⚠ Actively exploited in ransomware campaigns
This vulnerability is on the CISA Known Exploited Vulnerabilities list and has been used in known ransomware attacks. CISA required action: Apply updates per vendor instructions. Due date: 2022-05-03.

CVE-2020-5902: Path Traversal in F5 BIG-IP Global Traffic Manager

Severity: 9.8 CRITICAL (NVD)
EPSS: 94.4% (top 0.02%)
CISA KEV: KEV, Ransomware; Added 2021-11-03; Due 2022-05-03
Exploit: Exploited in wild; active exploitation observed
Timeline: Published Jul 1; KEV added Nov 3; KEV due May 3; Latest update Dec 24

Description

In BIG-IP versions 15.0.0-15.1.0.3, 14.1.0-14.1.2.5, 13.1.0-13.1.3.3, 12.1.0-12.1.5.1, and 11.6.1-11.6.5.1, the Traffic Management User Interface (TMUI), also referred to as the Configuration utility, has a Remote Code Execution (RCE) vulnerability in undisclosed pages.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploitability: 3.9 | Impact: 5.9

Affected Packages (15 packages)

NVD | f5/big-ip_local_traffic_manager | 11.6.1 | 11.6.5.2 | +5
NVD | f5/big-ip_global_traffic_manager | 11.6.1 | 11.6.5.2 | +5
NVD | f5/big-ip_analytics | 11.6.1 | 11.6.5.2 | +5
NVD | f5/ssl_orchestrator | 11.6.1 | 11.6.5.2 | +5
NVD | f5/big-ip_link_controller | 11.6.1 | 11.6.5.2 | +5

🔴 Vulnerability Details (3)

GHSA | GHSA-2859-2hr6-f86v: In BIG-IP versions 15 | 2022-05-24
CVEList | CVE-2020-5902: In BIG-IP versions 15 | 2020-07-01
VulnCheck | F5 BIG-IP Traffic Management User Interface (TMUI) Remote Code Execution Vulnerability | 2020

💥 Exploits & PoCs (5)

Exploit-DB | F5 Big-IP 13.1.3 Build 0.0.6 - Local File Inclusion | 2020-07-26
Exploit-DB | BIG-IP 15.0.0 < 15.1.0.3 / 14.1.0 < 14.1.2.5 / 13.1.0 < 13.1.3.3 / 12.1.0 < 12.1.5.1 / 11.6.1 < 11.6.5.1 - Traffic Management User Interface 'TMUI' Remote Code Execution | 2020-07-06
Exploit-DB | BIG-IP 15.0.0 < 15.1.0.3 / 14.1.0 < 14.1.2.5 / 13.1.0 < 13.1.3.3 / 12.1.0 < 12.1.5.1 / 11.6.1 < 11.6.5.1 - Traffic Management User Interface 'TMUI' Remote Code Execution (PoC) | 2020-07-05
Nuclei | F5 BIG-IP TMUI - Remote Code Execution
Nuclei | F5 BIG-IP Security Checks

🔍 Detection Rules (2)

Suricata | ET EXPLOIT F5 TMUI RCE vulnerability CVE-2020-5902 Attempt M2 | 2020-07-08
Suricata | ET EXPLOIT F5 TMUI RCE vulnerability CVE-2020-5902 Attempt M1 | 2020-07-05

📋 Vendor Advisories (2)

CISA | F5 BIG-IP Traffic Management User Interface (TMUI) Remote Code Execution Vulnerability | 2021-11-03
F5 | CVE-2020-5902: In BIG-IP versions 15 | 2020-07-01

🕵️ Threat Intelligence (8)

Unit42 | Top CVEs to Patch: Insights from the 2022 Unit 42 Network Threat Trends Research Report | 2022-07-21
Trendmicro | Mirai Botnet Attack IoT Devices via CVE-2020-5902 | 2020-07-28
Qualys | F5 BIG-IP Remote Code Execution Vulnerability (CVE-2020-5902) | 2020-07-06

💬 Community (2)

HackerOne | CVE-2020-5902: CVE-2020-5902 CVE ID: CVE-2020-5902 Description: Affected Product: F5 BIG-IP Traffic Management User Interface (TMUI) Severity: Critical CV | 2024-12-24
HackerOne | F5 BIG-IP TMUI RCE - CVE-2020-5902 (██.packet8.net) | 2022-03-25