
CVE-2021-22991: Critical Vulnerability in F5 BIG-IP Traffic Management Microkernel

CVE-2021-22991 exposes F5 BIG-IP products to a critical buffer overflow vulnerability. Attackers could exploit this to achieve remote code execution or denial of service. Immediate patching is essential.

Severity: CRITICAL · Known Exploited · CVSS 9.8 · Published March 31, 2021


CVE-2021-22991 is a critical vulnerability in F5's BIG-IP Traffic Management Microkernel (TMM). Undisclosed requests to a virtual server are handled incorrectly by TMM's URI normalization, and on affected BIG-IP versions this can trigger a buffer overflow, potentially leading to a denial of service (DoS). In some scenarios it may also allow attackers to bypass URL-based access controls or execute arbitrary code remotely.

With a CVSS score of 9.8, this vulnerability is categorized as critical. The severe impact on confidentiality, integrity, and availability necessitates immediate action from organizations using the affected F5 products.

This vulnerability affects several release branches of F5 BIG-IP, specifically versions older than the fixed releases listed under Vulnerability Details and Affected Versions below. Organizations should therefore prioritize updating their systems to mitigate this risk.

Given the potential for exploitation, organizations must act swiftly to apply the necessary patches, as exploitation is not theoretical and could lead to significant operational disruptions.

Vulnerability Details

The official description of this vulnerability states that on BIG-IP versions 16.0.x before 16.0.1.1, 15.1.x before 15.1.2.1, 14.1.x before 14.1.4, 13.1.x before 13.1.3.6, and 12.1.x before 12.1.5.3, undisclosed requests to a virtual server may be incorrectly handled by the Traffic Management Microkernel (TMM) URI normalization, potentially leading to a buffer overflow.

The vulnerability is classified under CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer), the weakness class that covers buffer overflows. Organizations are urged to review their deployments for affected versions and take immediate corrective action.

Technical Analysis

The root cause of CVE-2021-22991 is TMM's improper handling of certain requests during URI normalization. The attack vector is network-based and the attack complexity is low. No user interaction is needed, and no privileges are required to initiate the attack.

If exploited, the impacts on confidentiality, integrity, and availability are all rated as high. This means that attackers could potentially gain unauthorized access to sensitive information, alter this information, and disrupt service availability.

Risk & Impact Analysis

Risk to organizations includes potential data breaches, service disruptions, and loss of operational control. The criticality of this vulnerability, combined with its ease of exploitation, means that organizations must assess their exposure and respond appropriately.

The urgency for patching is elevated, as the vulnerability is included in the Known Exploited Vulnerabilities (KEV) catalog, indicating that exploitation is actively occurring in the wild. Organizations should prioritize this in their patch cycles to prevent potential breaches.

Signal              Status
Known Exploit       Yes
Public PoC          No
Actively Exploited  Yes
Ransomware Use      No

Affected Versions

Within each affected branch, all versions of F5 BIG-IP older than the following fixed releases are affected: 16.0.1.1 (16.0.x), 15.1.2.1 (15.1.x), 14.1.4 (14.1.x), 13.1.3.6 (13.1.x), and 12.1.5.3 (12.1.x).
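A practitioner checking a fleet wants the branch-by-branch comparison above as code rather than as a sentence. The following is an added example, not code from the page or from F5: it encodes the fixed releases listed here, compares a version string against the fixed release of its own branch (padding short versions with zeros so 14.1.4 and 14.1.4.0 compare equal), and reports branches the advisory does not name as "not-in-advisory" rather than guessing. The `version_from_tmsh` helper and its sample input are assumptions about the shape of `tmsh show sys version` output; the sample is constructed, not captured from a device.

```python
import re
from typing import Dict, Optional, Tuple

# Fixed releases per affected branch, taken from the advisory text on this page.
# Key: (major, minor) branch; value: first fixed version in that branch.
FIXED_VERSIONS: Dict[Tuple[int, int], Tuple[int, ...]] = {
    (16, 0): (16, 0, 1, 1),
    (15, 1): (15, 1, 2, 1),
    (14, 1): (14, 1, 4),
    (13, 1): (13, 1, 3, 6),
    (12, 1): (12, 1, 5, 3),
}


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn a dotted BIG-IP version string such as '15.1.2' into a tuple of ints."""
    parts = text.strip().split(".")
    if len(parts) < 2 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {text!r}")
    return tuple(int(p) for p in parts)


def _pad(v: Tuple[int, ...], width: int) -> Tuple[int, ...]:
    # Right-pad with zeros so 14.1.4 and 14.1.4.0 compare as equal.
    return v + (0,) * (width - len(v))


def assess(version: str) -> str:
    """Return 'affected', 'fixed' or 'not-in-advisory' for one version string."""
    v = parse_version(version)
    fixed = FIXED_VERSIONS.get((v[0], v[1]))
    if fixed is None:
        # Branch not named in the advisory on this page (for example 11.x or 17.x):
        # this check cannot say anything about it, so report that explicitly.
        return "not-in-advisory"
    width = max(len(v), len(fixed))
    return "affected" if _pad(v, width) < _pad(fixed, width) else "fixed"


# Assumed shape of the "Version  15.1.2" line in `tmsh show sys version` output.
_VERSION_LINE = re.compile(r"^\s*Version\s+(\d+(?:\.\d+)+)\s*$", re.MULTILINE)


def version_from_tmsh(output: str) -> Optional[str]:
    """Extract the product version from `tmsh show sys version` output, or None."""
    m = _VERSION_LINE.search(output)
    return m.group(1) if m else None


# Constructed sample in the assumed shape of `tmsh show sys version` output
# (not captured from a real device).
SAMPLE_TMSH_OUTPUT = """\
Sys::Version
Main Package
  Product     BIG-IP
  Version     15.1.2
  Build       0.0.9
  Edition     Point Release 2
"""


def assess_tmsh(output: str) -> str:
    """Parse tmsh output and assess the version it reports."""
    version = version_from_tmsh(output)
    if version is None:
        raise ValueError("no Version line found in tmsh output")
    return assess(version)


if __name__ == "__main__":
    for v in ("16.0.1", "16.0.1.1", "15.1.2", "14.1.3.1", "14.1.4", "12.1.5.2", "17.0.0"):
        print(f"{v:>10}  {assess(v)}")
    print("tmsh sample:", assess_tmsh(SAMPLE_TMSH_OUTPUT))
```

The explicit "not-in-advisory" result matters in practice: a branch this advisory does not list is not thereby known to be safe, so the check should never silently report it as fixed.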

Mitigation & Remediation

Organizations should prioritize applying the recommended patches immediately to mitigate the risk associated with this vulnerability. Refer to the vendor advisory for detailed instructions.

Detection Guidance

To detect potential exploitation attempts, organizations should monitor request logs for their virtual servers for anomalous request patterns, in particular malformed or unusually formed request URIs, since the flaw lies in TMM's URI normalization. Such patterns are a trigger for investigation rather than confirmation of exploitation.
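The guidance above is deliberately generic. As an added example (not from the page or from F5), the following script shows one concrete way to act on it: it parses request-log lines and flags requests whose URI is unusually long, unusually heavy in percent-encoding, or full of "." and ".." segments once decoded, the properties URI normalization has to deal with. The one-request-per-line log format, the three thresholds and the sample lines are all assumptions constructed for the example; BIG-IP's native request-logging format is configurable and differs from this, so the regex would need adapting to the deployment's own format.

```python
import re
from typing import Dict, List
from urllib.parse import unquote

# Assumed, simplified request-log format for this example (one request per line):
# <timestamp> <client-ip> <virtual-server> "<METHOD> <uri> HTTP/x.y" <status>
# This is not BIG-IP's native request-logging output.
LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<client>\S+) (?P<vs>\S+) '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) HTTP/\d\.\d" (?P<status>\d{3})$'
)

# Heuristic thresholds: assumed starting values, meant to be tuned per deployment.
MAX_URI_LENGTH = 2048
MAX_PERCENT_ENCODED = 64
MAX_DOT_SEGMENTS = 8

_PCT_RE = re.compile(r"%[0-9A-Fa-f]{2}")
# A "." or ".." path segment, i.e. what URI normalization has to collapse.
_DOT_SEGMENT_RE = re.compile(r"(?:^|/)\.\.?(?=/|$)")


def uri_features(uri: str) -> Dict[str, int]:
    """Measure the properties the heuristic keys on for one request URI."""
    path = uri.split("?", 1)[0]  # normalization acts on the path, not the query
    return {
        "length": len(uri),
        "percent_encoded": len(_PCT_RE.findall(uri)),
        "dot_segments": len(_DOT_SEGMENT_RE.findall(unquote(path))),
    }


def anomaly_reasons(uri: str) -> List[str]:
    """Return the threshold violations for a URI; an empty list means unremarkable."""
    f = uri_features(uri)
    reasons = []
    if f["length"] > MAX_URI_LENGTH:
        reasons.append(f"uri length {f['length']} > {MAX_URI_LENGTH}")
    if f["percent_encoded"] > MAX_PERCENT_ENCODED:
        reasons.append(f"{f['percent_encoded']} percent-encoded bytes > {MAX_PERCENT_ENCODED}")
    if f["dot_segments"] > MAX_DOT_SEGMENTS:
        reasons.append(f"{f['dot_segments']} dot-segments after decoding > {MAX_DOT_SEGMENTS}")
    return reasons


def scan(lines: List[str]) -> List[Dict[str, object]]:
    """Parse log lines and return one finding per request that trips the heuristic."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable lines are skipped here; count them separately in production
        reasons = anomaly_reasons(m["uri"])
        if reasons:
            findings.append({
                "ts": m["ts"], "client": m["client"], "virtual_server": m["vs"],
                "uri_preview": m["uri"][:60], "reasons": reasons,
            })
    return findings


# Constructed sample log lines (not real traffic). Two are ordinary; two have the
# kind of shape the heuristic is meant to surface for analyst review.
SAMPLE_LOG = [
    '2021-04-01T10:00:01Z 203.0.113.10 /Common/vs_web "GET /index.html HTTP/1.1" 200',
    '2021-04-01T10:00:02Z 203.0.113.11 /Common/vs_web "GET /search?q=hello%20world HTTP/1.1" 200',
    '2021-04-01T10:00:03Z 198.51.100.7 /Common/vs_web "GET /a/' + "%2e%2e/" * 100 + 'x HTTP/1.1" 400',
    '2021-04-01T10:00:04Z 198.51.100.8 /Common/vs_web "GET /static/' + "x" * 2100 + ' HTTP/1.1" 404',
]


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding["ts"], finding["client"], finding["virtual_server"], finding["reasons"])
```

A finding here is a prompt to look at the client, the virtual server and the surrounding traffic, not evidence that the overflow was triggered; TMM crash or restart events on the device itself are the stronger availability signal and should be correlated with these log hits.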

AppSecure Threat Intelligence Insight

CVE-2021-22991 exemplifies the critical nature of buffer overflow vulnerabilities in network-facing products. Organizations must remain vigilant and ensure timely updates to safeguard against these threats. Engaging in proactive security measures such as regular penetration testing can help identify vulnerabilities before they can be exploited.

This incident underscores the importance of a robust vulnerability management program. Security teams should consider reviewing their security posture against similar vulnerabilities regularly and prioritize training and awareness for developers and operations teams.

For further guidance on improving application security, organizations can refer to best practices outlined in our resources.

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
