IT Solutions - Jul 13, 2020

Critical vulnerability in F5 Big IP security systems allows the execution of arbitrary code - This is how to act.

F5 Networks has announced a critical vulnerability in security systems that are frequently used by customers in the DMZ. Successful exploitation of this vulnerability enables attackers to run arbitrary code with administrator rights on the target system. The code is simply sent as a specially formatted query to the Traffic Management User Interface without the need for any previous authentication.

Written by

Principal Consultant Geschäftsbereichsleitung IT-Security


The Traffic Management User Interface (TMUI), also known as Configuration Utility, is susceptible to a Remote Code Execution Vulnerability (CVE-2020-5902). Proof-of-concept exploit codes are already making the rounds which means the vulnerability has already been exploited. There is, therefore, an urgent need to take action.

Which systems are affected?

The vulnerability affects all Big-IP systems up to and including version 15.x. Version 16.x is not affected.




Vulnerable versions

Resolved in


CVSSv3 score

BIG-IP (LTM, AAM, AFM, Analytics, APM, ASM, AWAF, DDHD, DNS, FPS, GTM, Link Controller, PEM, SSLO)


Not vulnerable


15.x15.0.0 -


14.x14.1.0 -
13.x13.1.0 - 13.1.313.1.3.4
12.x12.1.0 - 12.1.512.1.5.2
11.x11.6.1 - 11.6.511.6.5.2

How can you protect yourself?

Install the corresponding security updates as soon as possible.

If the Traffic Management User Interface could be accessed from the internet, there is a very high probability that the system has already been compromised. The F5 Knowledge Base article about this vulnerability (Indications of Compromise) provides additional information on how to detect a compromise. If there is any uncertainty, the affected system should be reset. More information can be found in the F5 article Considerations and guidance when you suspect a security compromise on a BIG-IP system.

Share this page

This post was published on Jul 13, 2020.