Deserialization of Untrusted Data in F5 BIG-IP DNS

Published: 2022-08-05
Risk Medium
Patch available YES
Number of vulnerabilities 1
CVE-ID CVE-2022-33947
Exploitation vector Network
Public exploit N/A
Vulnerable software
Hardware solutions / Routers & switches, VoIP, GSM, etc

Vendor F5 Networks, Inc.

Security Bulletin

This security bulletin contains one medium risk vulnerability.

1) Deserialization of Untrusted Data

EUVDB-ID: #VU66145

Risk: Medium


CVE-ID: CVE-2022-33947

CWE-ID: CWE-502 - Deserialization of Untrusted Data

Exploit availability: No


The vulnerability allows a remote attacker to compromise the target system.

The vulnerability exists due to insecure input validation when processing serialized data in the Traffic Management User Interface (TMUI). A remote user can cause the Tomcat process to restart and perform unauthorized DNS requests and operations through undisclosed requests.


Install updates from vendor's website.

Vulnerable software versions

BIG-IP DNS: 13.1.0 - 16.1.2

CPE2.3 External links

Q & A

Can this vulnerability be exploited remotely?

How the attacker can exploit this vulnerability?

Is there known malware, which exploits this vulnerability?