Proof-of-Concept (PoC) code was publicly released on July 5th for a vulnerability affecting F5 BIG-IP (CVE-2020-5902). The vulnerability was publicly disclosed by F5 last week but has become more critical due to recent public exploitation. If exploited, CVE-2020-5902 allows for Remote Code Execution (RCE) at the admin level. This level of access could be used to deploy malware or perform a wide variety of other malicious actions. Organizations using F5 BIG-IP are strongly advised to apply the official security patches as soon as possible.
What we’re doing about it
- Known malicious IP addresses have been added to the eSentire Blacklist
- MVS (formerly esRECON) has a local plugin to identify vulnerable devices
- Contact your eSentire representative to ensure configuration requirements are met
- eSentire security teams continue to track this topic for additional details and detection opportunities
What you should do about it
- After performing a business impact review, apply the official security patches provided by F5
- If patches cannot be applied, review and apply the temporary mitigations from F5
- Review network configuration of the BIG-IP device to ensure the TMUI is not internet facing
The vulnerability resides in an undisclosed page in the Traffic Management User Interface (TMUI), also known as the Configuration Utility. Attacks in the wild have reportedly exploited the vulnerability to deploy cryptocurrency miners. A major concern is that threat actor groups will exploit this vulnerability to distribute threats with a higher impact, such as ransomware.
The BIG-IP Traffic Management User Interface should not be exposed to the internet. Properly configuring the application will minimize the likelihood of a successful attack. Publicly exposed instances of BIG-IP are still common: searches via the IoT search engine Shodan show that over 8,000 instances were exposed at the time of writing.
Vulnerable versions of BIG-IP