Cyber Resilience

CVE-2020-5902

Critical · CISA KEV · Active Exploitation · EUVD Exploited · Public PoC · Ransomware-linked

Published: 01 July 2020

Modified: 27 October 2025
KEV Added: 03 November 2021
Patch
CVSS Score (v3.1): 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.9443 (100.0th percentile)
Risk Priority: 96 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2020-5902 is a critical-severity Path Traversal (CWE-22) vulnerability in F5 BIG-IP Access Policy Manager. Its CVSS base score is 9.8 (Critical).

Operationally, it is ranked in the top 0.0% of CVEs by exploit likelihood (EPSS); CISA has added it to the Known Exploited Vulnerabilities catalog; and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2020-5902 is a remote code execution vulnerability in the Traffic Management User Interface (TMUI), also known as the Configuration utility, of F5 BIG-IP products. It stems from a path traversal flaw (CWE-22) present in undisclosed pages and affects versions 15.0.0-15.1.0.3, 14.1.0-14.1.2.5, 13.1.0-13.1.3.3, 12.1.0-12.1.5.1, and 11.6.1-11.6.5.1. The issue carries a CVSS 3.1 score of 9.8, reflecting network-accessible exploitation without authentication or user interaction.

Unauthenticated remote attackers can leverage the flaw to execute arbitrary code on affected systems, resulting in complete compromise of confidentiality, integrity, and availability. Public proof-of-concept material demonstrates exploitation chains involving directory traversal combined with file upload or local file inclusion to achieve code execution.

Multiple exploit implementations and scanning tools targeting this vulnerability have been released on Packet Storm Security, including scripts for remote code execution, directory traversal file upload, and local file inclusion on specific builds such as 13.1.3.


Vulnerability details

In BIG-IP versions 15.0.0-15.1.0.3, 14.1.0-14.1.2.5, 13.1.0-13.1.3.3, 12.1.0-12.1.5.1, and 11.6.1-11.6.5.1, the Traffic Management User Interface (TMUI), also referred to as the Configuration utility, has a Remote Code Execution (RCE) vulnerability in undisclosed pages.
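As an added example (not code from the advisory, NVD or F5), a small inventory check that parses the inclusive version ranges quoted in the description above and flags BIG-IP instances that fall inside them; the hostnames and versions in the sample inventory are constructed.

```python
"""Flag BIG-IP inventory entries inside the CVE-2020-5902 affected ranges."""
from __future__ import annotations

# Inclusive affected ranges as quoted in the NVD description for CVE-2020-5902.
AFFECTED_RANGES = [
    ("15.0.0", "15.1.0.3"),
    ("14.1.0", "14.1.2.5"),
    ("13.1.0", "13.1.3.3"),
    ("12.1.0", "12.1.5.1"),
    ("11.6.1", "11.6.5.1"),
]

# Constructed sample inventory (hostname -> TMOS version); not real hosts.
SAMPLE_INVENTORY = {
    "bigip-edge-01": "14.1.2.5",
    "bigip-edge-02": "15.1.0.4",
    "bigip-lab-01": "13.1.3.3",
    "bigip-dc-01": "16.0.1",
}


def parse_version(version: str) -> tuple[int, ...]:
    """Turn '14.1.2' into (14, 1, 2). Trailing zero components are dropped so
    '14.1.2' and '14.1.2.0' compare equal; anything after the first space
    (a build number such as '15.1.0.3 0.0.6') is ignored."""
    parts = [int(p) for p in version.strip().split()[0].split(".")]
    while len(parts) > 1 and parts[-1] == 0:
        parts.pop()
    return tuple(parts)


def affected_range(version: str) -> tuple[str, str] | None:
    """Return the (low, high) range containing the version, or None."""
    v = parse_version(version)
    for lo, hi in AFFECTED_RANGES:
        if parse_version(lo) <= v <= parse_version(hi):
            return (lo, hi)
    return None


def is_affected(version: str) -> bool:
    return affected_range(version) is not None


def triage(inventory: dict[str, str]) -> dict[str, list[str]]:
    """Split a {host: version} inventory into affected / not_affected lists."""
    report: dict[str, list[str]] = {"affected": [], "not_affected": []}
    for host, version in sorted(inventory.items()):
        key = "affected" if is_affected(version) else "not_affected"
        report[key].append(f"{host} ({version})")
    return report


if __name__ == "__main__":
    for key, hosts in triage(SAMPLE_INVENTORY).items():
        print(key, hosts)
```

The Affected Assets section on this page lists CPE-derived upper bounds that differ slightly from the description text, so set AFFECTED_RANGES from whichever source you treat as authoritative.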

CWE(s): CWE-22 (Path Traversal)
KEV Date Added: 03 November 2021

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: f5. Every listed product shares the same affected version ranges: 11.6.1 — 11.6.5.2 · 12.1.0 — 12.1.5.2 · 13.1.0 — 13.1.3.4

big-ip access policy manager
big-ip advanced firewall manager
big-ip advanced web application firewall
big-ip analytics
big-ip application acceleration manager
big-ip application security manager
big-ip ddos hybrid defender
big-ip domain name system
big-ip fraud protection service
big-ip global traffic manager
+4 more product configuration(s) (see NVD for the full list)

Mitigating Controls (NIST 800-53 r5)

AC-3 Access Enforcement (prevent): Enforces access control policies on the TMUI, directly blocking unauthenticated network requests that trigger the path-traversal RCE.

SI-10 Information Input Validation (prevent): Requires validation of user-supplied input to the Configuration utility, mitigating the path-traversal flaw (CWE-22) used to reach RCE.

Boundary protection (prevent): Restricts network access to the management interface via boundary devices, limiting exposure of the vulnerable TMUI pages to untrusted sources.
