Pentest training specialists report the finding of a critical vulnerability in the BIG-IP product branch of the tech company F5 Networks, specializing in application services and application delivery networks. According to the report, successful exploitation of this flaw would allow code execution on the affected system.
The products affected by this flaw are: BIG-IP LTM, BIG-IP AFM, BIG-IP Analytics, BIG-IP APM, BIG-IP ASM, BIG-IP FPS, BIG-IP GTM, BIG-IP PEM, BIG-IP AAM, BIG-IP DNS and BIG-IP Link Controller. Below is a brief overview of the reported flaw in addition to its score and tracking key based on the Common Vulnerability Scoring System (CVSS).
Tracked as CVE-2020-5902, this flaw exists due to insufficient input validation on unreleased pages in the Traffic Management User Interface (TMUI), which would lead to the execution of arbitrary shell commands on the target system.
Pentest training experts mention that an unauthenticated threat actor could pass specially designed data to the application to complete the attack. Successful exploitation of this vulnerability can result in a total commitment of the vulnerable system.
Although the flaw received a score of 8.5/10 and can be exploited remotely by unauthenticated threat actors, no exploit attempts have been detected in real-world scenarios. Pentest training experts have also not detected any useful malware variants to trigger the attack.
The flaw has already been fixed, so F5 recommends users to verify their correct installation. The full list of vulnerable products is available on the manufacturer’s website.
For further reports on vulnerabilities, exploits, malware variants and computer security risks, it is recommended to enter the website of the International Institute of Cyber Security (IICS), as well as the official platforms of technology companies.
He is a well-known expert in mobile security and malware analysis. He studied Computer Science at NYU and started working as a cyber security analyst in 2003. He is actively working as an anti-malware expert. He also worked for security companies like Kaspersky Lab. His everyday job includes researching about new malware and cyber security incidents. Also he has deep level of knowledge in mobile security and mobile vulnerabilities.