Admins Urged to Patch Critical F5 Flaw Under Active Attack

f5 big-ip security bug active exploit

Security experts and the U.S. Cyber Command are urging admins to update a critical flaw in F5 Networks, which is under active attack.

Security experts are urging companies to deploy an urgent patch for a critical vulnerability in F5 Networks’ networking devices, which is being actively exploited by attackers to scrape credentials, launch malware and more.

Last week, F5 Networks issued urgent patches for the critical remote code-execution flaw (CVE-2020-5902), which has a CVSS score of 10 out of 10. The flaw exists in the configuration interface of the company’s BIG-IP app delivery controllers, which are used for various networking functions, including app-security management and load-balancing. Despite a patch being available, Shodan shows almost 8,500 vulnerable devices are still available on the internet.

Not long after the flaw was disclosed, public exploits were made available for it, leading to mass scanning for vulnerable devices by attackers and ultimately active exploits. Researchers warn that they’ve seen attackers targeting the flaw over the weekend for various malicious activities, including launching Mirai variant DvrHelper, deploying cryptocurrency mining malware and scraping credentials “in an automated fashion.”

Rich Warren, principal security consultant for NCC Group, said Monday on Twitter that “as of this morning we are seeing an uptick in RCE attempts against our honeypots, using a combination of either the public Metasploit module, or similar via Python.”

The exploit of the flaw is trivial: Mikhail Klyuchnikov with Positive Technologies, who originally discovered the flaw, said that in order to exploit the vulnerability, an unauthenticated attacker would only need to send a specifically crafted HTTP request to the server hosting the Traffic Management User Interface (TMUI) utility for BIG-IP configuration.

“By exploiting this vulnerability, a remote attacker with access to the BIG-IP configuration utility could, without authorization, perform remote code execution (RCE1),” Klyuchnikov said. “The attacker can create or delete files, disable services, intercept information, run arbitrary system commands and Java code, completely compromise the system, and pursue further targets, such as the internal network.”

Vulnerable versions of BIG-IP (11.6.x, 12.1.x, 13.1.x, 14.1.x, 15.0.x, 15.1.x) should be updated to the corresponding fixed versions (,,,,, he said.

As more active exploits are detected in the wild, F5 Networks, the U.S. Cyber Command and Chris Krebs, director at the U.S. Cybersecurity and Infrastructure Security Agency (CISA), have all urged administrators to implement the offered fixes as soon as possible.

Another flaw was also fixed last week in BIG-IP that could allow an authenticated attacker to launch cross-site scripting attacks. The flaw (CVE-2020-5903) allows attackers to run malicious JavaScript code as a logged-in user.

F5 Networks previously dealt with security issues in 2019 when its VPN app (as well as ones built by Cisco, Palo Alto Networks and Pulse Secure) was discovered to improperly store authentication tokens and session cookies without encryption on a user’s computer.

BEC and enterprise email fraud is surging, but DMARC can help – if it’s done right. On July 15 at 2 p.m. ET, join Valimail Global Technical Director Steve Whittle and Threatpost for a FREE webinar, “DMARC: 7 Common Business Email Mistakes.” This technical “best practices” session will cover constructing, configuring, and managing email authentication protocols to ensure your organization is protected. Click here to register for this Threatpost webinar, sponsored by Valimail.

Suggested articles