Vulnerability Details : CVE-2020-5902
Public exploit exists!
Used for ransomware!
In BIG-IP versions 15.0.0-15.1.0.3, 14.1.0-14.1.2.5, 13.1.0-13.1.3.3, 12.1.0-12.1.5.1, and 11.6.1-11.6.5.1, the Traffic Management User Interface (TMUI), also referred to as the Configuration utility, has a Remote Code Execution (RCE) vulnerability in undisclosed pages.
Vulnerability category: Execute code
Products affected by CVE-2020-5902
- cpe:2.3:a:f5:big-ip_local_traffic_manager:*:*:*:*:*:*:*:*
- cpe:2.3:a:f5:big-ip_local_traffic_manager:*:*:*:*:*:*:*:*
- cpe:2.3:a:f5:big-ip_local_traffic_manager:*:*:*:*:*:*:*:*
- cpe:2.3:a:f5:big-ip_local_traffic_manager:*:*:*:*:*:*:*:*
- cpe:2.3:a:f5:big-ip_local_traffic_manager:*:*:*:*:*:*:*:*
- cpe:2.3:a:f5:big-ip_local_traffic_manager:*:*:*:*:*:*:*:*
- cpe:2.3:a:f5:big-ip_global_traffic_manager:*:*:*:*:*:*:*:*
- cpe:2.3:a:f5:big-ip_global_traffic_manager:*:*:*:*:*:*:*:*
- cpe:2.3:a:f5:big-ip_global_traffic_manager:*:*:*:*:*:*:*:*
- cpe:2.3:a:f5:big-ip_global_traffic_manager:*:*:*:*:*:*:*:*
- cpe:2.3:a:f5:big-ip_global_traffic_manager:*:*:*:*:*:*:*:*
- cpe:2.3:a:f5:big-ip_global_traffic_manager:*:*:*:*:*:*:*:*
- F5 » Big-ip Application Security ManagerVersions from including (>=) 13.1.0 and before (<) 13.1.3.4cpe:2.3:a:f5:big-ip_application_security_manager:*:*:*:*:*:*:*:*
- F5 » Big-ip Application Security ManagerVersions from including (>=) 12.1.0 and before (<) 12.1.5.2cpe:2.3:a:f5:big-ip_application_security_manager:*:*:*:*:*:*:*:*
- F5 » Big-ip Application Security ManagerVersions from including (>=) 14.1.0 and before (<) 14.1.2.6cpe:2.3:a:f5:big-ip_application_security_manager:*:*:*:*:*:*:*:*
- F5 » Big-ip Application Security ManagerVersions from including (>=) 11.6.1 and before (<) 11.6.5.2cpe:2.3:a:f5:big-ip_application_security_manager:*:*:*:*:*:*:*:*
- F5 » Big-ip Application Security ManagerVersions from including (>=) 15.0.0 and before (<) 15.0.1.4cpe:2.3:a:f5:big-ip_application_security_manager:*:*:*:*:*:*:*:*
- F5 » Big-ip Application Security ManagerVersions from including (>=) 15.1.0 and before (<) 15.1.0.4cpe:2.3:a:f5:big-ip_application_security_manager:*:*:*:*:*:*:*:*
- cpe:2.3:a:f5:big-ip_access_policy_manager:*:*:*:*:*:*:*:*
- cpe:2.3:a:f5:big-ip_access_policy_manager:*:*:*:*:*:*:*:*
- F5 » Big-ip Access Policy ManagerVersions from including (>=) 15.0.0 and up to, including, (<=) 15.0.1.4cpe:2.3:a:f5:big-ip_access_policy_manager:*:*:*:*:*:*:*:*
- cpe:2.3:a:f5:big-ip_access_policy_manager:*:*:*:*:*:*:*:*
- cpe:2.3:a:f5:big-ip_access_policy_manager:*:*:*:*:*:*:*:*
- cpe:2.3:a:f5:big-ip_access_policy_manager:*:*:*:*:*:*:*:*
- cpe:2.3:a:f5:big-ip_link_controller:*:*:*:*:*:*:*:*
- cpe:2.3:a:f5:big-ip_link_controller:*:*:*:*:*:*:*:*
- cpe:2.3:a:f5:big-ip_link_controller:*:*:*:*:*:*:*:*
- cpe:2.3:a:f5:big-ip_link_controller:*:*:*:*:*:*:*:*
- cpe:2.3:a:f5:big-ip_link_controller:*:*:*:*:*:*:*:*
- cpe:2.3:a:f5:big-ip_link_controller:*:*:*:*:*:*:*:*
- cpe:2.3:a:f5:big-ip_analytics:*:*:*:*:*:*:*:*
- cpe:2.3:a:f5:big-ip_analytics:*:*:*:*:*:*:*:*
- cpe:2.3:a:f5:big-ip_analytics:*:*:*:*:*:*:*:*
- cpe:2.3:a:f5:big-ip_analytics:*:*:*:*:*:*:*:*
- cpe:2.3:a:f5:big-ip_analytics:*:*:*:*:*:*:*:*
- cpe:2.3:a:f5:big-ip_analytics:*:*:*:*:*:*:*:*
- F5 » Big-ip Application Acceleration ManagerVersions from including (>=) 14.1.0 and before (<) 14.1.2.6cpe:2.3:a:f5:big-ip_application_acceleration_manager:*:*:*:*:*:*:*:*
- F5 » Big-ip Application Acceleration ManagerVersions from including (>=) 15.1.0 and before (<) 15.1.0.4cpe:2.3:a:f5:big-ip_application_acceleration_manager:*:*:*:*:*:*:*:*
- F5 » Big-ip Application Acceleration ManagerVersions from including (>=) 11.6.1 and before (<) 11.6.5.2cpe:2.3:a:f5:big-ip_application_acceleration_manager:*:*:*:*:*:*:*:*
- F5 » Big-ip Application Acceleration ManagerVersions from including (>=) 12.1.0 and before (<) 12.1.5.2cpe:2.3:a:f5:big-ip_application_acceleration_manager:*:*:*:*:*:*:*:*
- F5 » Big-ip Application Acceleration ManagerVersions from including (>=) 13.1.0 and before (<) 13.1.3.4cpe:2.3:a:f5:big-ip_application_acceleration_manager:*:*:*:*:*:*:*:*
- F5 » Big-ip Application Acceleration ManagerVersions from including (>=) 15.0.0 and before (<) 15.0.1.4cpe:2.3:a:f5:big-ip_application_acceleration_manager:*:*:*:*:*:*:*:*
- cpe:2.3:a:f5:big-ip_advanced_firewall_manager:*:*:*:*:*:*:*:*
- cpe:2.3:a:f5:big-ip_advanced_firewall_manager:*:*:*:*:*:*:*:*
- cpe:2.3:a:f5:big-ip_advanced_firewall_manager:*:*:*:*:*:*:*:*
- cpe:2.3:a:f5:big-ip_advanced_firewall_manager:*:*:*:*:*:*:*:*
- cpe:2.3:a:f5:big-ip_advanced_firewall_manager:*:*:*:*:*:*:*:*
- cpe:2.3:a:f5:big-ip_advanced_firewall_manager:*:*:*:*:*:*:*:*
- cpe:2.3:a:f5:big-ip_policy_enforcement_manager:*:*:*:*:*:*:*:*
- cpe:2.3:a:f5:big-ip_policy_enforcement_manager:*:*:*:*:*:*:*:*
- cpe:2.3:a:f5:big-ip_policy_enforcement_manager:*:*:*:*:*:*:*:*
- cpe:2.3:a:f5:big-ip_policy_enforcement_manager:*:*:*:*:*:*:*:*
- cpe:2.3:a:f5:big-ip_policy_enforcement_manager:*:*:*:*:*:*:*:*
- cpe:2.3:a:f5:big-ip_policy_enforcement_manager:*:*:*:*:*:*:*:*
- cpe:2.3:a:f5:big-ip_domain_name_system:*:*:*:*:*:*:*:*
- cpe:2.3:a:f5:big-ip_domain_name_system:*:*:*:*:*:*:*:*
- cpe:2.3:a:f5:big-ip_domain_name_system:*:*:*:*:*:*:*:*
- cpe:2.3:a:f5:big-ip_domain_name_system:*:*:*:*:*:*:*:*
- cpe:2.3:a:f5:big-ip_domain_name_system:*:*:*:*:*:*:*:*
- cpe:2.3:a:f5:big-ip_domain_name_system:*:*:*:*:*:*:*:*
- cpe:2.3:a:f5:ssl_orchestrator:*:*:*:*:*:*:*:*
- cpe:2.3:a:f5:ssl_orchestrator:*:*:*:*:*:*:*:*
- cpe:2.3:a:f5:ssl_orchestrator:*:*:*:*:*:*:*:*
- cpe:2.3:a:f5:ssl_orchestrator:*:*:*:*:*:*:*:*
- cpe:2.3:a:f5:ssl_orchestrator:*:*:*:*:*:*:*:*
- cpe:2.3:a:f5:ssl_orchestrator:*:*:*:*:*:*:*:*
- cpe:2.3:a:f5:big-ip_fraud_protection_service:*:*:*:*:*:*:*:*
- cpe:2.3:a:f5:big-ip_fraud_protection_service:*:*:*:*:*:*:*:*
- cpe:2.3:a:f5:big-ip_fraud_protection_service:*:*:*:*:*:*:*:*
- cpe:2.3:a:f5:big-ip_fraud_protection_service:*:*:*:*:*:*:*:*
- cpe:2.3:a:f5:big-ip_fraud_protection_service:*:*:*:*:*:*:*:*
- cpe:2.3:a:f5:big-ip_fraud_protection_service:*:*:*:*:*:*:*:*
- F5 » Big-ip Advanced Web Application FirewallVersions from including (>=) 11.6.1 and before (<) 11.6.5.2cpe:2.3:a:f5:big-ip_advanced_web_application_firewall:*:*:*:*:*:*:*:*
- F5 » Big-ip Advanced Web Application FirewallVersions from including (>=) 15.1.0 and before (<) 15.1.0.4cpe:2.3:a:f5:big-ip_advanced_web_application_firewall:*:*:*:*:*:*:*:*
- F5 » Big-ip Advanced Web Application FirewallVersions from including (>=) 13.1.0 and before (<) 13.1.3.4cpe:2.3:a:f5:big-ip_advanced_web_application_firewall:*:*:*:*:*:*:*:*
- F5 » Big-ip Advanced Web Application FirewallVersions from including (>=) 12.1.0 and before (<) 12.1.5.2cpe:2.3:a:f5:big-ip_advanced_web_application_firewall:*:*:*:*:*:*:*:*
- F5 » Big-ip Advanced Web Application FirewallVersions from including (>=) 14.1.0 and before (<) 14.1.2.6cpe:2.3:a:f5:big-ip_advanced_web_application_firewall:*:*:*:*:*:*:*:*
- F5 » Big-ip Advanced Web Application FirewallVersions from including (>=) 15.0.0 and before (<) 15.0.1.4cpe:2.3:a:f5:big-ip_advanced_web_application_firewall:*:*:*:*:*:*:*:*
- cpe:2.3:a:f5:big-ip_ddos_hybrid_defender:*:*:*:*:*:*:*:*
- cpe:2.3:a:f5:big-ip_ddos_hybrid_defender:*:*:*:*:*:*:*:*
- cpe:2.3:a:f5:big-ip_ddos_hybrid_defender:*:*:*:*:*:*:*:*
- cpe:2.3:a:f5:big-ip_ddos_hybrid_defender:*:*:*:*:*:*:*:*
- cpe:2.3:a:f5:big-ip_ddos_hybrid_defender:*:*:*:*:*:*:*:*
- cpe:2.3:a:f5:big-ip_ddos_hybrid_defender:*:*:*:*:*:*:*:*
CVE-2020-5902 is in the CISA Known Exploited Vulnerabilities Catalog
This issue is known to have been leveraged as part of a ransomware campaign.
CISA vulnerability name:
F5 BIG-IP Traffic Management User Interface (TMUI) Remote Code Execution Vulnerability
CISA required action:
Apply updates per vendor instructions.
CISA description:
F5 BIG-IP Traffic Management User Interface (TMUI) contains a remote code execution vulnerability in undisclosed pages.
Notes:
https://nvd.nist.gov/vuln/detail/CVE-2020-5902
Added on
2021-11-03
Action due date
2022-05-03
Exploit prediction scoring system (EPSS) score for CVE-2020-5902
97.54%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 100 %
Percentile, the proportion of vulnerabilities that are scored at or less
Metasploit modules for CVE-2020-5902
-
F5 BIG-IP TMUI Directory Traversal and File Upload RCE
Disclosure Date: 2020-06-30First seen: 2020-07-07exploit/linux/http/f5_bigip_tmui_rceThis module exploits a directory traversal in F5's BIG-IP Traffic Management User Interface (TMUI) to upload a shell script and execute it as the Unix root user. Unix shell access is obtained by escaping the restricted Traffic Management Shell (TMS -
F5 BIG-IP TMUI Directory Traversal and File Upload RCE
Disclosure Date: 2020-06-30First seen: 2023-11-04exploit/linux/http/f5_bigip_tmui_rce_cve_2020_5902This module exploits a directory traversal in F5's BIG-IP Traffic Management User Interface (TMUI) to upload a shell script and execute it as the Unix root user. Unix shell access is obtained by escaping the restricted Traffic Management Shell (TMS
CVSS scores for CVE-2020-5902
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
10.0
|
HIGH | AV:N/AC:L/Au:N/C:C/I:C/A:C |
10.0
|
10.0
|
NIST | |
9.8
|
CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
3.9
|
5.9
|
NIST |
CWE ids for CVE-2020-5902
-
The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.Assigned by: nvd@nist.gov (Primary)
References for CVE-2020-5902
-
http://packetstormsecurity.com/files/158414/Checker-CVE-2020-5902.html
Checker CVE-2020-5902 ≈ Packet StormThird Party Advisory;VDB Entry
-
https://badpackets.net/over-3000-f5-big-ip-endpoints-vulnerable-to-cve-2020-5902/
Over 3,000 F5 BIG-IP endpoints vulnerable to CVE-2020-5902 – Bad PacketsExploit;Third Party Advisory
-
https://www.kb.cert.org/vuls/id/290915
VU#290915 - F5 BIG-IP contains multiple vulnerabilities including unauthenticated remote command executionThird Party Advisory;US Government Resource
-
https://support.f5.com/csp/article/K52145254
Vendor Advisory
-
http://packetstormsecurity.com/files/158334/BIG-IP-TMUI-Remote-Code-Execution.html
BIG-IP TMUI Remote Code Execution ≈ Packet StormThird Party Advisory;VDB Entry
-
https://github.com/Critical-Start/Team-Ares/tree/master/CVE-2020-5902
Team-Ares/CVE-2020-5902 at master · Critical-Start/Team-Ares · GitHubBroken Link;Exploit;Third Party Advisory
-
http://packetstormsecurity.com/files/175671/F5-BIG-IP-TMUI-Directory-Traversal-File-Upload-Code-Execution.html
F5 BIG-IP TMUI Directory Traversal / File Upload / Code Execution ≈ Packet StormExploit;Third Party Advisory;VDB Entry
-
http://packetstormsecurity.com/files/158581/F5-Big-IP-13.1.3-Build-0.0.6-Local-File-Inclusion.html
F5 Big-IP 13.1.3 Build 0.0.6 Local File Inclusion ≈ Packet StormExploit;Third Party Advisory;VDB Entry
-
https://www.criticalstart.com/f5-big-ip-remote-code-execution-exploit/
F5 BIG-IP Remote Code Execution Exploit - CVE-2020-5902 | Critical StartExploit;Third Party Advisory
-
http://packetstormsecurity.com/files/158333/BIG-IP-TMUI-Remote-Code-Execution.html
BIG-IP TMUI Remote Code Execution ≈ Packet StormExploit;Third Party Advisory;VDB Entry
-
http://packetstormsecurity.com/files/158366/F5-BIG-IP-TMUI-Directory-Traversal-File-Upload-Code-Execution.html
F5 BIG-IP TMUI Directory Traversal / File Upload / Code Execution ≈ Packet StormExploit;Third Party Advisory;VDB Entry
-
https://swarm.ptsecurity.com/rce-in-f5-big-ip/
Remote Code Execution in F5 Big‑IP – PT SWARMExploit;Third Party Advisory
Jump to