CVE-2020-5902
CVE-2020-5902 is a critical-severity vulnerability in F5 Big-ip Access Policy Manager with a CVSS 3.x base score of 9.8. It is listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, confirming it has been exploited in the wild (added 2021-11-03). The underlying weakness is classified as CWE-22.
Key facts
- Severity: Critical (CVSS 3.x base score 9.8)
- CVSS v2: 10.0
- EPSS exploit prediction: 100% (100th percentile)
- Actively exploited: Yes — listed in CISA KEV (added 2021-11-03)
- EU (EUVD) id: EUVD-2020-27056
- EU exploitation: Flagged exploited in the ENISA EU Vulnerability Database (since 2021-11-03)
- Weakness: CWE-22
- Affected product: F5 Big-ip Access Policy Manager
- Published:
- Last modified:
Description
In BIG-IP versions 15.0.0-15.1.0.3, 14.1.0-14.1.2.5, 13.1.0-13.1.3.3, 12.1.0-12.1.5.1, and 11.6.1-11.6.5.1, the Traffic Management User Interface (TMUI), also referred to as the Configuration utility, has a Remote Code Execution (RCE) vulnerability in undisclosed pages.
CVE-2020-5902: F5 BIG-IP TMUI Path Traversal Leading to Remote Code Execution
AI-generated analysis based on the vulnerability data on this page.
| Field | Value |
|---|---|
| CVE ID | CVE-2020-5902 |
| CWE | CWE-22: Improper Limitation of a Pathname to a Restricted Directory (Path Traversal) |
| CVSS v3 | 9.8 (CRITICAL) — CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| CVSS v2 | 10.0 — AV:N/AC:L/Au:N/C:C/I:C/A:C |
| EPSS | 0.99999 (100th percentile) |
| KEV | Yes — added 2021-11-03 |
| EU Exploited | Yes — EUVD-2020-27056, since 2021-11-03 |
| Assigner | [email protected] |
| Published | 2020-07-01 |
| Last Modified | 2026-06-17 |
Summary
CVE-2020-5902 is a critical unauthenticated remote code execution vulnerability in the F5 BIG-IP Traffic Management User Interface (TMUI), also known as the Configuration utility. The flaw is rooted in a path traversal weakness (CWE-22) within undisclosed pages of the TMUI. An attacker can leverage this directory traversal to access restricted files and, under certain conditions, achieve remote code execution on the underlying system. The vulnerability requires no authentication, has low attack complexity, and is exploitable over the network, making it one of the most severe and widely exploited infrastructure vulnerabilities of 2020.
Background
F5 BIG-IP is a widely deployed family of application delivery and security platforms used by enterprises and service providers to manage traffic, load balancing, SSL offloading, web application firewalling, and access policy enforcement. The TMUI is the web-based administrative interface used to configure and monitor BIG-IP devices. Because it is typically exposed to network segments where administrators operate, any unauthenticated vulnerability in this interface represents a severe risk to the confidentiality, integrity, and availability of not only the BIG-IP appliance but also the applications and services it fronts.
Root Cause
The vulnerability is classified under CWE-22: Improper Limitation of a Pathname to a Restricted Directory (Path Traversal). The TMUI fails to adequately sanitize user-supplied path components in requests to certain internal endpoints. This allows an attacker to inject directory traversal sequences (such as ../ or equivalent encoded forms) to escape the intended web root and access files or functionality outside the restricted scope. In the context of the TMUI's architecture, this path traversal can be chained with other application behaviors to read arbitrary files from the filesystem or trigger server-side processing that leads to remote code execution. The vulnerability is present in the TMUI's handling of requests to undisclosed pages that trust client-supplied path data without proper validation or canonicalization.
Impact
The CVSS v3 score of 9.8 and CVSS v2 score of 10.0 reflect the maximum possible severity:
- Network Attack Vector (AV:N): The vulnerability is exploitable remotely over the network.
- Low Attack Complexity (AC:L): No special conditions or advanced techniques are required.
- No Privileges Required (PR:N): The attacker does not need any account or credentials.
- No User Interaction (UI:N): The attack can be fully automated without victim interaction.
- Complete Confidentiality, Integrity, and Availability Impact: Successful exploitation grants the attacker the ability to read sensitive data, modify system configurations, and execute arbitrary commands, effectively compromising the entire appliance.
Because BIG-IP devices often sit at the edge of networks and process sensitive traffic, a successful attack can pivot to backend applications, decrypt TLS traffic, or disrupt service availability at scale.
Exploitation Walkthrough
Ethics and Legal Notice: The following is a generic, defensive description of the attack mechanism. No weaponized exploit code is provided. Testing for this vulnerability on systems you do not own or have explicit permission to test is illegal and unethical.
The exploitation generally follows these stages:
- Reconnaissance: The attacker identifies a BIG-IP device with an exposed TMUI (typically over HTTPS on port 443 or port 8443).
- Path Traversal Probe: The attacker sends a crafted HTTP request to a TMUI endpoint that embeds directory traversal sequences in the URL path or parameters. The application fails to normalize the path, allowing access to restricted backend resources.
- File Access: The attacker may use the traversal to read sensitive files from the BIG-IP filesystem, such as configuration files, SSL certificates, or password hashes, which can be used for further compromise.
- Code Execution: By chaining the traversal with TMUI-specific endpoints that allow file uploads or script execution, the attacker can achieve remote code execution on the host operating system.
Because the attack is unauthenticated and network-accessible, mass-scanning campaigns and automated exploitation were observed in the wild shortly after disclosure.
Affected and Patched Versions
The following BIG-IP version ranges are affected according to the official source data:
- 15.x: 15.0.0 through 15.1.0.3
- 14.x: 14.1.0 through 14.1.2.5
- 13.x: 13.1.0 through 13.1.3.3
- 12.x: 12.1.0 through 12.1.5.1
- 11.x: 11.6.1 through 11.6.5.1
Affected modules include BIG-IP Access Policy Manager, Advanced Firewall Manager, Advanced Web Application Firewall, Analytics, Application Acceleration Manager, Application Security Manager, DDoS Hybrid Defender, DNS, Fraud Protection Service, Global Traffic Manager, Link Controller, Local Traffic Manager, Policy Enforcement Manager, and SSL Orchestrator.
Patched Versions: The source data does not enumerate specific fixed releases. Administrators should consult F5 security advisory K52145254 for the definitive list of patched versions and available hotfixes.
Remediation
- Upgrade Immediately: Apply the patched software versions or hotfixes provided by F5 for your specific BIG-IP branch. Prioritize any TMUI interfaces exposed to untrusted networks.
- Restrict Network Access: Limit TMUI access to dedicated management interfaces and restrict source IP addresses to trusted administrative hosts only. Do not expose the TMUI to the public internet.
- Implement Firewall Rules: Use upstream firewalls or ACLs to block unauthorized access to the TMUI ports from external or untrusted network segments.
- Monitor for Compromise: Review BIG-IP device logs for unauthorized access, unexpected file modifications, or new administrative accounts. Scan for indicators of compromise (IoCs) published by F5 and security researchers.
- Compensating Controls: If patching is delayed, consider disabling the TMUI temporarily (if operationally feasible) or placing the device behind a strict reverse proxy with path-filtering rules to block known traversal patterns. Note that this is a temporary measure and does not replace patching.
Detection
Defenders can detect exploitation and post-exploitation activity through several methods:
- Web Server Logs: Look for HTTP requests to TMUI endpoints containing unusual path sequences, encoded traversal characters, or unexpected access to internal JSP pages.
- Network Traffic Monitoring: Alert on inbound HTTP/HTTPS requests to the TMUI from unexpected source IPs or geolocations.
- File Integrity Monitoring: Monitor critical system files and TMUI directories for unauthorized modifications.
- Threat Intelligence: Leverage IoCs published by F5, CISA, and security vendors that identify known exploit tools and scanning behaviors associated with CVE-2020-5902.
- Endpoint/Host Detection: Monitor the BIG-IP underlying system for unusual process execution, outbound network connections, or file creation events.
Assessment
CVE-2020-5902 is an exceptionally high-risk vulnerability. The EPSS score of 0.99999 places it in the 100th percentile, indicating near-certain probability of active exploitation. Its inclusion in the CISA Known Exploited Vulnerabilities (KEV) catalog and the EU Exploited Vulnerabilities Database (EUVD-2020-27056) confirms that it has been weaponized in real-world attacks. The ransomware association (per source metadata) further underscores the severity, as compromised BIG-IP devices can be used to decrypt traffic, move laterally, or disrupt operations.
Key Lessons:
- Administrative Interfaces Are High-Value Targets: Exposing management UIs like TMUI to broad network ranges, even internally, creates a large attack surface. Strict network segmentation and IP restriction are essential.
- Path Traversal Can Escalate Quickly: What begins as a simple directory traversal (CWE-22) can escalate to full remote code execution when combined with application-specific functionality. Secure coding practices—especially rigorous path canonicalization and input validation—are critical in web-based management tools.
References
- https://support.f5.com/csp/article/K52145254
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2020-5902
- https://www.kb.cert.org/vuls/id/290915
- https://swarm.ptsecurity.com/rce-in-f5-big-ip/
- https://www.criticalstart.com/f5-big-ip-remote-code-execution-exploit/
- https://badpackets.net/over-3000-f5-big-ip-endpoints-vulnerable-to-cve-2020-5902/
- https://github.com/Critical-Start/Team-Ares/tree/master/CVE-2020-5902
- http://packetstormsecurity.com/files/158333/BIG-IP-TMUI-Remote-Code-Execution.html
- http://packetstormsecurity.com/files/158366/F5-BIG-IP-TMUI-Directory-Traversal-File-Upload-Code-Execution.html
Frequently asked questions
- What is CVE-2020-5902?
- In BIG-IP versions 15.0.0-15.1.0.3, 14.1.0-14.1.2.5, 13.1.0-13.1.3.3, 12.1.0-12.1.5.1, and 11.6.1-11.6.5.1, the Traffic Management User Interface (TMUI), also referred to as the Configuration utility, has a Remote Code Execution (RCE) vulnerability in undisclosed pages.
- How severe is CVE-2020-5902?
- CVE-2020-5902 has a CVSS 3.x base score of 9.8, rated critical severity. It is exploitable over network with low attack complexity, requires no privileges and no user interaction. Impact on confidentiality is high, integrity high, and availability high.
- Is CVE-2020-5902 being actively exploited?
- Yes. CVE-2020-5902 is on CISA's Known Exploited Vulnerabilities (KEV) catalog, added on 2021-11-03, which means active exploitation has been confirmed. It should be prioritised for remediation.
- What products are affected by CVE-2020-5902?
- CVE-2020-5902 primarily affects F5 Big-ip Access Policy Manager. In total, 14 product configurations (CPEs) are listed as vulnerable; see the affected-products list for the exact versions.
- How do I fix CVE-2020-5902?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Because this CVE is known to be actively exploited, treat remediation as urgent — CISA KEV typically sets a short remediation deadline.
- Does CVE-2020-5902 have an EU (EUVD) identifier?
- Yes. CVE-2020-5902 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2020-27056. It is also flagged as exploited in the EUVD (since 2021-11-03).
- When was CVE-2020-5902 published?
- CVE-2020-5902 was published on 2020-07-01 and last updated on 2026-06-17.
References
- http://packetstormsecurity.com/files/158333/BIG-IP-TMUI-Remote-Code-Execution.html
- http://packetstormsecurity.com/files/158334/BIG-IP-TMUI-Remote-Code-Execution.html
- http://packetstormsecurity.com/files/158366/F5-BIG-IP-TMUI-Directory-Traversal-File-Upload-Code-Execution.html
- http://packetstormsecurity.com/files/158414/Checker-CVE-2020-5902.html
- http://packetstormsecurity.com/files/158581/F5-Big-IP-13.1.3-Build-0.0.6-Local-File-Inclusion.html
- http://packetstormsecurity.com/files/175671/F5-BIG-IP-TMUI-Directory-Traversal-File-Upload-Code-Execution.html
- https://badpackets.net/over-3000-f5-big-ip-endpoints-vulnerable-to-cve-2020-5902/
- https://github.com/Critical-Start/Team-Ares/tree/master/CVE-2020-5902
- https://support.f5.com/csp/article/K52145254
- https://swarm.ptsecurity.com/rce-in-f5-big-ip/
- https://www.criticalstart.com/f5-big-ip-remote-code-execution-exploit/
- https://www.kb.cert.org/vuls/id/290915
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2020-5902
Affected products (14)
- cpe:2.3:a:f5:big-ip_access_policy_manager:*:*:*:*:*:*:*:*
- cpe:2.3:a:f5:big-ip_advanced_firewall_manager:*:*:*:*:*:*:*:*
- cpe:2.3:a:f5:big-ip_advanced_web_application_firewall:*:*:*:*:*:*:*:*
- cpe:2.3:a:f5:big-ip_analytics:*:*:*:*:*:*:*:*
- cpe:2.3:a:f5:big-ip_application_acceleration_manager:*:*:*:*:*:*:*:*
- cpe:2.3:a:f5:big-ip_application_security_manager:*:*:*:*:*:*:*:*
- cpe:2.3:a:f5:big-ip_ddos_hybrid_defender:*:*:*:*:*:*:*:*
- cpe:2.3:a:f5:big-ip_domain_name_system:*:*:*:*:*:*:*:*
- cpe:2.3:a:f5:big-ip_fraud_protection_service:*:*:*:*:*:*:*:*
- cpe:2.3:a:f5:big-ip_global_traffic_manager:*:*:*:*:*:*:*:*
- cpe:2.3:a:f5:big-ip_link_controller:*:*:*:*:*:*:*:*
- cpe:2.3:a:f5:big-ip_local_traffic_manager:*:*:*:*:*:*:*:*
- cpe:2.3:a:f5:big-ip_policy_enforcement_manager:*:*:*:*:*:*:*:*
- cpe:2.3:a:f5:ssl_orchestrator:*:*:*:*:*:*:*:*
More vulnerabilities in F5 Big-ip Access Policy Manager
- CVE-2023-41373 — Critical (CVSS 9.9): A directory traversal vulnerability exists in the BIG-IP Configuration Utility that may allow an authenticated attacker…
- CVE-2021-22987 — Critical (CVSS 9.9): On BIG-IP versions 16.0.x before 16.0.1.1, 15.1.x before 15.1.2.1, 14.1.x before 14.1.4, 13.1.x before 13.1.3.6, 12.1.x…
- CVE-2025-53521 — Critical (CVSS 9.8): When a BIG-IP APM access policy is configured on a virtual server, specific malicious traffic can lead to Remote Code…
- CVE-2023-46747 — Critical (CVSS 9.8): Undisclosed requests may bypass configuration utility authentication, allowing an attacker with network access to the…
- CVE-2022-1388 — Critical (CVSS 9.8): On F5 BIG-IP 16.1.x versions prior to 16.1.2.2, 15.1.x versions prior to 15.1.5.1, 14.1.x versions prior to 14.1.4.6,…
- CVE-2021-23008 — Critical (CVSS 9.8): On version 15.1.x before 15.1.3, 14.1.x before 14.1.4, 13.1.x before 13.1.4, 12.1.x before 12.1.6, and all versions of…
All CVEs affecting F5 Big-ip Access Policy Manager →
Other CWE-22 (Path Traversal) vulnerabilities
- CVE-2026-48282 — Critical (CVSS 10.0): ColdFusion versions 2025.9, 2023.20 and earlier are affected by an Improper Limitation of a Pathname to a Restricted…
- CVE-2026-54917 — Critical (CVSS 10.0): SeaweedFS is a distributed storage system for object storage (S3), file systems, and Iceberg tables. Prior to 4.30, the…
- CVE-2026-11429 — Critical (CVSS 10.0): Two endpoints in the Vault Service ScriptsController, shared by Altium Enterprise Server and Altium 365, accept file…
- CVE-2026-34909 — Critical (CVSS 10.0): A malicious actor with access to the network could exploit a Path Traversal vulnerability found in UniFi OS devices to…
- CVE-2026-7411 — Critical (CVSS 10.0): In Eclipse BaSyx Java Server SDK versions prior to 2.0.0-milestone-10, inadequate path normalization in the Submodel…
- CVE-2026-36767 — Critical (CVSS 10.0): A path traversal vulnerability in the /content/images/add endpoint of shopizer v3.2.5 allows attackers write arbitrary…