Two days after patches for critical F5 BIG-IP vulnerability were released, security researchers have started publicly posting proof-of-concept (PoC) exploits show how easy it is to exploit these devices.
F5 customers using BIG-IP devices and solutions include governments, Fortune 500 firms, banks, Internet services providers, and many consumer brands, including Microsoft, Oracle, and Facebook.
On Friday, F5 disclosed that they released patches for a critical 10/10 CVSSv3 rating vulnerability tracked as CVE-2020-5902.
This vulnerability allows a remote attacker to access the Traffic Management User Interface (TMUI) of the BIG-IP application delivery controller (ADC) without authentication and perform remote code execution.
Exploiting a BIG-IP device would allow an attacker to gain full access to the system, export user credentials, and potentially traverse the device's internal network.
"This vulnerability allows for unauthenticated attackers, or authenticated users, with network access to the TMUI, through the BIG-IP management port and/or Self IPs, to execute arbitrary system commands, create or delete files, disable services, and/or execute arbitrary Java code. This vulnerability may result in complete system compromise. The BIG-IP system in Appliance mode is also vulnerable. This issue is not exposed on the data plane; only the control plane is affected," F5's advisory reads.