Advisory July 6, 2020

TMUI RCE Vulnerabilities


What is it about?

The Traffic Management User Interface (TMUI), also referred to as the Configuration utility, has a Remote Code Execution (RCE) vulnerability in undisclosed pages.
The vulnerability is assigned CVE-2020-5902 and rated critical, with a CVSS score of 10 out of 10.
In addition, a Cross-Site Scripting (XSS) vulnerability, assigned CVE-2020-5903, exists in an undisclosed page of the BIG-IP Configuration utility.

What is the impact of this attack?

The RCE vulnerability (CVE-2020-5902) allows unauthenticated attackers, or authenticated users, with network access to the TMUI through the BIG-IP management port and/or Self IPs, to execute arbitrary system commands, create or delete files, disable services, and/or execute arbitrary Java code. This vulnerability may result in complete system compromise. The BIG-IP system in Appliance mode is also vulnerable. This issue is not exposed on the data plane; only the control plane is affected.

An attacker can exploit the XSS vulnerability (CVE-2020-5903) to run JavaScript in the context of the currently logged-in user. In the case of an administrative user with access to the Advanced Shell (bash), successful exploitation of this vulnerability can be leveraged to completely compromise the BIG-IP system through Remote Code Execution.

Affected product versions:

BIG-IP versions 11.6.x, 12.1.x, 13.1.x, 14.1.x, 15.0.x, 15.1.x

What organisations should do as part of mitigation and prevention actions:

Organisations are strongly recommended to update affected devices to the latest versions as soon as possible.

You can find more information regarding the vulnerability in the F5 support article: