Cyber Command backs ‘urgent’ patch for F5 security vulnerability

One of the largest providers of enterprise networking equipment in the world, F5, issued a patch for an issue that, if exploited, could lead to “complete system compromise.”

One of the largest providers of enterprise networking equipment in the world, F5 Networks, has issued a security fix for a major vulnerability that, if exploited, could result in a “complete system compromise.”

F5’s BIG-IP is among the most popular networking gear in use today in government systems, internet service providers and cloud computing data centers. If security administrators fail to patch the new vulnerability, though, attackers could wreak havoc on their networks, according to information security specialists. Mikhail Klyuchnikov, the senior web application security researcher at Positive Technologies who uncovered the flaw, estimates that there are approximately 8,000 vulnerable devices exposed to the internet.

The remote code execution vulnerability, designated CVE-2020-5902, affects the BIG-IP product’s Traffic Management User Interface (TMUI), which can enable load balancers, firewalls, rate limiters and web traffic shaping systems. Attackers who exploit the weakness can execute arbitrary system commands, create files, delete files or disable services, according to F5.

The vulnerability is so serious it received the highest possible score of 10 from the Common Vulnerability Scoring System (CVSS). The Department of Defense’s Cyber Command warned in a tweet Friday that patching is “URGENT,” and that it “should not be postponed over the weekend.” The Department of Homeland Security’s cybersecurity agency also advised administrators to update their F5 systems on July 4.


“If you didn’t patch by this morning, assume [you are] compromised,” the Cybersecurity and Infrastructure Security Agency (CISA) Director Chris Krebs said in a tweet Monday. “Keep patching and check logs.”

To exploit the flaw, an attacker would need to send a specially crafted HTTP request to servers hosting the BIG-IP TMUI, according to Klyuchnikov.

Remote code execution by attackers “in this case results from security flaws in multiple components, such as one that allows directory traversal exploitation,” Klyuchnikov said in a statement. “This is particularly dangerous for companies whose F5 BIG-IP web interface is listed on search engines such as Shodan.”

Rich Warren, principal security consultant at NCC Group, said his company had observed active exploitation soon after the government started pushing out its alerts.

“So far, attacks have been varied and opportunistic, and we’ve seen a sharp rise following the public release of tooling to make it trivial for low-skilled hackers to exploit,” Warren told CyberScoop. “We are continually monitoring and flagging any new and novel attempts to exploit this vulnerability, and we’d encourage all [organizations] to update themselves and act now if they think they have been compromised.”


By press time Monday, NCC Group had observed an increase in exploitation attempts via the public Metasploit module. While many of the first exploits emanated from Italy, a “large volume” of attempts at “identifying vulnerable servers, which the attacker can then come back to and exploit further later,” has been emanating from China, Warren told CyberScoop.

It’s the second flaw revealed last week that received a CVSS score of 10. Cyber Command also highlighted a critical flaw in Palo Alto Networks technology that also received the highest score.

Vulnerable versions of BIG-IP include 11.6.x, 12.1.x, 13.1.x, 14.1.x, 15.0.x, 15.1.x, according to Positive Technologies.

Written by Shannon Vavra

Shannon Vavra covers the NSA, Cyber Command, espionage, and cyber-operations for CyberScoop. She previously worked at Axios as a news reporter, covering breaking political news, foreign policy, and cybersecurity. She has appeared on live national television and radio to discuss her reporting, including on MSNBC, Fox News, Fox Business, CBS, Al Jazeera, NPR, WTOP, as well as on podcasts including Motherboard’s CYBER and The CyberWire’s Caveat. Shannon hails from Chicago and received her bachelor’s degree from Tufts University.
