CVE-2020-5902
Published: 01 July 2020
Summary
CVE-2020-5902 is a critical-severity Path Traversal (CWE-22) vulnerability in F5 BIG-IP Access Policy Manager. Its CVSS base score is 9.8 (Critical).
Operationally, it ranks in the top 0.0% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog; and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2020-5902 is a remote code execution vulnerability in the Traffic Management User Interface (TMUI), also known as the Configuration utility, of F5 BIG-IP products. It stems from a path traversal flaw (CWE-22) present in undisclosed pages and affects versions 15.0.0-15.1.0.3, 14.1.0-14.1.2.5, 13.1.0-13.1.3.3, 12.1.0-12.1.5.1, and 11.6.1-11.6.5.1. The issue carries a CVSS 3.1 score of 9.8, reflecting network-accessible exploitation without authentication or user interaction.
Unauthenticated remote attackers can leverage the flaw to execute arbitrary code on affected systems, resulting in complete compromise of confidentiality, integrity, and availability. Public proof-of-concept material demonstrates exploitation chains involving directory traversal combined with file upload or local file inclusion to achieve code execution.
Multiple exploit implementations and scanning tools targeting this vulnerability have been released on Packet Storm Security, including scripts for remote code execution, directory-traversal file upload, and local file inclusion on specific builds such as 13.1.3.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2020-27056
Vulnerability details
In BIG-IP versions 15.0.0-15.1.0.3, 14.1.0-14.1.2.5, 13.1.0-13.1.3.3, 12.1.0-12.1.5.1, and 11.6.1-11.6.5.1, the Traffic Management User Interface (TMUI), also referred to as the Configuration utility, has a Remote Code Execution (RCE) vulnerability in undisclosed pages.
- CWE(s): CWE-22 (Path Traversal)
- KEV Date Added: 03 November 2021
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls (NIST 800-53 r5)
- AC-3 (Access Enforcement): Enforces access control policies on the TMUI, directly blocking unauthenticated network requests that trigger the path-traversal RCE.
- SI-10 (Information Input Validation): Requires validation of user-supplied input to the Configuration utility, mitigating the path-traversal flaw (CWE-22) used to reach RCE.
- Boundary protection: Restricts network access to the management interface via boundary devices, limiting exposure of the vulnerable TMUI pages to untrusted sources.
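To make the input-validation control (SI-10) and the detection side concrete, here is an added example that is not F5 code and does not reproduce the undisclosed TMUI pages or any published exploit. It shows the generic CWE-22 pattern: a naive path join that lets a `..` segment escape the web root, beside a hardened resolver that decodes, canonicalises lexically and confines the result to the root, plus a small scanner that flags traversal sequences in access-log request paths. The web root, file names, IP addresses and log lines are all constructed for illustration.

```python
"""Illustrative CWE-22 (path traversal) handling: vulnerable join, hardened
resolver, and a log scanner for traversal attempts.

Added example; not F5 code. Every path, host and log line is constructed.
"""
import os
import re
from pathlib import PurePosixPath
from typing import List, Optional, Tuple
from urllib.parse import unquote

WEB_ROOT = "/var/www/ui"  # constructed web root, not a real F5 path


def resolve_vulnerable(root: str, request_path: str) -> str:
    """The naive pattern: join the URL path onto the root without
    canonicalising. A '..' segment in the request walks out of the root."""
    return os.path.join(root, request_path.lstrip("/"))


def resolve_hardened(root: str, request_path: str) -> Optional[str]:
    """SI-10-style validation: decode, canonicalise and confine the request
    to the web root. Returns the safe absolute path, or None when rejected."""
    decoded = unquote(unquote(request_path))  # strip single and double encoding
    if "\x00" in decoded:
        return None  # embedded NUL can truncate the path in lower layers
    decoded = decoded.replace("\\", "/")  # treat backslash as a separator too
    # Collapse segments lexically so no filesystem access happens before the
    # decision; PurePosixPath already drops '.' and empty segments.
    parts: List[str] = []
    for seg in PurePosixPath("/" + decoded).parts[1:]:
        if seg == "..":
            if not parts:
                return None  # attempt to climb above the root
            parts.pop()
        elif seg not in ("", "."):
            parts.append(seg)
    candidate = os.path.normpath(os.path.join(root, *parts))
    # Belt-and-braces confinement check on the normalised result.
    if os.path.commonpath([root, candidate]) != os.path.normpath(root):
        return None
    return candidate


# Constructed Common-Log-Format-like access-log lines.
SAMPLE_LOG = [
    '203.0.113.5 - - [01/Jul/2020:12:00:00 +0000] "GET /static/app.css HTTP/1.1" 200 1024',
    '203.0.113.7 - - [01/Jul/2020:12:00:05 +0000] "GET /static/../../config/secret.conf HTTP/1.1" 200 512',
    '203.0.113.9 - - [01/Jul/2020:12:00:09 +0000] "GET /static/%2e%2e/%2e%2e/config/secret.conf HTTP/1.1" 404 0',
]

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# Raw and percent-encoded dot-dot sequences; the decoded check below covers
# double encoding as well.
TRAVERSAL_RE = re.compile(r"(?:\.\./|\.\.\\|%2e%2e)", re.IGNORECASE)


def flag_traversal_requests(log_lines: List[str]) -> List[Tuple[str, str]]:
    """Return (client_ip, request_path) for every log line whose request path
    carries a traversal sequence, raw or percent-encoded."""
    hits: List[Tuple[str, str]] = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        path = m.group("path")
        if TRAVERSAL_RE.search(path) or ".." in unquote(unquote(path)):
            hits.append((m.group("ip"), path))
    return hits


if __name__ == "__main__":
    escaped = resolve_vulnerable(WEB_ROOT, "/static/../../config/secret.conf")
    print("vulnerable join resolves to:", os.path.normpath(escaped))
    print("hardened resolver returns:", resolve_hardened(WEB_ROOT, "/static/../../config/secret.conf"))
    for ip, path in flag_traversal_requests(SAMPLE_LOG):
        print("traversal attempt from", ip, "->", path)
```

The hardened resolver decides purely on the lexical form of the request, so it never touches the filesystem with an untrusted path; the final `commonpath` check guards against any slip in the segment logic. The log scanner is deliberately simple: in practice you would also decode the path once before matching and correlate hits with the management interface's expected client ranges, which is the boundary-protection control above.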