Critical Vulnerability in F5 BIG-IP Devices Exploited in the Wild

July 10, 2020 | Yana Blachman

F5 Networks released a security advisory on July 1 to address a critical remote code execution (RCE) vulnerability that impacts the Traffic Management User Interface (TMUI) Configuration Utility of several BIG-IP networking devices. The vulnerability allows an unauthenticated user with network access to execute system commands, create or delete files, disable services, and execute arbitrary code, and may result in complete system compromise.

A simple, specially crafted HTTP request to the server hosting the TMUI utility for the BIG-IP configuration can result in a complete takeover, and all the information on the device can be considered compromised.

Security experts report that attackers are actively targeting the vulnerability in the wild; the first active exploitation was visible as early as July 4 and may have occurred even earlier. Therefore, any public-facing device patched after this date, and all the information on it, including digital certificates, keys, logs, configurations, and credentials, should be considered compromised. The device should go through incident response and a forensic investigation, and the recommendation guidelines should be followed.


Exploitation in the Wild

TMUI RCE vulnerability CVE-2020-5902 was discovered by Mikhail Klyuchnikov from Positive Technologies and reported to F5 before being fully disclosed on July 2. At the time of the research in June this year, Klyuchnikov found over 8,000 vulnerable devices exposed to the internet, 40% of which were located in the US. More recent scans show that around 6,000 devices are still exposed and potentially vulnerable to takeover.

F5 released temporary configuration mitigations to use until the upgrade to a fixed software version is complete, but these mitigations proved insufficient: security professionals discovered possible bypasses for them and reported them to F5.

Exploits for the vulnerability surfaced immediately after the disclosure: exploit payloads were shared on Twitter and GitHub, and an exploit module was added to the exploitation framework Metasploit on July 5. NCC Group and other researchers reported that live exploitation attempts have been targeting the flaw since July 4 and originate from Italy and China.

Risk to Customer

If successfully exploited, a complete compromise of a vulnerable F5 device can enable an advanced attacker to leverage the appliances' network location to move laterally to additional systems, monitor or tamper with sensitive network traffic, evade defense mechanisms and establish a foothold in the environment.

Although F5 Networks disclosed the critical vulnerability and released patches as early as July 1, thousands of devices are still exposed to the internet and may be vulnerable to complete takeover. F5’s devices are known to be used across the private and governmental sectors, and its customers include many of the Fortune 50. Patching and mitigating this vulnerability is crucial, and the United States Cyber Command urges everyone to install the updates.


We strongly encourage you to follow the recommendation from F5 Systems and immediately install the latest patched software versions to address the underlying vulnerability. F5 also offers recommendations if you cannot immediately patch, including restricting access to all TMUI interfaces.

Given that the information on devices, including digital certificates and keys, could be compromised, certificates on devices should be revoked, keys re-issued and new certificates issued. This is not the first, and will certainly not be the last, vulnerability that requires agile key and certificate rotation. Most organizations do not have a strong machine identity management program in place, so key and certificate rotation on critical infrastructure is often de-prioritized during mitigations. Organizations with a strong machine identity management program will be able to automate the rotation of any group of keys and certificates quickly and easily.
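The triage rule described above, as an added example (not Venafi or F5 code): it marks public-facing devices patched after July 4, or not patched at all, as presumed compromised and lists every certificate to revoke and re-issue. Device names, certificate IDs and the inventory layout are constructed; the example goes one step beyond the text by following a shared key to every device it is installed on.

```python
from datetime import date

# Earliest in-the-wild exploitation date given in the article. Exploitation may
# have begun earlier, so pass a lower cutoff to be more conservative.
FIRST_EXPLOITATION = date(2020, 7, 4)

# Constructed inventory: hypothetical device names, exposure flags, patch dates.
DEVICES = {
    "bigip-edge-01": {"tmui_public": True,  "patched_on": date(2020, 7, 2)},
    "bigip-edge-02": {"tmui_public": True,  "patched_on": date(2020, 7, 8)},
    "bigip-edge-03": {"tmui_public": True,  "patched_on": None},
    "bigip-int-01":  {"tmui_public": False, "patched_on": date(2020, 7, 9)},
}
# Constructed (certificate id, device) pairs; cert-W is one key on two devices.
INSTALLS = [
    ("cert-A", "bigip-edge-01"),
    ("cert-B", "bigip-edge-02"),
    ("cert-W", "bigip-edge-03"),
    ("cert-W", "bigip-int-01"),
    ("cert-C", "bigip-int-01"),
]


def presumed_compromised(dev, cutoff=FIRST_EXPLOITATION):
    """Public-facing TMUI that was patched after the cutoff, or never patched."""
    if not dev["tmui_public"]:
        return False
    return dev["patched_on"] is None or dev["patched_on"] > cutoff


def still_unpatched(devices):
    """Public-facing devices that still need the fixed software version."""
    return sorted(name for name, dev in devices.items()
                  if dev["tmui_public"] and dev["patched_on"] is None)


def rotation_plan(devices, installs, cutoff=FIRST_EXPLOITATION):
    """Map each exposed certificate to every device where it must be replaced."""
    # Everything stored on a presumed-compromised device counts as exposed.
    exposed = {cert for cert, host in installs
               if presumed_compromised(devices[host], cutoff)}
    plan = {}
    for cert, host in installs:
        # A key shared with a clean device must be replaced there as well,
        # otherwise the revoked certificate stays in service on that host.
        if cert in exposed:
            plan.setdefault(cert, set()).add(host)
    return plan
```

With the sample data, `cert-W` is scheduled for replacement on the internal device too, because its key also sat on an unpatched public-facing one.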

If your organization is using Venafi, you will be able to quickly identify impacted certificates and revoke and issue new certificates manually or automatically. If you're not currently a Venafi customer, you can learn more about how Venafi can help with remediation in this video or contact us.


Network/log-based detection  


About the author

Yana Blachman

Yana is a Threat Intelligence Specialist at Venafi and has worked in the field for the last 7 years. Yana’s expertise includes tactical and operational threat analysis, threat hunting, and Dark Web intelligence.
