CVE-2024-28883 - Vulnerability Details - OpenCVE

An origin validation vulnerability exists in

BIG-IP APM browser network access VPN client

for Windows, macOS and Linux which may allow an attacker to bypass F5 endpoint inspection.

Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

No CVSS v4.0

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00049.

Key SSVC decision points have not yet been added.

Vendors	Products
F5	Big-ip Access Policy Manager Big-ip Access Policy Manager Client Big-ip Apm

Configuration 1 [-]

OR	cpe:2.3:a:f5:big-ip_access_policy_manager::::::::
	cpe:2.3:a:f5:big-ip_access_policy_manager::::::::
	cpe:2.3:a:f5:big-ip_access_policy_manager:17.1.0:::::::*
	cpe:2.3:a:f5:big-ip_access_policy_manager_client::::::::

No data.

OpenCVE Enrichment is a feature of OpenCVE that uses AI to automatically link vendors and products to CVEs. Learn more on GitHub.

Vendors	Products
F5	Big-ip Apm

Fixes

Solution

No solution given by the vendor.

Workaround

No workaround given by the vendor.

References

Link	Providers
https://my.f5.com/manage/s/article/K000138744

History

Wed, 06 Aug 2025 16:00:00 +0000

Type	Values Removed	Values Added
First Time appeared		F5 big-ip Access Policy Manager F5 big-ip Access Policy Manager Client
CPEs		cpe:2.3:a:f5:big-ip_access_policy_manager:::::::: cpe:2.3:a:f5:big-ip_access_policy_manager:17.1.0:::::::* cpe:2.3:a:f5:big-ip_access_policy_manager_client::::::::
Vendors & Products		F5 big-ip Access Policy Manager F5 big-ip Access Policy Manager Client

Wed, 16 Jul 2025 13:45:00 +0000

Type	Values Removed	Values Added
Metrics	epss `{'score': 0.00017}`	epss `{'score': 0.00022}`

MITRE

Status: PUBLISHED

Assigner: f5

Published: 2024-05-08T15:01:24.931Z

Updated: 2024-08-02T01:03:50.247Z

Reserved: 2024-04-24T21:34:20.645Z

Link: CVE-2024-28883

Vulnrichment

Updated: 2024-08-02T01:03:50.247Z

NVD

Status : Analyzed

Published: 2024-05-08T15:15:09.380

Modified: 2025-08-06T15:56:39.557

Link: CVE-2024-28883

Redhat

No data.

OpenCVE Enrichment

Updated: 2025-07-13T11:22:28Z

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-28883", "assignerOrgId": "9dacffd4-cb11-413f-8451-fbbfd4ddc0ab", "state": "PUBLISHED", "assignerShortName": "f5", "dateReserved": "2024-04-24T21:34:20.645Z", "datePublished": "2024-05-08T15:01:24.931Z", "dateUpdated": "2024-08-02T01:03:50.247Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unknown", "platforms": ["Windows", "Linux", "MacOS"], "product": "BIG-IP Edge Client", "vendor": "F5", "versions": [{"lessThan": "7.2.4.4", "status": "affected", "version": "7.2.3", "versionType": "custom"}]}, {"defaultStatus": "unknown", "modules": ["APM"], "product": "BIG-IP", "vendor": "F5", "versions": [{"lessThan": "17.1.1", "status": "affected", "version": "17.1.0", "versionType": "custom"}, {"lessThan": "16.1.4.2", "status": "affected", "version": "16.1.0", "versionType": "custom"}, {"lessThan": "15.1.10.3", "status": "affected", "version": "15.1.0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "F5"}], "datePublic": "2024-05-08T14:00:00.000Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "An origin validation vulnerability exists in \n\n<span style=\"background-color: rgb(255, 255, 255);\">BIG-IP APM browser network access VPN client </span>\n\n\n\n for Windows, macOS and Linux which may allow an attacker to bypass F5 endpoint inspection. \n\n\nNote: Software versions which have reached End of Technical Support (EoTS) are not evaluated."}], "value": "An origin validation vulnerability exists in \n\nBIG-IP APM browser network access VPN client \n\n\n\n for Windows, macOS and Linux which may allow an attacker to bypass F5 endpoint inspection. \n\n\nNote: Software versions which have reached End of Technical Support (EoTS) are not evaluated."}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.4, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-346", "description": "CWE-346 Origin Validation Error", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "9dacffd4-cb11-413f-8451-fbbfd4ddc0ab", "shortName": "f5", "dateUpdated": "2024-05-08T15:01:24.931Z"}, "references": [{"tags": ["vendor-advisory"], "url": "https://my.f5.com/manage/s/article/K000138744"}], "source": {"discovery": "INTERNAL"}, "title": "BIG-IP APM browser network access VPN client vulnerability", "x_generator": {"engine": "F5 SIRTBot v1.0"}}, "adp": [{"affected": [{"vendor": "f5", "product": "big-ip", "cpes": ["cpe:2.3:a:f5:big-ip:*:*:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "17.1.0", "status": "affected"}, {"version": "16.1.0", "status": "affected", "lessThanOrEqual": "16.1.4", "versionType": "custom"}, {"version": "15.1.0", "status": "affected", "lessThanOrEqual": "15.1.10", "versionType": "custom"}]}, {"vendor": "f5", "product": "apm_clients", "cpes": ["cpe:2.3:a:f5:apm_clients:*:*:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "7.2.3", "status": "affected", "lessThanOrEqual": "7.2.4", "versionType": "custom"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-06-04T19:53:38.815787Z", "id": "CVE-2024-28883", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "ADP Container", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-06-04T20:11:20.654Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T01:03:50.247Z"}, "title": "CVE Program Container", "references": [{"tags": ["vendor-advisory", "x_transferred"], "url": "https://my.f5.com/manage/s/article/K000138744"}]}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://my.f5.com/manage/s/article/K000138744", "tags": ["vendor-advisory", "x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T01:03:50.247Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-28883", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2024-06-04T19:53:38.815787Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:f5:big-ip:*:*:*:*:*:*:*:*"], "vendor": "f5", "product": "big-ip", "versions": [{"status": "affected", "version": "17.1.0"}, {"status": "affected", "version": "16.1.0", "versionType": "custom", "lessThanOrEqual": "16.1.4"}, {"status": "affected", "version": "15.1.0", "versionType": "custom", "lessThanOrEqual": "15.1.10"}], "defaultStatus": "unknown"}, {"cpes": ["cpe:2.3:a:f5:apm_clients:*:*:*:*:*:*:*:*"], "vendor": "f5", "product": "apm_clients", "versions": [{"status": "affected", "version": "7.2.3", "versionType": "custom", "lessThanOrEqual": "7.2.4"}], "defaultStatus": "unknown"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-06-04T20:11:05.211Z"}}], "cna": {"title": "BIG-IP APM browser network access VPN client vulnerability", "source": {"discovery": "INTERNAL"}, "credits": [{"lang": "en", "type": "finder", "value": "F5"}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.4, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "F5", "product": "BIG-IP Edge Client", "versions": [{"status": "affected", "version": "7.2.3", "lessThan": "7.2.4.4", "versionType": "custom"}], "platforms": ["Windows", "Linux", "MacOS"], "defaultStatus": "unknown"}, {"vendor": "F5", "modules": ["APM"], "product": "BIG-IP", "versions": [{"status": "affected", "version": "17.1.0", "lessThan": "17.1.1", "versionType": "custom"}, {"status": "affected", "version": "16.1.0", "lessThan": "16.1.4.2", "versionType": "custom"}, {"status": "affected", "version": "15.1.0", "lessThan": "15.1.10.3", "versionType": "custom"}], "defaultStatus": "unknown"}], "datePublic": "2024-05-08T14:00:00.000Z", "references": [{"url": "https://my.f5.com/manage/s/article/K000138744", "tags": ["vendor-advisory"]}], "x_generator": {"engine": "F5 SIRTBot v1.0"}, "descriptions": [{"lang": "en", "value": "An origin validation vulnerability exists in \n\nBIG-IP APM browser network access VPN client \n\n\n\n for Windows, macOS and Linux which may allow an attacker to bypass F5 endpoint inspection. \n\n\nNote: Software versions which have reached End of Technical Support (EoTS) are not evaluated.", "supportingMedia": [{"type": "text/html", "value": "An origin validation vulnerability exists in \n\n<span style=\"background-color: rgb(255, 255, 255);\">BIG-IP APM browser network access VPN client </span>\n\n\n\n for Windows, macOS and Linux which may allow an attacker to bypass F5 endpoint inspection. \n\n\nNote: Software versions which have reached End of Technical Support (EoTS) are not evaluated.", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-346", "description": "CWE-346 Origin Validation Error"}]}], "providerMetadata": {"orgId": "9dacffd4-cb11-413f-8451-fbbfd4ddc0ab", "shortName": "f5", "dateUpdated": "2024-05-08T15:01:24.931Z"}}}, "cveMetadata": {"cveId": "CVE-2024-28883", "state": "PUBLISHED", "dateUpdated": "2024-08-02T01:03:50.247Z", "dateReserved": "2024-04-24T21:34:20.645Z", "assignerOrgId": "9dacffd4-cb11-413f-8451-fbbfd4ddc0ab", "datePublished": "2024-05-08T15:01:24.931Z", "assignerShortName": "f5"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:f5:big-ip_access_policy_manager:*:*:*:*:*:*:*:*", "matchCriteriaId": "B9A5FEFC-6A45-4C91-9CF2-D143C48C9977", "versionEndExcluding": "15.1.10.3", "versionStartIncluding": "15.1.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:f5:big-ip_access_policy_manager:*:*:*:*:*:*:*:*", "matchCriteriaId": "091EC4DB-43EF-4CDA-B52B-9244F5340963", "versionEndExcluding": "16.1.4.2", "versionStartIncluding": "16.1.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:f5:big-ip_access_policy_manager:17.1.0:*:*:*:*:*:*:*", "matchCriteriaId": "0A8D90B7-A1AF-4EFB-B688-1563D81E5C6D", "vulnerable": true}, {"criteria": "cpe:2.3:a:f5:big-ip_access_policy_manager_client:*:*:*:*:*:*:*:*", "matchCriteriaId": "1EA09C18-0CEC-4503-A84B-8B6D93EA11E1", "versionEndExcluding": "7.2.4.4", "versionStartIncluding": "7.2.3", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "An origin validation vulnerability exists in \n\nBIG-IP APM browser network access VPN client \n\n\n\n for Windows, macOS and Linux which may allow an attacker to bypass F5 endpoint inspection. \n\n\nNote: Software versions which have reached End of Technical Support (EoTS) are not evaluated."}, {"lang": "es", "value": "Existe una vulnerabilidad de validaci\u00f3n de origen en el cliente VPN de acceso a la red del navegador BIG-IP APM para Windows, macOS y Linux que puede permitir a un atacante eludir la inspecci\u00f3n del endpoint F5. Nota: Las versiones de software que han llegado al final del soporte t\u00e9cnico (EoTS) no se eval\u00faan."}], "id": "CVE-2024-28883", "lastModified": "2025-08-06T15:56:39.557", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.4, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 5.2, "source": "f5sirt@f5.com", "type": "Secondary"}]}, "published": "2024-05-08T15:15:09.380", "references": [{"source": "f5sirt@f5.com", "tags": ["Vendor Advisory"], "url": "https://my.f5.com/manage/s/article/K000138744"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://my.f5.com/manage/s/article/K000138744"}], "sourceIdentifier": "f5sirt@f5.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-346"}], "source": "f5sirt@f5.com", "type": "Secondary"}]}