Soon after technical details of a serious bug in F5 BIG-IP networking devices were released to the public, attacks attempting to exploit the vulnerability were observed.
Last week, F5 released a security advisory describing a Remote Code Execution (RCE) vulnerability that affects the BIG-IP's Traffic Management User Interface (TMUI).
The flaw, tracked as CVE-2020-5902, “allows for unauthenticated attackers, or authenticated users, with network access to the TMUI, through the BIG-IP management port and/or Self IPs, to execute arbitrary system commands, create or delete files, disable services, and/or execute arbitrary Java code. This vulnerability may result in complete system compromise. The BIG-IP system in Appliance mode is also vulnerable. This issue is not exposed on the data plane; only the control plane is affected.” The vulnerability received the maximum score (10 out of 10) on the CVSSv3 vulnerability severity scale.
Two days after the patches for this flaw were issued, security researchers started releasing proof-of-concept (PoC) exploits to demonstrate how easy it is to steal information and execute commands on vulnerable devices [1, 2, 3].
Over the weekend, Rich Warren, a security researcher for the NCC Group, detected remote attacks trying to exploit the CVE-2020-5902 vulnerability. According to the researcher, the attacks have been attempting to steal administrator passwords from the compromised devices.