The Traffic Management User Interface (TMUI), also known as the Configuration Utility, is susceptible to a remote code execution vulnerability (CVE-2020-5902). Proof-of-concept exploit code is already circulating, which means the vulnerability has already been exploited. There is therefore an urgent need to take action.
The vulnerability affects all BIG-IP systems up to and including version 15.x. Version 16.x is not affected.
BIG-IP (LTM, AAM, AFM, Analytics, APM, ASM, AWAF, DDHD, DNS, FPS, GTM, Link Controller, PEM, SSLO)
|15.x||15.0.0 - 15.1.0||220.127.116.11|
|14.x||14.1.0 - 14.1.2||18.104.22.168|
|13.x||13.1.0 - 13.1.3||22.214.171.124|
|12.x||12.1.0 - 12.1.5||126.96.36.199|
|11.x||11.6.1 - 11.6.5||188.8.131.52|
Install the corresponding security updates as soon as possible.
If the Traffic Management User Interface could be accessed from the internet, there is a very high probability that the system has already been compromised. The F5 Knowledge Base article about this vulnerability (section "Indications of Compromise") provides additional information on how to detect a compromise. If there is any uncertainty, the affected system should be reset. More information can be found in the F5 article "Considerations and guidance when you suspect a security compromise on a BIG-IP system".