In BIG-IP CVE-2020-5902
CRITICALSeverity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
4DescriptionCVE.org
In BIG-IP versions 15.0.0-15.1.0.3, 14.1.0-14.1.2.5, 13.1.0-13.1.3.3, 12.1.0-12.1.5.1, and 11.6.1-11.6.5.1, the Traffic Management User Interface (TMUI), also referred to as the Configuration utility, has a Remote Code Execution (RCE) vulnerability in undisclosed pages.
AnalysisAI
F5 BIG-IP Traffic Management User Interface (TMUI) contains a remote code execution vulnerability allowing unauthenticated attackers to execute arbitrary system commands with root privileges through crafted URL requests.
Technical ContextAI
The CWE-22 path traversal in TMUI's request handler allows attackers to bypass authentication and reach internal API endpoints. By crafting URLs with specific path traversal sequences, attackers can invoke the hsqldb endpoint to execute arbitrary Java code, which runs as the root user.
Affected ProductsAI
F5 BIG-IP 15.0.0-15.1.0.3 F5 BIG-IP 14.1.0-14.1.2.5 F5 BIG-IP 13.1.0-13.1.3.3 F5 BIG-IP 12.1.0-12.1.5.1 F5 BIG-IP 11.6.1-11.6.5.1
RemediationAI
Apply F5 hotfixes immediately. Restrict management interface access to trusted networks. Never expose TMUI to the internet. Check for indicators of compromise including modified configuration and unauthorized user accounts.
Same weakness CWE-22 – Path Traversal
View allShare
External POC / Exploit Code
Leaving vuln.today