CVE REFERENCE | CRITICAL VULNERABILITY
Active ThreatUpdated 9 min read

CVE-2020-5902 Explained: F5 BIG-IP TMUI Remote Code Execution

A CVSS 10.0 unauthenticated RCE in the F5 BIG-IP Traffic Management User Interface. Exploited within hours of advisory publication. Affects load balancers and application delivery controllers managing critical infrastructure traffic.

10.0
CVSS Score
None
Auth Required
8,000+
Exposed Devices
Hours
Time to Exploitation

SponsoredRetool

Retool's new app builder is where AI-generated code ships safely

Building apps with AI is easy. Getting them to production safely is another story.

Start building for free today

CVE-2020-5902 is a maximum-severity (CVSS 10.0) remote code execution vulnerability in the Traffic Management User Interface (TMUI) of F5 BIG-IP, one of the most widely deployed application delivery controllers and load balancers in enterprise and government networks. The vulnerability was disclosed by F5 on July 1, 2020. Public exploit code appeared within hours, and active exploitation was confirmed the same day.

BIG-IP devices sit in the network path for a large portion of enterprise internet traffic. A compromise of BIG-IP provides access to SSL/TLS traffic decryption, load-balanced application traffic, and the internal network segments accessible from the device's management plane. Over 8,000 internet-exposed BIG-IP TMUI interfaces were identified in the days following disclosure.

How CVE-2020-5902 Achieves Unauthenticated RCE via Path Traversal

The F5 BIG-IP TMUI (Traffic Management User Interface) is a web-based management console running on BIG-IP devices. It is accessible over HTTPS on port 443 (or a custom port) on the management interface, and in some configurations on the self-IP addresses assigned to network interfaces.

CVE-2020-5902 is a path traversal and arbitrary command execution vulnerability in TMUI. Certain TMUI URIs intended for internal use, specifically those in the /tmui/util/ path, process requests without adequate authentication checks. By manipulating URL paths with traversal sequences and targeting the vulnerable utility endpoint, an unauthenticated attacker can access internal TMUI functions that execute operating system commands.

The vulnerable endpoint accepts a file parameter that specifies a Java Server Pages file to execute. By crafting a request that points this parameter at TMUI's built-in file manager or command execution utilities, an attacker achieves arbitrary OS command execution as root on the BIG-IP appliance.

Exploitation provides root-level access to the F5 TMOS (Traffic Management Operating System), the Linux-based system underlying BIG-IP. From this position, an attacker can read SSL certificate private keys (enabling retrospective decryption of recorded traffic), modify load balancing rules to redirect traffic, intercept application traffic in transit, and pivot to internal network segments reachable from the device's network interfaces.

Affected versions include BIG-IP 15.0.0-15.1.0, 14.1.0-14.1.2.5, 13.1.0-13.1.3.3, 12.1.0-12.1.5.1, and 11.6.1-11.6.5.1.

1

Identify exposed TMUI interfaces

Scan for F5 BIG-IP TMUI login pages exposed on port 443 or 8443. The TMUI login page has distinctive F5 branding. Shodan indexed over 8,000 exposed instances in the days following disclosure.

2

Path traversal to vulnerable endpoint

Send an unauthenticated HTTP request to a crafted URL path that uses traversal sequences to reach the vulnerable TMUI utility endpoint, bypassing authentication checks applied to normal TMUI access.

3

Execute OS command

Invoke TMUI's built-in command execution capability through the unauthenticated endpoint, running arbitrary commands as root on the underlying TMOS Linux system.

4

Extract SSL private keys

Read SSL certificate private keys from the filesystem, enabling decryption of previously recorded or intercepted TLS traffic. This is particularly devastating for BIG-IP devices performing SSL offload for web applications.

5

Deploy implant and maintain access

Create persistent access via cron jobs, modified startup scripts, or network-accessible backdoors. Deploy data collection capabilities on the traffic path managed by the compromised BIG-IP.

Exploitation Activity and Nation-State Interest

Exploitation of CVE-2020-5902 began within hours of F5's advisory on July 1, 2020. By July 3, CISA, FBI, and multiple CERT organizations had issued warnings about active exploitation. By July 6, CISA issued a full advisory (AA20-206A) urging immediate patching.

Threat actors exploiting CVE-2020-5902 included opportunistic attackers deploying cryptominers and web shells, ransomware groups conducting initial reconnaissance and access establishment, and nation-state actors, with CISA specifically noting APT activity targeting TMUI interfaces.

The combination of BIG-IP's network position (handling SSL offload for sensitive applications) and its prevalence across government, financial services, and critical infrastructure made it a high-value intelligence collection target beyond its value as a ransomware initial access vector.

Bad Packets research identified automated exploitation scanning beginning within 24 hours of the advisory. Honeypots set up within that window received exploitation attempts, and multiple security firms confirmed live RCE against vulnerable instances in their research environments.

An attacker who controls an F5 BIG-IP device controlling application traffic potentially has access to all traffic traversing that device, including data exchanged between users and the applications the device load-balances.

CISA Alert AA20-206A, July 2020
Free daily briefing

Briefings like this, every morning before 9am.

Threat intel, active CVEs, and campaign alerts, distilled for practitioners. 50,000+ subscribers. No noise.

Patching and Securing F5 BIG-IP Against CVE-2020-5902

F5 released patches on July 1, 2020. Patching must be the immediate priority. The following additional controls harden BIG-IP management interfaces against exploitation.

Subscribe to unlock Remediation & Mitigation steps

Free subscribers unlock full IOC lists, Sigma detection rules, remediation steps, and every daily briefing.

The bottom line

CVE-2020-5902 demonstrates the catastrophic downside of exposing network infrastructure management interfaces to untrusted networks. BIG-IP devices perform SSL termination, they see decrypted application traffic. Compromising a BIG-IP is not like compromising a server; it is like compromising the wire that all traffic traverses, with the added capability to pivot into every internal network segment the device is connected to.

The exploitability of CVE-2020-5902 from a single unauthenticated HTTP request, combined with the network position of BIG-IP in many enterprise architectures, makes this vulnerability one of the most consequential of 2020 from a potential impact perspective.

Management interfaces for network infrastructure, load balancers, firewalls, VPN gateways, switches, must be treated as a separate security domain from application infrastructure. They require dedicated management networks, enforced source IP restrictions, MFA, and monitoring. The BIG-IP TMUI was internet-exposed at over 8,000 addresses because it was not configured with these controls. That configuration should never have existed.

This analysis is generic — the platform version scores threats like this against your own stack.

Frequently asked questions

What is CVE-2020-5902 and why is BIG-IP compromise particularly severe?

CVE-2020-5902 is a CVSS 10.0 unauthenticated RCE in the F5 BIG-IP Traffic Management User Interface (TMUI). A path traversal flaw in TMUI's URI handling allows an unauthenticated attacker to invoke built-in command execution utilities as root. BIG-IP compromise is uniquely severe because BIG-IP performs SSL offload, it decrypts HTTPS traffic, meaning an attacker with root access can extract SSL private keys and retroactively decrypt recorded traffic. BIG-IP also provides access to all internal network segments connected to its interfaces, making it an exceptional pivot point.

How do I fix CVE-2020-5902?

Upgrade BIG-IP to version 15.1.0.4, 14.1.2.6, 13.1.3.4, 12.1.5.2, or 11.6.5.2 depending on your version. If immediate upgrade is not possible, apply F5's published mitigation configuration that restricts access to the vulnerable TMUI URI paths. Restrict TMUI access to a dedicated management network with IP allowlisting, it should never be accessible from self-IP interfaces or untrusted networks. If compromise is suspected, rotate all SSL certificates stored on the device and audit TMOS for unauthorized files and cron job modifications.

How quickly was CVE-2020-5902 exploited after disclosure?

Exploitation began within hours of F5's July 1, 2020 advisory. Public exploit code appeared the same day. By July 3, CISA and FBI issued warnings. Honeypots set up after the advisory received exploitation attempts almost immediately. Bad Packets research confirmed automated exploitation scanning within 24 hours. CISA's July 6 advisory (AA20-206A) noted APT actors among those targeting TMUI interfaces, indicating sophisticated threat actors had weaponized the vulnerability alongside opportunistic attackers.

Why is BIG-IP compromise especially dangerous compared to a standard server compromise?

BIG-IP performs SSL/TLS termination for web applications, meaning it decrypts HTTPS traffic before forwarding it to backend servers. An attacker with root access to a BIG-IP device can extract the SSL private key from the filesystem, enabling retroactive decryption of any recorded HTTPS traffic that passed through the device. Additionally, BIG-IP sits at a central network choke point, with interfaces connected to multiple network segments (DMZ, internal, and external). Root access to BIG-IP provides a pivot point into all of those segments simultaneously, with visibility into application-layer traffic in transit.

How can I tell if my BIG-IP TMUI is exposed to the internet?

The TMUI is accessible on port 443 of the BIG-IP management IP address, and in some configurations on the self-IP addresses of network interfaces. Run a port scan or use Shodan's API to check whether your BIG-IP management IPs are accessible from the internet. Within F5 TMOS, verify management port settings with `tmsh show sys management-ip` and ensure the management interface's network access is restricted to trusted management subnets via access control lists. Any BIG-IP where TMUI is reachable from untrusted networks should be treated as an immediate misconfiguration requiring remediation regardless of patch status.

Which nation-state actors exploited CVE-2020-5902?

CISA's Alert AA20-206A (July 6, 2020) explicitly noted that advanced persistent threat actors were among those targeting internet-exposed BIG-IP TMUI interfaces. While CISA did not attribute specific nation-states in that advisory, subsequent analysis by multiple threat intelligence firms identified exploitation activity consistent with Chinese and Iranian APT groups, reflecting the high intelligence value of BIG-IP's network position for traffic interception and internal network access. Opportunistic actors deploying cryptominers and web shells were also confirmed, distinguishing mass exploitation from targeted APT activity occurring simultaneously.

Sources & references

  1. NVD
  2. F5 Security Advisory K52145254
  3. CISA Alert AA20-206A

Free resources

25
Free download

Critical CVE Reference Card 2025–2026

25 actively exploited vulnerabilities with CVSS scores, exploit status, and patch availability. Print it, pin it, share it with your SOC team.

No spam. Unsubscribe anytime.

Free download

Ransomware Incident Response Playbook

Step-by-step 24-hour IR checklist covering detection, containment, eradication, and recovery. Built for SOC teams, IR leads, and CISOs.

No spam. Unsubscribe anytime.

Free newsletter

Get threat intel before your inbox does.

50,000+ security professionals read Decryption Digest for early warnings on zero-days, ransomware, and nation-state campaigns. Free, daily, no spam.

Unsubscribe anytime. We never sell your data.

Eric Bang
Author

Founder & Cybersecurity Evangelist, Decryption Digest

Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals every morning.

Black Hat Giveaway

Win a $2,495 Black Hat pass.

Full-access to Black Hat USA 2026 in Las Vegas. Subscribe free to enter.

Joins Decryption Digest daily briefing. Unsubscribe anytime.

Related Questions: Answer Hub

Giveaway: Black Hat USA 2026 Full-Access Pass ($2,495 value)

Details →
Daily Briefing

Subscribe to enter the giveaway

Every subscriber is automatically entered. You also get daily threat intel every morning: zero-days, ransomware, and nation-state campaigns. Free. No spam.

Already subscribed? You're already entered.

Giveaway

Win a $2,495 Black Hat USA 2026 pass.