CVE-2020-5902 Explained: F5 BIG-IP TMUI Remote Code Execution
A CVSS 10.0 unauthenticated RCE in the F5 BIG-IP Traffic Management User Interface. Exploited within hours of advisory publication. Affects load balancers and application delivery controllers managing critical infrastructure traffic.

Founder & Cybersecurity Evangelist
CVE-2020-5902 is a maximum-severity (CVSS 10.0) remote code execution vulnerability in the Traffic Management User Interface (TMUI) of F5 BIG-IP — one of the most widely deployed application delivery controllers and load balancers in enterprise and government networks. The vulnerability was disclosed by F5 on July 1, 2020. Public exploit code appeared within hours, and active exploitation was confirmed the same day.
BIG-IP devices sit in the network path for a large portion of enterprise internet traffic. A compromise of BIG-IP provides access to SSL/TLS traffic decryption, load-balanced application traffic, and the internal network segments accessible from the device's management plane. Over 8,000 internet-exposed BIG-IP TMUI interfaces were identified in the days following disclosure.
How CVE-2020-5902 Achieves Unauthenticated RCE via Path Traversal
The F5 BIG-IP TMUI (Traffic Management User Interface) is a web-based management console running on BIG-IP devices. It is accessible over HTTPS on port 443 (or a custom port) on the management interface, and in some configurations on the self-IP addresses assigned to network interfaces.
CVE-2020-5902 is a path traversal and arbitrary command execution vulnerability in TMUI. Certain TMUI URIs intended for internal use — specifically those in the /tmui/util/ path — process requests without adequate authentication checks. By manipulating URL paths with traversal sequences and targeting the vulnerable utility endpoint, an unauthenticated attacker can access internal TMUI functions that execute operating system commands.
The vulnerable endpoint accepts a file parameter that specifies a JavaServer Pages (JSP) file to execute. By crafting a request that points this parameter at TMUI's built-in file manager or command execution utilities, an attacker achieves arbitrary OS command execution as root on the BIG-IP appliance.
Exploitation provides root-level access to the F5 TMOS (Traffic Management Operating System) — the Linux-based system underlying BIG-IP. From this position, an attacker can read SSL certificate private keys (enabling retrospective decryption of recorded traffic), modify load balancing rules to redirect traffic, intercept application traffic in transit, and pivot to internal network segments reachable from the device's network interfaces.
Affected versions include BIG-IP 15.0.0-15.1.0, 14.1.0-14.1.2.5, 13.1.0-13.1.3.3, 12.1.0-12.1.5.1, and 11.6.1-11.6.5.1.
Identify exposed TMUI interfaces
Scan for F5 BIG-IP TMUI login pages exposed on port 443 or 8443. The TMUI login page has distinctive F5 branding. Shodan indexed over 8,000 exposed instances in the days following disclosure.
Path traversal to vulnerable endpoint
Send an unauthenticated HTTP request to a crafted URL path that uses traversal sequences to reach the vulnerable TMUI utility endpoint, bypassing authentication checks applied to normal TMUI access.
Execute OS command
Invoke TMUI's built-in command execution capability through the unauthenticated endpoint, running arbitrary commands as root on the underlying TMOS Linux system.
Extract SSL private keys
Read SSL certificate private keys from the filesystem — enabling decryption of previously recorded or intercepted TLS traffic. This is particularly devastating for BIG-IP devices performing SSL offload for web applications.
Deploy implant and maintain access
Create persistent access via cron jobs, modified startup scripts, or network-accessible backdoors. Deploy data collection capabilities on the traffic path managed by the compromised BIG-IP.
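Detection for the traversal requests described in the mechanism section and in the "Path traversal to vulnerable endpoint" step above, as an added example that is not part of the original article or any F5 tooling. The log lines are constructed in Apache combined format; a BIG-IP's own httpd access log may use a different layout, so adjust LOG_RE before running it over real data.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (Apache combined format). They are not real
# BIG-IP logs; the httpd access log on a BIG-IP may use a different layout.
SAMPLE_LOG = """\
203.0.113.7 - - [02/Jul/2020:10:14:02 +0000] "GET /tmui/login.jsp HTTP/1.1" 200 5412 "-" "Mozilla/5.0"
203.0.113.9 - - [02/Jul/2020:10:14:05 +0000] "GET /tmui/login.jsp/../tmui/util/example.jsp?x=1 HTTP/1.1" 200 312 "-" "python-requests/2.23"
203.0.113.9 - - [02/Jul/2020:10:14:06 +0000] "GET /tmui/login.jsp/%2e%2e/tmui/util/example.jsp HTTP/1.1" 404 298 "-" "python-requests/2.23"
198.51.100.4 - - [02/Jul/2020:10:15:11 +0000] "GET /tmui/tmui/login/welcome.jsp HTTP/1.1" 200 8123 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
# A ".." segment followed by anything up to the next "/": catches plain "../" as well
# as encoded or suffixed variants that different components on the request path
# may normalise differently, which is why the raw and decoded forms are both checked.
TRAVERSAL_RE = re.compile(r'(?:\.\.|%2e%2e)[^/]*/', re.IGNORECASE)


def is_tmui_traversal(path):
    """True if the request path targets TMUI and contains a traversal segment."""
    decoded = unquote(path)
    if '/tmui/' not in decoded.lower():
        return False
    return bool(TRAVERSAL_RE.search(path) or TRAVERSAL_RE.search(decoded))


def scan_log(text):
    """Return (ip, status, path) for every suspicious request, oldest first."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m and is_tmui_traversal(m['path']):
            # A 200 on a traversal request deserves a closer look than a 404:
            # it suggests the back end actually served the internal endpoint.
            hits.append((m['ip'], int(m['status']), m['path']))
    return hits


if __name__ == '__main__':
    for ip, status, path in scan_log(SAMPLE_LOG):
        print(f'{ip} {status} {path}')
```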
Exploitation Activity and Nation-State Interest
Exploitation of CVE-2020-5902 began within hours of F5's advisory on July 1, 2020. By July 3, CISA, FBI, and multiple CERT organizations had issued warnings about active exploitation. By July 6, CISA issued a full advisory (AA20-206A) urging immediate patching.
Threat actors exploiting CVE-2020-5902 included opportunistic attackers deploying cryptominers and web shells, ransomware groups conducting initial reconnaissance and access establishment, and nation-state actors — with CISA specifically noting APT activity targeting TMUI interfaces.
The combination of BIG-IP's network position (handling SSL offload for sensitive applications) and its prevalence across government, financial services, and critical infrastructure made it a high-value intelligence collection target beyond its value as a ransomware initial access vector.
Bad Packets research identified automated exploitation scanning beginning within 24 hours of the advisory. Honeypots set up within that window received exploitation attempts, and multiple security firms confirmed live RCE against vulnerable instances in their research environments.
“An attacker who controls an F5 BIG-IP device controlling application traffic potentially has access to all traffic traversing that device, including data exchanged between users and the applications the device load-balances.”
— CISA Alert AA20-206A, July 2020
Patching and Securing F5 BIG-IP Against CVE-2020-5902
F5 released patches on July 1, 2020. Patching must be the immediate priority. The following additional controls harden BIG-IP management interfaces against exploitation.
Apply F5 security patches or upgrade BIG-IP immediately
Upgrade to BIG-IP 15.1.0.4, 14.1.2.6, 13.1.3.4, 12.1.5.2, or 11.6.5.2 depending on your version. For appliances where in-place upgrade is not immediately possible, apply F5's published mitigation configuration changes.
Restrict TMUI access to management networks only
BIG-IP TMUI should never be accessible from self-IP interfaces or from untrusted networks. Configure management port restrictions to limit TMUI access to dedicated management VLANs with access only from authorized management stations. This should have been configured at deployment.
Implement IP allowlisting for TMUI
Apply a restrictive IP allowlist to TMUI access, permitting only the specific IP addresses of authorized network administrators. F5 provides built-in management IP access controls in the TMOS configuration.
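An offline check for the two settings above (TMUI reachable from self IPs, and no source-IP allowlist on the management web server), as an added example that is not F5's tooling or code from the original article. The sample is a constructed, approximated rendering of `tmsh list /sys httpd allow` and `tmsh list /net self` output, so the regexes may need adjusting for real output; the remediation commands in the comments are the standard tmsh forms for restricting httpd access and self-IP port lockdown.

```python
import re

# Constructed, approximated tmsh output (`tmsh list /sys httpd allow` followed by
# `tmsh list /net self`). Layout is illustrative; real output may differ slightly.
SAMPLE_TMSH = """\
sys httpd {
    allow { all }
}
net self ext_self {
    address 192.0.2.10/24
    allow-service {
        default
    }
    vlan external
}
net self dmz_self {
    address 192.0.2.70/24
    allow-service {
        tcp:443
        udp:1026
    }
    vlan dmz
}
"""

HTTPD_ALLOW_RE = re.compile(r'sys httpd \{\s*allow \{([^}]*)\}', re.S)
SELF_RE = re.compile(r'net self (\S+) \{(.*?)\n\}', re.S)
SVC_RE = re.compile(r'allow-service (?:\{([^}]*)\}|(\S+))')
TMUI_SERVICES = {'default', 'all', 'tcp:443', 'tcp:https'}  # lockdown values that expose HTTPS


def self_ip_services(body):
    """Parse the allow-service (port lockdown) value of one self IP stanza."""
    m = SVC_RE.search(body)
    if not m:
        return set()
    return set(m.group(1).split()) if m.group(1) is not None else {m.group(2)}


def audit(text):
    """Return (object, problem) pairs for settings that leave TMUI exposed."""
    findings = []
    m = HTTPD_ALLOW_RE.search(text)
    if m and 'all' in m.group(1).split():
        # Fix: tmsh modify /sys httpd allow replace-all-with { <mgmt-subnet> }
        findings.append(('sys httpd', 'allow { all }: TMUI accepts connections from any source'))
    for name, body in SELF_RE.findall(text):
        exposed = self_ip_services(body) & TMUI_SERVICES
        if exposed:
            # Fix: tmsh modify /net self <name> allow-service none
            findings.append((f'net self {name}', f'port lockdown exposes {sorted(exposed)}'))
    return findings
```

Run `tmsh save /sys config` after applying either fix so the change survives a reboot.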
Check for web shells and unauthorized modifications
Search TMOS for unauthorized files in web-accessible directories. Check for modifications to startup scripts, cron jobs, and TMOS configuration files. Examine running processes for unexpected network listeners or connections.
Rotate SSL certificates if compromise is suspected
If the BIG-IP device handled SSL offload for any applications and compromise is suspected, treat all SSL private keys stored on the device as compromised. Revoke and reissue certificates. Assume that any historical SSL traffic recorded while the device was accessible could be decrypted retroactively.
The bottom line
CVE-2020-5902 demonstrates the catastrophic downside of exposing network infrastructure management interfaces to untrusted networks. BIG-IP devices perform SSL termination — they see decrypted application traffic. Compromising a BIG-IP is not like compromising a server; it is like compromising the wire that all traffic traverses, with the added capability to pivot into every internal network segment the device is connected to.
The exploitability of CVE-2020-5902 from a single unauthenticated HTTP request, combined with the network position of BIG-IP in many enterprise architectures, makes this vulnerability one of the most consequential of 2020 from a potential impact perspective.
Management interfaces for network infrastructure — load balancers, firewalls, VPN gateways, switches — must be treated as a separate security domain from application infrastructure. They require dedicated management networks, enforced source IP restrictions, MFA, and monitoring. The BIG-IP TMUI was internet-exposed at over 8,000 addresses because it was not configured with these controls. That configuration should never have existed.
Founder & Cybersecurity Evangelist, Decryption Digest