f5 big-ip application security manager

Cybersecurity researchers today issued a security advisory warning enterprises and governments across the globe to immediately patch a highly-critical remote code execution vulnerability affecting F5's BIG-IP networking devices running application security servers.

The vulnerability, assigned CVE-2020-5902 and rated as critical with a CVSS score of 10 out of 10, could let remote attackers take complete control of the targeted systems, eventually gaining surveillance over the application data they manage.

According to Mikhail Klyuchnikov, a security researcher at Positive Technologies who discovered the flaw and reported it to F5 Networks, the issue resides in a configuration utility called Traffic Management User Interface (TMUI) for BIG-IP application delivery controller (ADC).

BIG-IP ADC is being used by large enterprises, data centers, and cloud computing environments, allowing them to implement application acceleration, load balancing, rate shaping, SSL offloading, and web application firewall.

F5 BIG-IP ADC RCE Flaw (CVE-2020-5902)

An unauthenticated attacker can remotely exploit this vulnerability by sending a maliciously crafted HTTP request to the vulnerable server hosting the Traffic Management User Interface (TMUI) utility for BIG-IP configuration.

Successful exploitation of this vulnerability could allow attackers to gain full admin control over the device, eventually making them do any task they want on the compromised device without any authorization.

f5 big-ip application security manager

"The attacker can create or delete files, disable services, intercept information, run arbitrary system commands and Java code, completely compromise the system, and pursue further targets, such as the internal network," Klyuchnikov said.

"RCE in this case results from security flaws in multiple components, such as one that allows directory traversal exploitation."

As of June 2020, more than 8,000 devices have been identified online as being exposed directly to the internet, of which 40% reside in the United States, 16% in China, 3% in Taiwan, 2.5% in Canada and Indonesia and less than 1% in Russia, the security firm says.

However, Klyuchnikov also says that most companies using the affected product do not enable access to the internet's vulnerable configuration interface.

F5 BIG-IP ADC XSS Flaw (CVE-2020-5903)

Besides this, Klyuchnikov also reported an XSS vulnerability (assigned CVE-2020-5903 with a CVSS score of 7.5) in the BIG-IP configuration interface that could let remote attackers run malicious JavaScript code as the logged-in administrator user.

"If the user has administrator privileges and access to Advanced Shell (bash), successful exploitation can lead to a full compromise of BIG-IP via RCE," the researcher said.

Affected Versions and Patch Updates

Affected companies and administrators relying on vulnerable BIG-IP versions 11.6.x, 12.1.x, 13.1.x, 14.1.x, 15.0.x, 15.1.x are strongly recommended to update their devices to the latest versions,,,, as soon as possible.

Moreover, users of public cloud marketplaces like AWS (Amazon Web Services), Azure, GCP, and Alibaba are also advised to switch to BIG-IP Virtual Edition (VE) versions,,,,, or, as soon as they are available.
Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.