cross-Site Request Forgery) (NVD).

When successfully exploited, this CSRF vulnerability could allow attackers to perform unauthorized actions through the iControl SOAP interface. The high CVSS score indicates potential severe impacts on confidentiality, integrity, and availability of the affected systems (Bleeping Computer).

F5 has released patches to address this vulnerability in versions 16.1.0, 16.0.1.2, 15.1.3, 14.1.4.2, and 13.1.4.1. Organizations using affected versions should upgrade to the patched versions. For BIG-IQ systems, users should upgrade to newer versions as no direct patches were provided for the affected versions (Bleeping Computer).

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued a notification about the vulnerability, encouraging users and administrators to review F5's security advisory and implement the necessary updates or mitigations (Bleeping Computer).