Critical Vulnerability in BIG-IP Application Delivery Controller (CVE-2020-5902)

Published on 04 Jul 2020

Updated on 04 Jul 2020

F5 has released security updates for the BIG-IP Application Delivery Controller, addressing a critical vulnerability (CVE-2020-5902) with a Common Vulnerability Scoring System (CVSS) score of 10 out of 10. An unauthenticated remote attacker could compromise the system by sending a specially crafted Hypertext Transfer Protocol (HTTP) request to the server hosting the Traffic Management User Interface (TMUI) utility for BIG-IP configuration.

Successful exploitation of the vulnerability could allow an unauthenticated attacker to execute arbitrary code on the affected systems remotely.

The versions known to be vulnerable are:
  • 11.6.1 - 11.6.5
  • 12.1.0 - 12.1.5
  • 13.1.0 - 13.1.3
  • 14.1.0 - 14.1.2
  • 15.1.0 and 15.0.0

Administrators and users of the affected versions are advised to install the latest security updates immediately.

More information is available at:
https://support.f5.com/csp/article/K52145254
https://www.ptsecurity.com/ww-en/about/news/f5-fixes-critical-vulnerability-discovered-by-positive-technologies-in-big-ip-application-delivery-controller/