What is the CVSS score of CVE-2020-5902?

CVE-2020-5902 has a CVSS 3.1 base score of 9.8 (Critical). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. EPSS exploitation probability: 94.4%.

Which versions of In BIG-IP are affected by CVE-2020-5902?

Organizations using BIG-IP face critical risk from CVE-2020-5902, a path traversal vulnerability rated CVSS 9.8.

Is there a public PoC exploit available for CVE-2020-5902?

Yes, a public proof-of-concept exploit is available for CVE-2020-5902. Prioritise patching immediately. EPSS: 94.4%.

How to fix or mitigate CVE-2020-5902?

Within 24 hours: Identify all affected systems running BIG-IP and apply vendor patches immediately. Review file handling controls and restrict upload directories.

In BIG-IP CVE-2020-5902

CRITICAL

Path Traversal (CWE-22)

2020-07-01 f5sirt@f5.com

9.8

CVSS 3.1

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

Analysis Generated

Mar 26, 2026 - 11:19 vuln.today

Added to CISA KEV

Oct 27, 2025 - 17:07 cisa

CISA KEV

PoC Detected

Oct 27, 2025 - 17:07 vuln.today

Public exploit code

CVE Published

Jul 01, 2020 - 15:15 nvd

CRITICAL 9.8

DescriptionNVD

In BIG-IP versions 15.0.0-15.1.0.3, 14.1.0-14.1.2.5, 13.1.0-13.1.3.3, 12.1.0-12.1.5.1, and 11.6.1-11.6.5.1, the Traffic Management User Interface (TMUI), also referred to as the Configuration utility, has a Remote Code Execution (RCE) vulnerability in undisclosed pages.

AnalysisAI

F5 BIG-IP Traffic Management User Interface (TMUI) contains a remote code execution vulnerability allowing unauthenticated attackers to execute arbitrary system commands with root privileges through crafted URL requests.

Technical ContextAI

The CWE-22 path traversal in TMUI's request handler allows attackers to bypass authentication and reach internal API endpoints. By crafting URLs with specific path traversal sequences, attackers can invoke the hsqldb endpoint to execute arbitrary Java code, which runs as the root user.

Affected ProductsAI

F5 BIG-IP 15.0.0-15.1.0.3 F5 BIG-IP 14.1.0-14.1.2.5 F5 BIG-IP 13.1.0-13.1.3.3 F5 BIG-IP 12.1.0-12.1.5.1 F5 BIG-IP 11.6.1-11.6.5.1

RemediationAI

Apply F5 hotfixes immediately. Restrict management interface access to trusted networks. Never expose TMUI to the internet. Check for indicators of compromise including modified configuration and unauthorized user accounts.

CVE-2020-5902 vulnerability details – vuln.today

Back

In BIG-IP CVE-2020-5902

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

Technical ContextAI

Affected ProductsAI

RemediationAI

Share

External POC / Exploit Code