CVE-2020-5902

Known Exploited (CISA KEV)CRITICAL

9.8

CVSS Severity Score

EPSS Score64.9140%

EPSS Percentile90.40th

Published2020年7月1日

Last Modified2025年10月27日

Vulnerability Description

In BIG-IP versions 15.0.0-15.1.0.3, 14.1.0-14.1.2.5, 13.1.0-13.1.3.3, 12.1.0-12.1.5.1, and 11.6.1-11.6.5.1, the Traffic Management User Interface (TMUI), also referred to as the Configuration utility, has a Remote Code Execution (RCE) vulnerability in undisclosed pages.

Affected Platforms (CPE)

📦

Big Ip Access Policy Manager

>= 11.6.1 and < 11.6.5.2

📦

Big Ip Access Policy Manager

>= 12.1.0 and < 12.1.5.2

📦

Big Ip Access Policy Manager

>= 13.1.0 and < 13.1.3.4

📦

Big Ip Access Policy Manager

>= 14.1.0 and < 14.1.2.6

📦

Big Ip Access Policy Manager

>= 15.0.0 and <= 15.0.1.4

📦

Big Ip Access Policy Manager

>= 15.1.0 and < 15.1.0.4

📦

Big Ip Advanced Firewall Manager

>= 11.6.1 and < 11.6.5.2

📦

Big Ip Advanced Firewall Manager

>= 12.1.0 and < 12.1.5.2

📦

Big Ip Advanced Firewall Manager

>= 13.1.0 and < 13.1.3.4

📦

Big Ip Advanced Firewall Manager

>= 14.1.0 and < 14.1.2.6

📦

Big Ip Advanced Firewall Manager

>= 15.0.0 and < 15.0.1.4

📦

Big Ip Advanced Firewall Manager

>= 15.1.0 and < 15.1.0.4

📦

Big Ip Advanced Web Application Firewall

>= 11.6.1 and < 11.6.5.2

📦

Big Ip Advanced Web Application Firewall

>= 12.1.0 and < 12.1.5.2

📦

Big Ip Advanced Web Application Firewall

>= 13.1.0 and < 13.1.3.4

📦

Big Ip Advanced Web Application Firewall

>= 14.1.0 and < 14.1.2.6

📦

Big Ip Advanced Web Application Firewall

>= 15.0.0 and < 15.0.1.4

📦

Big Ip Advanced Web Application Firewall

>= 15.1.0 and < 15.1.0.4

📦

Big Ip Analytics

>= 11.6.1 and < 11.6.5.2

📦

Big Ip Analytics

>= 12.1.0 and < 12.1.5.2

📦

Big Ip Analytics

>= 13.1.0 and < 13.1.3.4

📦

Big Ip Analytics

>= 14.1.0 and < 14.1.2.6

📦

Big Ip Analytics

>= 15.0.0 and < 15.0.1.4

📦

Big Ip Analytics

>= 15.1.0 and < 15.1.0.4

📦

Big Ip Application Acceleration Manager

>= 11.6.1 and < 11.6.5.2

📦

Big Ip Application Acceleration Manager

>= 12.1.0 and < 12.1.5.2

📦

Big Ip Application Acceleration Manager

>= 13.1.0 and < 13.1.3.4

📦

Big Ip Application Acceleration Manager

>= 14.1.0 and < 14.1.2.6

📦

Big Ip Application Acceleration Manager

>= 15.0.0 and < 15.0.1.4

📦

Big Ip Application Acceleration Manager

>= 15.1.0 and < 15.1.0.4

📦

Big Ip Application Security Manager

>= 11.6.1 and < 11.6.5.2

📦

Big Ip Application Security Manager

>= 12.1.0 and < 12.1.5.2

📦

Big Ip Application Security Manager

>= 13.1.0 and < 13.1.3.4

📦

Big Ip Application Security Manager

>= 14.1.0 and < 14.1.2.6

📦

Big Ip Application Security Manager

>= 15.0.0 and < 15.0.1.4

📦

Big Ip Application Security Manager

>= 15.1.0 and < 15.1.0.4

📦

Big Ip Ddos Hybrid Defender

>= 11.6.1 and < 11.6.5.2

📦

Big Ip Ddos Hybrid Defender

>= 12.1.0 and < 12.1.5.2

📦

Big Ip Ddos Hybrid Defender

>= 13.1.0 and < 13.1.3.4

📦

Big Ip Ddos Hybrid Defender

>= 14.1.0 and < 14.1.2.6

📦

Big Ip Ddos Hybrid Defender

>= 15.0.0 and < 15.0.1.4

📦

Big Ip Ddos Hybrid Defender

>= 15.1.0 and < 15.1.0.4

📦

Big Ip Domain Name System

>= 11.6.1 and < 11.6.5.2

📦

Big Ip Domain Name System

>= 12.1.0 and < 12.1.5.2

📦

Big Ip Domain Name System

>= 13.1.0 and < 13.1.3.4

📦

Big Ip Domain Name System

>= 14.1.0 and < 14.1.2.6

📦

Big Ip Domain Name System

>= 15.0.0 and < 15.0.1.4

📦

Big Ip Domain Name System

>= 15.1.0 and < 15.1.0.4

📦

Big Ip Fraud Protection Service

>= 11.6.1 and < 11.6.5.2

📦

Big Ip Fraud Protection Service

>= 12.1.0 and < 12.1.5.2

📦

Big Ip Fraud Protection Service

>= 13.1.0 and < 13.1.3.4

📦

Big Ip Fraud Protection Service

>= 14.1.0 and < 14.1.2.6

📦

Big Ip Fraud Protection Service

>= 15.0.0 and < 15.0.1.4

📦

Big Ip Fraud Protection Service

>= 15.1.0 and < 15.1.0.4

📦

Big Ip Global Traffic Manager

>= 11.6.1 and < 11.6.5.2

📦

Big Ip Global Traffic Manager

>= 12.1.0 and < 12.1.5.2

📦

Big Ip Global Traffic Manager

>= 13.1.0 and < 13.1.3.4

📦

Big Ip Global Traffic Manager

>= 14.1.0 and < 14.1.2.6

📦

Big Ip Global Traffic Manager

>= 15.0.0 and < 15.0.1.4

📦

Big Ip Global Traffic Manager

>= 15.1.0 and < 15.1.0.4

📦

Big Ip Link Controller

>= 11.6.1 and < 11.6.5.2

📦

Big Ip Link Controller

>= 12.1.0 and < 12.1.5.2

📦

Big Ip Link Controller

>= 13.1.0 and < 13.1.3.4

📦

Big Ip Link Controller

>= 14.1.0 and < 14.1.2.6

📦

Big Ip Link Controller

>= 15.0.0 and < 15.0.1.4

📦

Big Ip Link Controller

>= 15.1.0 and < 15.1.0.4

📦

Big Ip Local Traffic Manager

>= 11.6.1 and < 11.6.5.2

📦

Big Ip Local Traffic Manager

>= 12.1.0 and < 12.1.5.2

📦

Big Ip Local Traffic Manager

>= 13.1.0 and < 13.1.3.4

📦

Big Ip Local Traffic Manager

>= 14.1.0 and < 14.1.2.6

📦

Big Ip Local Traffic Manager

>= 15.0.0 and < 15.0.1.4

📦

Big Ip Local Traffic Manager

>= 15.1.0 and < 15.1.0.4

📦

Big Ip Policy Enforcement Manager

>= 11.6.1 and < 11.6.5.2

📦

Big Ip Policy Enforcement Manager

>= 12.1.0 and < 12.1.5.2

📦

Big Ip Policy Enforcement Manager

>= 13.1.0 and < 13.1.3.4

📦

Big Ip Policy Enforcement Manager

>= 14.1.0 and < 14.1.2.6

📦

Big Ip Policy Enforcement Manager

>= 15.0.0 and < 15.0.1.4

📦

Big Ip Policy Enforcement Manager

>= 15.1.0 and < 15.1.0.4

📦

Ssl Orchestrator

>= 11.6.1 and < 11.6.5.2

📦

Ssl Orchestrator

>= 12.1.0 and < 12.1.5.2

📦

Ssl Orchestrator

>= 13.1.0 and < 13.1.3.4

📦

Ssl Orchestrator

>= 14.1.0 and < 14.1.2.6

📦

Ssl Orchestrator

>= 15.0.0 and < 15.0.1.4

📦

Ssl Orchestrator

>= 15.1.0 and < 15.1.0.4

References & Advisories

🔗 http://packetstormsecurity.com/files/158333/BIG-IP-TMUI-Remote-Code-Execution.html

🔗 http://packetstormsecurity.com/files/158334/BIG-IP-TMUI-Remote-Code-Execution.html

🔗 http://packetstormsecurity.com/files/158366/F5-BIG-IP-TMUI-Directory-Traversal-File-Upload-Code-Execution.html

🔗 http://packetstormsecurity.com/files/158414/Checker-CVE-2020-5902.html

🔗 http://packetstormsecurity.com/files/158581/F5-Big-IP-13.1.3-Build-0.0.6-Local-File-Inclusion.html

🔗 http://packetstormsecurity.com/files/175671/F5-BIG-IP-TMUI-Directory-Traversal-File-Upload-Code-Execution.html

🔗 https://badpackets.net/over-3000-f5-big-ip-endpoints-vulnerable-to-cve-2020-5902/

🔗 https://github.com/Critical-Start/Team-Ares/tree/master/CVE-2020-5902