Critical F5 Networks vulnerability under attack

A critical remote code execution vulnerability that was disclosed and patched just days ago is already being exploited by threat actors.

A critical remote code execution flaw in F5 Networks' BIG-IP devices that was disclosed last week is already under attack.

The F5 vulnerability, rated 10 out of 10 on the Common Vulnerability Scoring System (CVSS), affects the Traffic Management User Interface (TMUI) in a range of BIG-IP network devices. F5 disclosed the flaw, tracked as CVE-2020-5902, in an advisory on June 30 and released patches two days later. Over the holiday weekend, however, security researchers confirmed that the remote code execution flaw had become the target of threat actors.

Rich Warren, principal consultant at cybersecurity firm NCC Group, said via Twitter that his company observed exploitation of the F5 vulnerability on July 4. He also noted an "uptick" in activity Monday morning.

In a blog post Sunday, Troy Mursch, chief research officer for the Chicago-based security research company Bad Packets, said the company's honeypots detected mass scanning activity originating from multiple hosts targeting F5 BIG-IP servers vulnerable to CVE-2020-5902. In the end, more 1,800 F5 BIG-IP endpoints were discovered to be vulnerable to the flaw, which Mursch said already have publicly available proof-of-concept exploits on GitHub, Twitter and other platforms.

"This vulnerability allows for unauthenticated attackers with network access to the vulnerable F5 servers to execute arbitrary system commands, create or delete files, disable services, and/or execute arbitrary Java code," Mursch wrote in the blog post.

Originally, Bad Packets scanned 3,945 F5 BIG-IP servers and discovered a total of 1,832 unique IPv4 hosts worldwide were vulnerable. In addition, the scan found vulnerable hosts in 66 countries around the world, with the United States topping the chart. Affected organizations include government agencies, public schools and universities, hospitals and healthcare providers, major financial and banking institutions and Fortune 500 companies.

In addition to executing arbitrary commands, the vulnerability can "allow threat actors to gain a foothold inside the targeted networks and conduct malicious activity, such as spreading ransomware," Mursch wrote in the blog post.

According to the advisory from F5, which was updated on July 6, "this vulnerability may result in complete system compromise."

F5 recommended upgrading to a new software version to fully mitigate this vulnerability, though it also offered other mitigation options such as restricting access to BIG-IP devices over secure networks.

Positive Technologies researcher Mikhail Klyuchnikov, who discovered the F5 vulnerability, said in a blog post that most companies using BIG-IP devices do not allow access to the TMUI over the internet. However, he noted the flaw was "particularly dangerous" for organizations with BIG-IP interfaces that are publicly searchable with tools like SHODAN.

Dig Deeper on Application and platform security