PoC exploits released for F5 BIG-IP vulnerabilities, patch now!

Two days after patches for critical F5 BIG-IP vulnerability were released, security researchers have started publicly posting proof-of-concept (PoC) exploits show how easy it is to exploit these devices.

F5 customers using BIG-IP devices and solutions include governments, Fortune 500 firms, banks, Internet services providers, and many consumer brands, including Microsoft, Oracle, and Facebook.

On Friday, F5 disclosed that they released patches for a critical 10/10 CVSSv3 rating vulnerability tracked as CVE-2020-5902

This vulnerability allows a remote attacker to access the Traffic Management User Interface (TMUI) of the BIG-IP application delivery controller (ADC) without authentication and perform remote code execution.

Exploiting a BIG-IP device would allow an attacker to gain full access to the system, export user credentials, and potentially traverse the device’s internal network.

“This vulnerability allows for unauthenticated attackers, or authenticated users, with network access to the TMUI, through the BIG-IP management port and/or Self IPs, to execute arbitrary system commands, create or delete files, disable services, and/or execute arbitrary Java code. This vulnerability may result in complete system compromise. The BIG-IP system in Appliance mode is also vulnerable. This issue is not exposed on the data plane; only the control plane is affected,” F5’s advisory reads.

Due to the severity of this vulnerability, the US Cyber Command issued an alert strongly advising that users install the update and not postpone it until after the Fourth of July holidays.

US Cyber Command tweet

F5 BIG-IP PoC exploits released and actively used

Today, numerous researchers have started to publicly post exploits for the F5 BIG-IP CVE-2020-5902 vulnerability to illustrate how easy it is to exfiltrate data and execute commands on vulnerable devices.

Yorick tweet

Another researcher has created a GitHub repository that lists PoCs to perform various tasks such as displaying the /etc/passwd file to access stored credentials or to view the device’s configuration file.

NCC Group’s Rich Warren has already started to see remote attacks attempting to exploit F5 BIG-IP devices.

Warren Tweet

If you are using F5 BIG-IP devices on your network, you must patch your devices now.

BIG-IP versions vulnerable to attacks (11.6.x, 12.1.x, 13.1.x, 14.1.x, 15.0.x, 15.1.x) should be upgraded to a corresponding patched versions (,,,,

Cloud marketplaces (e.g., AWS, Azure, GCP, and Alibaba) users are advised to switch to BIG-IP Virtual Edition (VE) versions,,,,, or, if available.

Without a doubt, APT, state-sponsored actors, and ransomware operators will, if not already, use these vulnerabilities to try and breach your network. Patch now!


Next Post

Earthquakes trigger landslides. Can landslides also trigger earthquakes? | Science

Mon Jul 6 , 2020
Southern Taiwan was hit by thousands of landslides after Typhoon Morakot in 2009. POOL/REUTERS/Newscom By Katherine KorneiJul. 2, 2020 , 5:00 AM When the deadliest typhoon to hit Taiwan in modern history struck the island in 2009, it dumped 3 meters of rain in as many days, triggering thousands of […]