Protect Against the BIG-IP TMUI Vulnerability CVE-2020-5902

F5 disclosed a critical remote code execution (RCE) vulnerability (CVE-2020-5902) on June 30th, 2020 that affects several versions of BIG-IP. This RCE vulnerability allows attackers, or any user with remote access to the Traffic Management User Interface (TMUI), to remotely execute system commands.

If your BIG-IP has its TMUI exposed to the Internet and is not running an updated version of the software, it may already be compromised, and you should follow your internal incident response procedures.

 

Because of the severity of this vulnerability, we recommend immediately installing the latest version in order to protect your BIG-IP.

Do I need to update my system?


If you cannot immediately update your BIG-IP, we advise you to:

  1. Ensure that TMUI is not openly accessible from the Internet.
  2. Limit access to TMUI for all users.
  3. Apply the latest additional protection recommendations offered in our security advisory.
    Please note that these additional protection recommendations will continue to be updated as new threat vectors are discovered.

See Affected Versions and Get Update Recommendations

Read the security advisory ›

Configure Your BIG-IP System to Protect Against CVE-2020-5902

Learn how ›

BIG-IP Vulnerability CVE-2020-5902

Get the Basics on CVE-2020-5902

The F5 Security Advisory outlines the details of the Traffic Management User Interface (TMUI) vulnerability and how to protect against it.

Watch the video ›

Indicators of Compromise

Is My System Compromised?

Learn how to check for CVE-2020-5902 indicators of compromise (IoCs).

Watch the video ›

Get the IoC detection script on Github ›

Q&A with F5 BIG-IP Platform Security Experts

Watch a panel of F5 security technologists answer your questions and deliver additional information about this vulnerability.

Watch the video ›

Get the official and comprehensive list of questions and answers ›

Automating Software Updates with BIG-IQ or Ansible

DevCentral Connects

Automating Updates with BIG-IQ or Ansible

Watch the video ›

Get the playbook on Github ›

How to Upgrade Managed Devices to New Versions of TMOS with BIG-IQ

How to series

How to Update Managed Devices to New Versions of TMOS with BIG-IQ

Watch the video ›

How to Run Bash Scripts on Devices that BIG-IQ Manages

How to series

Watch the video ›

How to Update BIG-IP Software with an Ansible Playbook

How to series

Watch the video ›

Get the playbook on Github ›

We can help

Security Incident Response Team

We're ready to help when you need us.

Security Best Practices

Here’s what to do if you suspect your BIG-IP system is compromised.

Stay Updated

Subscribe to security and software release notifications from F5.