
CVE-2022-41787: High Vulnerability in F5 BIG-IP

A high-severity vulnerability in F5 BIG-IP DNS can lead to TMM termination under specific conditions. Organizations must address this issue to avoid potential downtime.

HIGH · CVSS 7.5 · Published October 19, 2022


CVE-2022-41787 is a high-severity vulnerability affecting F5 BIG-IP. This vulnerability allows undisclosed DNS queries with DNSSEC to terminate the Traffic Management Microkernel (TMM) when the DNS profile is configured on a virtual server with DNS Express enabled. Organizations using versions 17.0.x before 17.0.0.1, 16.1.x before 16.1.3.1, 15.1.x before 15.1.6.1, 14.1.x before 14.1.5.1, and 13.1.x before 13.1.5.1 are at risk.

The CVSS score of 7.5 indicates a high severity level, signifying the potential for significant impact on availability. This means that successful exploitation could lead to unexpected service disruptions.

Risk to organizations includes downtime and possible data loss, making it imperative for affected entities to take action. Organizations should prioritize patching immediately.

Currently, there are no known exploits or public proofs of concept available for this vulnerability, but organizations should remain vigilant.

F5 has published remediation steps, which are essential for mitigating this vulnerability effectively.

Vulnerability Details

The vulnerability is classified under CWE-476, which indicates a null pointer dereference. The potential impact is primarily on the availability of the service provided by the affected BIG-IP versions.

The affected products include the BIG-IP Domain Name System and BIG-IP Local Traffic Manager. The vulnerability exists in multiple versions of these products, necessitating immediate attention from organizations using them.

F5's advisory provides detailed information about the specific versions vulnerable and the necessary patches to resolve this issue.

Technical Analysis

CVE-2022-41787 stems from improper handling of DNS queries when DNSSEC is enabled. The attack vector is network-based, meaning that attackers do not need physical access to the system to exploit this vulnerability.

The attack complexity is classified as low, indicating that an attacker can exploit this vulnerability without needing to overcome significant barriers. No user interaction is required, making it easier for attackers to leverage this vulnerability.

In terms of impact, the availability is significantly affected, as the TMM termination leads to service outages. There is no impact on confidentiality or integrity, as the vulnerability does not expose or alter data.

Risk & Impact Analysis

Deployment of the affected F5 BIG-IP products in production environments poses a considerable risk. Organizations relying on these systems for critical operations face potential service disruptions, which could lead to financial losses and reputational damage.

The blast radius of this vulnerability is broad, as it affects multiple versions across different F5 components. Organizations need to assess their deployment strategies and ensure that they are running supported versions.

Given the CVSS score and the potential for availability impact, organizations should address this vulnerability in their priority patch cycle.

Exploitation Status

| Signal | Status |
| --- | --- |
| Known Exploit | No |
| Public PoC | No |
| Actively Exploited | No |
| Ransomware Use | No |

Affected Versions

The following versions of F5 BIG-IP are affected by CVE-2022-41787: 17.0.x before 17.0.0.1, 16.1.x before 16.1.3.1, 15.1.x before 15.1.6.1, 14.1.x before 14.1.5.1, and 13.1.x before 13.1.5.1.
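The version ranges above, written as a check that can be run over an asset inventory. This is an added example, not code from F5 or AppSecure; the host names and inventory values are constructed, and branches not named on this page are reported as "not-listed" rather than guessed.

```python
# Added example: first fixed release per branch, from the version list above.
FIXED = {
    (17, 0): (17, 0, 0, 1),
    (16, 1): (16, 1, 3, 1),
    (15, 1): (15, 1, 6, 1),
    (14, 1): (14, 1, 5, 1),
    (13, 1): (13, 1, 5, 1),
}

def parse_version(text):
    """Turn '16.1.3' or '16.1.3.1' into a 4-tuple, padding missing parts with 0."""
    parts = text.strip().split(".")
    if not 2 <= len(parts) <= 4 or not all(p.isdecimal() for p in parts):
        raise ValueError(f"unrecognised version string: {text!r}")
    nums = [int(p) for p in parts]
    return tuple(nums + [0] * (4 - len(nums)))

def classify(text):
    """Return 'affected', 'fixed' or 'not-listed' for one BIG-IP version string."""
    version = parse_version(text)
    fixed = FIXED.get(version[:2])
    if fixed is None:
        # Branch is not named on this page; consult F5's advisory for it.
        return "not-listed"
    # Tuple comparison is numeric per component, so 15.1.10 sorts above 15.1.6.1.
    return "affected" if version < fixed else "fixed"

def triage(inventory):
    """Map each host to its status. A version match alone does not prove
    exposure: the issue also requires a DNS profile on a virtual server
    with DNS Express enabled, which must be checked in the configuration."""
    return {host: classify(version) for host, version in inventory.items()}

# Constructed sample inventory (hypothetical host names).
INVENTORY = {
    "bigip-dns-01": "16.1.3",
    "bigip-dns-02": "16.1.3.1",
    "bigip-ltm-01": "15.1.10",
    "bigip-ltm-02": "17.1.0",
}

if __name__ == "__main__":
    for host, status in triage(INVENTORY).items():
        print(f"{host:14} {INVENTORY[host]:10} {status}")
```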

Mitigation & Remediation

F5 has provided patches for each affected version. Organizations should update to the latest version to remediate this vulnerability.

If immediate patching is not feasible, organizations may consider implementing network controls to limit exposure to potentially harmful DNS queries.

Penetration testing can also help identify any existing vulnerabilities and validate the effectiveness of your remediation efforts.

Detection Guidance

Organizations should monitor logs for unusual DNS query patterns that may indicate attempts to exploit this vulnerability. Additionally, behavioral anomalies in TMM operations could signify an ongoing exploitation attempt.

AppSecure Threat Intelligence Insight

CVE-2022-41787 reflects a growing trend of vulnerabilities in network services. Security teams should take this opportunity to review their security posture, especially related to DNS configurations.

As network services continue to evolve, understanding the implications of such vulnerabilities will be crucial for maintaining robust defenses.

For further information on vulnerability management, organizations can refer to our vulnerability management program design guide.

This vulnerability is a reminder of the importance of regular security assessments and the need for organizations to stay informed about the latest threats.

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
