This article is more than 1 year old

F5 emits fixes for critical flaws in BIG-IP gear: Hopefully yours aren't internet-facing while you ready a patch

Not to worry, there are only *searches* several thousand devices apparently exposed online

Network administrators are urged to patch their F5 BIG-IP application delivery controllers following the disclosure of a pair of critical remote takeover bugs.

The flaws in question, CVE-2020-5902 and CVE-2020-5903, lie within in a configuration tool known as the Traffic Management User Interface. Successful exploitation results in full admin control over the device.

In the case of CVE-2020-5902, the hole puts the equipment at risk of arbitrary code execution, while CVE-2020-5903 is a JavaScript-based cross-site-scripting vulnerability. CVE-2020-5902 has a CVSS score of 10 out of 10, which is not good, while CVE-2020-5903 has a lower, but still serious, score of 7.5.

"The attacker can create or delete files, disable services, intercept information, run arbitrary system commands and Java code, completely compromise the system, and pursue further targets, such as the internal network," said Mikhail Klyuchnikov of Positive Technologies who discovered and reported the vulnerabilities to F5.


Hold off that rush into the July 4 weekend – you may need this: Microsoft patches pwn-by-picture pitfalls in Win 10


"RCE in this case results from security flaws in multiple components, such as one that allows directory traversal exploitation."

These flaws are particularly bad because the vulnerable BIG-IP gear is generally used by large enterprises to handle traffic to and from critical applications. A successful attack could potentially be disastrous for Fortune 500 companies that make up F5's userbase.

Admins are advised to update their firmware as soon as possible. The flaws are present in BIG-IP versions 11 through 15, and the updated versions, released this week, are,,,, and BIG-IQ and Traffix SDC products are not vulnerable.

Fixing the bugs could be a bit of a pain, as the app delivery gear by definition sits in between critical application servers and users on the network, and patching could mean downtime. Those in the US might want to take advantage of the upcoming holiday weekend.

Ideally, the vulnerable traffic management interface is not exposed to the open internet. However, it is estimated more than 10,000 devices running the software could be facing the public web. Positive Technologies reckons that figure is at least 8,000. Gulp. ®

More about


Send us news

Other stories you might like