
Cloud Vulnerability DB
A community-led vulnerabilities database
The Traffic Management User Interface (TMUI), also known as the Configuration utility, in F5 BIG-IP versions 15.0.0-15.1.0.3, 14.1.0-14.1.2.5, 13.1.0-13.1.3.3, 12.1.0-12.1.5.1, and 11.6.1-11.6.5.1 contained a critical Remote Code Execution (RCE) vulnerability identified as CVE-2020-5902. The vulnerability was discovered by Mikhail Klyuchnikov of Positive Technologies and was disclosed on June 30, 2020. This critical vulnerability received a CVSSv3 score of 10.0, the highest possible severity rating (CERT VU, NVD).
The vulnerability exists in the TMUI interface due to improper input validation and lack of authentication checks. The flaw allows attackers to execute arbitrary system commands, create or delete files, and disable services through undisclosed pages in the interface. The vulnerability is particularly critical as it can be exploited by unauthenticated attackers with network access to the TMUI interface. The most common attack vectors involved probing URLs containing the pattern '..' followed by specific endpoints such as /tmui/login.jsp/..;/tmui/locallb/workspace/fileRead.jsp (Cloudflare Blog).
The vulnerability allows attackers to execute arbitrary system commands with root privileges, potentially leading to complete system compromise. Successful exploitation grants attackers the ability to create or delete files, disable services, and execute arbitrary Java code. The risk is particularly severe as the vulnerability affects the management interface of BIG-IP devices, which are critical components in many enterprise networks (CISA Alert).
F5 released patches on June 30, 2020, and strongly urged customers to upgrade to the fixed versions immediately. For organizations unable to patch immediately, temporary mitigations included blocking access to the TMUI interface from untrusted networks and implementing IP-based access restrictions. F5 recommended that the TMUI should only be accessible from secure or out-of-band management networks. Organizations were advised to deploy specific signatures to detect exploitation attempts and monitor systems for indicators of compromise (F5 Advisory, CISA Alert).
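The probing pattern and the monitoring advice described above can be combined into a simple log check. The following is an added example, not code from F5, CISA or this database: it scans web access logs for TMUI requests containing the '..;' sequence (including percent-encoded forms) and for any TMUI request arriving from outside the management network. The log lines are constructed samples, and the combined log format and the 10.20.0.0/24 management range are assumptions.

```python
import ipaddress
import re
from urllib.parse import unquote

# Assumption: the out-of-band management network allowed to reach TMUI.
MGMT_NET = ipaddress.ip_network("10.20.0.0/24")

# Constructed sample lines in combined log format (documentation IP ranges).
SAMPLE_LOG = """\
198.51.100.7 - - [05/Jul/2020:10:01:02 +0000] "GET /tmui/login.jsp/..;/tmui/locallb/workspace/fileRead.jsp HTTP/1.1" 200 512
203.0.113.9 - - [05/Jul/2020:10:01:09 +0000] "GET /tmui/login.jsp/%2e%2e%3b/tmui/locallb/workspace/fileRead.jsp HTTP/1.1" 404 0
10.20.0.5 - - [05/Jul/2020:10:02:00 +0000] "GET /tmui/login.jsp HTTP/1.1" 200 4096
198.51.100.7 - - [05/Jul/2020:10:03:00 +0000] "GET /tmui/login.jsp HTTP/1.1" 200 4096
"""

REQUEST_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

def fully_decode(target, max_rounds=3):
    """Percent-decode repeatedly so double-encoded '..;' is still visible."""
    for _ in range(max_rounds):
        decoded = unquote(target)
        if decoded == target:
            break
        target = decoded
    return target

def is_mgmt(src):
    """True only if src parses as an address inside the management network."""
    try:
        return ipaddress.ip_address(src) in MGMT_NET
    except ValueError:
        return False

def scan(log_text):
    """Return (source, reason, http_status) for each suspicious TMUI request."""
    findings = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        target = fully_decode(m["target"]).lower()
        if "/tmui/" not in target:
            continue
        if "..;" in target:
            findings.append((m["src"], "traversal", int(m["status"])))
        elif not is_mgmt(m["src"]):
            findings.append((m["src"], "tmui-from-untrusted", int(m["status"])))
    return findings
```

A "traversal" finding with a 200 status means the device answered the request and should be prioritized for investigation; a "tmui-from-untrusted" finding shows the management interface is reachable from outside the intended network.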
The U.S. Cyber Command issued an urgent warning advising immediate patching of the vulnerability. The cybersecurity community responded rapidly, with multiple security vendors releasing detection signatures and protection measures. The vulnerability garnered significant attention due to its critical nature and the widespread use of F5 BIG-IP devices in enterprise environments. Security researchers actively shared information about exploitation attempts and mitigation strategies across social media platforms (CISA Alert).
Source: This report was generated using AI