CVE 2020-5902

Scenario: You’re scanning a corporate perimeter and find an HTTP server responding with “Configuration utility” and links referencing TMUI.
Question:
Which initial action most likely leads to a reachable attack surface for CVE-2020-5902 exploitation?
A) Brute forcing SSH keys.
B) Sending crafted HTTP requests to TMUI pages.
C) Trying to upload a theme via WordPress.
D) Scanning SMB shares.
Scenario: A pentester finds that TMUI is exposed but requires credentials for some pages. A few endpoints return content without login.
Question:
What authentication model best describes the exploitable interface for CVE-2020-5902?
A) Strong mutual TLS required.
B) Per-endpoint auth, with some TMUI endpoints reachable unauthenticated.
C) Kerberos only.
D) OAuth2 with short tokens.
Scenario: A PoC sends a specially crafted HTTP request that returns file contents and allows command invocation.
Question:
Which primitive is central to CVE-2020-5902 exploitation?
A) SQL injection into backend DB.
B) Remote command execution via TMUI request parsing.
C) DOM XSS within admin GUI.
D) Local privilege escalation via kernel exploit.
Scenario: During enumeration you want a fast, low-noise indicator that a target might be vulnerable.
Question:
Which check is efficient?
A) Attempt to login with default admin:admin.
B) Request TMUI path and look for an HTTP response that includes “TMUI” or the configuration utility banner.
C) Submit a large file upload to /upload.
D) DNS zone transfer attempt.
Scenario: You report a successful RCE on a perimeter BIG-IP appliance.
Question:
What immediate risk is highest for the org?
A) Website color/theme change only.
B) Full network traffic interception, credential harvesting, and lateral movement.
C) Loss of single CMS blog post.
D) Minor logging anomalies only.
Scenario: Your SOC wants a detection signature to catch CVE-2020-5902 exploitation attempts.
Question:
Which is the most useful indicator?
A) Outbound DNS queries to known IoC domains.
B) HTTP requests with unusual query payloads targeting TMUI paths (configuration utility endpoints) or requests exhibiting shell-like characters in parameters.
C) High CPU usage on web servers.
D) Email bounce-backs.
Scenario: Emergency response: org cannot patch immediately.
Question:
Which mitigation is recommended to reduce exposure?
A) Take the appliance offline / restrict TMUI access to trusted management network only; apply WAF rule to block TMUI exploit patterns.
B) Increase web server timeout only.
C) Disable HTTPS and force HTTP.
D) Reboot the appliance hourly.
Scenario: You need to build a CTF lab that emulates CVE-2020-5902 for exploitation practice without using actual BIG-IP code.
Question:
Which approach best simulates the vulnerability?
A) Create a vulnerable web app that exposes a /tmui/* endpoint that parses a parameter unsafely and executes it on the host (sandboxed).
B) Run an off-the-shelf LAMP stack with default settings.
C) Deploy WordPress and add the vulnerable plugin.
D) Set up an FTP server.
Scenario: Evaluate the impact of post-exploitation actions following command execution on an emulated TMUI system.
Question:
After exploiting an emulated TMUI and obtaining command execution, which realistic post-exploit action demonstrates full impact on a network level for scoring?
A) Change local wallpaper.
B) Install a persistent listener that can modify or forward HTTP traffic (simulating MITM of downstream hosts) and export admin credentials.
C) Delete temporary files only.
D) Add a new user with low privileges only.
Scenario: You find a vulnerable BIG-IP device belonging to a client.
Question:
Which combined remediation path is correct and responsible?
A) Immediately notify affected parties, isolate the device from public networks, apply F5 vendor patches or vendor-recommended mitigations, and validate with IDS/WAF rules.
B) Publish the IP on social media to get attention.
C) Ignore it until it becomes critical.
D) Change the hostname only.