What is F5 BIG-IP?
F5 BIG-IP is the dominant enterprise application delivery controller (ADC), load balancer, and security platform — deployed in roughly 48% of Fortune 500 companies to manage, secure, and accelerate application traffic. BIG-IP sits in front of every web application it serves, making it a single point of compromise for entire application portfolios. The Traffic Management User Interface (TMUI), also called the Configuration Utility, is BIG-IP's web-based management console, typically exposed on port 443 or 8443.
Overview
CVE-2020-5902 is an unauthenticated remote code execution vulnerability in F5 BIG-IP's TMUI web management interface, exploitable via path traversal. No credentials required — an attacker with network access to the management port can run OS commands as root. Mass exploitation began within 24 hours of the first public proof-of-concept, earning it a spot as one of the most consequential vulnerabilities of 2020.
CISA issued an emergency directive (ED 20-03) within days of disclosure, ordering all federal agencies to patch by July 17, 2020 — one of the fastest turnarounds for a mandatory federal remediation order at the time.
Affected Versions
| BIG-IP Version | Vulnerable | Fixed |
|---|---|---|
| 15.x | 15.0.0–15.1.0 | 15.1.0.4 |
| 14.x | 14.1.0–14.1.2 | 14.1.2.6 |
| 13.x | 13.1.0–13.1.3 | 13.1.3.4 |
| 12.x | 12.1.0–12.1.5 | 12.1.5.2 |
| 11.x | 11.6.1–11.6.5 | 11.6.5.2 |
Technical Details
The vulnerability is a path traversal (CWE-22) in undisclosed TMUI pages. The TMUI application runs under Apache Tomcat, which treats a semicolon inside a path segment as the start of a path parameter and discards it when resolving the path, so a `..;` segment passes the front-end's path normalization untouched and is then resolved by Tomcat as `..`. An attacker can chain such `/..;/` sequences to escape the /tmui/ login context and reach administrative functionality without authentication.
The simplest exploit reads sensitive files or writes to the filesystem, but the more severe vector uses the /tmui/locallb/workspace/ endpoints, which read and write files on the BIG-IP system with root privileges. Combined with the TMUI's tmsh command execution functionality (reachable through the same traversal), this yields unauthenticated OS command execution.
Example traversal patterns used in exploitation:
```
/tmui/login.jsp/..;/tmui/locallb/workspace/fileRead.jsp?fileName=/etc/passwd
/tmui/login.jsp/..;/tmui/locallb/workspace/tmshCmd.jsp?command=list+auth+user+admin
```
Discovery
Mikhail Klyuchnikov of Positive Technologies discovered the vulnerability and reported it to F5 in May 2020. F5 and Klyuchnikov coordinated disclosure for July 1, 2020. A public proof-of-concept appeared on July 3 — two days after patching — triggering immediate mass scanning and exploitation.
Exploitation Context
This vulnerability was one of the most heavily exploited of 2020. Within days of PoC release, security researchers tracked thousands of exploitation attempts. Shodan showed approximately 8,000 BIG-IP management interfaces exposed to the internet at disclosure time.
Confirmed exploitation included:
- Ransomware groups (including REvil/Sodinokibi) used it for initial access
- Iranian state-sponsored actors (Fox Kitten / PIONEER KITTEN / UNC757) exploited it to establish persistent access in defense, government, and technology targets
- Cryptomining and botnet operators deployed XMRig and other malware at scale
- CISA, NSA, and UK NCSC all issued specific advisories about nation-state exploitation
Remediation
- Patch immediately: Upgrade to a fixed version per the table above (F5 advisory K52145254).
- If patching is delayed: Block all access to TMUI from the internet immediately. The management interface should never be internet-exposed — restrict to internal management networks or VPN only.
- Mitigation workaround: F5 provided a temporary mitigation script that restricts TMUI access — apply it if patching cannot happen immediately.
- Hunt for compromise: Search HTTP access logs for `..;` in request paths or for requests to `/tmui/locallb/workspace/`. Review for unauthorized admin accounts, SSH keys, or scheduled tasks added around the exploitation window.
- Assume compromise if exposed: If TMUI was internet-accessible and unpatched for any time after July 3, 2020, treat the BIG-IP device as compromised and perform a full forensic review.
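As an added example that is not part of this page or of F5's own tooling, the following Python script implements the log hunt described in the remediation list, using the `..;` path-parameter behaviour explained under Technical Details: it parses Apache combined-format access log entries (constructed sample lines, not captured traffic), URL-decodes the request path so percent-encoded forms of the traversal token are not missed (an assumption about how requests may vary), and flags entries containing `..;` or the /tmui/locallb/workspace/ endpoint. The regex, field names and sample addresses are assumptions.

```python
import re
from urllib.parse import unquote

# Constructed sample access log lines in Apache combined format (not real
# traffic). The first three mirror the traversal patterns from the advisory;
# the last two are ordinary, benign requests to the login page.
SAMPLE_LOG = """\
203.0.113.5 - - [04/Jul/2020:02:13:07 +0000] "GET /tmui/login.jsp/..;/tmui/locallb/workspace/fileRead.jsp?fileName=/etc/passwd HTTP/1.1" 200 1523
203.0.113.5 - - [04/Jul/2020:02:13:09 +0000] "GET /tmui/login.jsp/..;/tmui/locallb/workspace/tmshCmd.jsp?command=list+auth+user+admin HTTP/1.1" 200 841
198.51.100.7 - - [04/Jul/2020:03:40:11 +0000] "GET /tmui/login.jsp/%2e%2e%3b/tmui/locallb/workspace/fileRead.jsp?fileName=/etc/hosts HTTP/1.1" 200 210
192.0.2.10 - - [04/Jul/2020:08:00:01 +0000] "GET /tmui/login.jsp HTTP/1.1" 200 3012
192.0.2.10 - - [04/Jul/2020:08:00:15 +0000] "POST /tmui/logmein.html HTTP/1.1" 302 0
"""

# Assumed combined-format layout: client, ident, user, [timestamp], "request", status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Indicators named in the remediation guidance.
TRAVERSAL_TOKEN = "..;"                    # Tomcat path-parameter traversal
WORKSPACE_PREFIX = "/tmui/locallb/workspace/"  # privileged file/tmsh endpoints


def hunt(log_text: str) -> list:
    """Return one finding dict per log line whose decoded path matches an indicator."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the assumed format
        # Decode twice so single- and double-percent-encoded variants of the
        # token (e.g. %2e%2e%3b) compare equal to the literal "..;".
        path = unquote(unquote(m["path"]))
        reasons = []
        if TRAVERSAL_TOKEN in path:
            reasons.append("tomcat_path_param_traversal")
        if WORKSPACE_PREFIX in path:
            reasons.append("workspace_endpoint")
        if reasons:
            findings.append({"ip": m["ip"], "ts": m["ts"], "status": int(m["status"]),
                             "path": m["path"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_LOG):
        print(f"{f['ts']} {f['ip']} {f['status']} {','.join(f['reasons'])} {f['path']}")
```

Any hit on an internet-facing device during the exploitation window should be escalated to the full forensic review the last bullet calls for, since a 200 response to a workspace request means the traversal reached the privileged endpoint.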
Key Details
| Property | Value |
|---|---|
| CVE ID | CVE-2020-5902 |
| Vendor / Product | F5 — BIG-IP |
| NVD Published | 2020-07-01 |
| NVD Last Modified | 2025-10-27 |
| CVSS 3.1 Score | 9.8 |
| CVSS 3.1 Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| Severity | CRITICAL |
| CWE | CWE-22 |
| CISA KEV Added | 2021-11-03 |
| CISA KEV Deadline | 2022-05-03 |
| Known Ransomware Use | ⚠️ Yes |
Timeline
| Date | Event |
|---|---|
| 2020-07-01 | F5 publishes patch and advisory (K52145254) |
| 2020-07-03 | Public PoC released; mass exploitation begins within 24 hours |
| 2020-07-09 | CISA issues emergency directive (ED 20-03) ordering federal agencies to patch |
| 2021-11-03 | Added to CISA Known Exploited Vulnerabilities catalog |
| 2022-05-03 | CISA BOD 22-01 remediation deadline |
References
| Resource | Type |
|---|---|
| F5 Security Advisory K52145254 | Vendor Advisory |
| NVD — CVE-2020-5902 | Vulnerability Database |
| CISA KEV Catalog Entry | US Government |
| BleepingComputer — F5 BIG-IP CVE-2020-5902 Exploitation | News |