Tuesday 8th December 2020

12 Vulnerabilities of Christmas- CVE -2020-5902

The Twelve Days of Christmas commemorates a series of increasingly extravagant gifts given during the festive period. To mark the advent of Christmas and the end of a turbulent year, our analysts have looked at some of the biggest gifts to cyber threat actors in 2020, in terms of the vulnerabilities (also known as CVEs, which stands for Common Vulnerabilities and Exposures), that they have been able to exploit. Instead of gold rings, maids-a-milking and turtle doves, we look at remote code execution, privilege escalation and lateral movement. 

We have selected each of our Twelve vulns of Christmas on the basis of their Orpheus Vulnerability Score (OVS), so many of these have scores of or close to the maximum of 100. An OVS provides additional context on the threat and impact associated with particular CVEs, building upon the vulnerability information that is provided as part of the CVSS (Common Vulnerabilities Scoring System) score. More information on how we calculate OVSs is available here

CVE-2020-5902 in F5’s BIG-IP earned a maximum OVS score of 100 when it was disclosed in July. As part of our 12 Vulns of Christmas series, this piece examines why the vulnerability carried such a high risk.

CVE-2020-5902 is a severe vulnerability affecting F5’s BIG-IP products by allowing threat actors to achieve Remote Code Execution (RCE) via command injection. The vulnerability affects the Traffic Management User Interface (TMUI) component of BIG-IP. It was disclosed on 1 July, 2020 by F5. A Metasploit module allowing threat actors to easily exploit the vulnerability was published on the same day, which contributed to extensive exploitation in the wild in the following days.

As with yesterday’s analysis of BlueKeep, researchers have found that early exploitation of CVE-2020-5902 was primarily by cybercriminals looking to deploy crypto-mining malware. This reaffirms that threat actors looking to use the exploit shortly after publication are likely to have opportunistic goals which do not require longer planning or reconnaissance. In contrast, more sophisticated cybercriminal groups and state actors, who have more refined and specific targeting rationales, will have to be more selective with their targets. Nevertheless, the potential access that exploitation of the vulnerability provides and its ease of exploit have contributed to its OVS score of 100, further highlighting the need for organisations to develop a prioritized approach to vulnerability management.

Interest amongst threat actors was high upon publication of the vulnerability, as cybercriminals on underground hacking forums started discussing techniques to enumerate and exploit vulnerable instances. The following post from 11 July on a Russian-speaking forum discusses “Google Dorking” techniques to find vulnerable BIG-IP servers indexed by the search engine:

Figure 1: Cybercriminals discussing CVE 2020-5902 on a Russian-speaking underground forum


This score for CVE-2020-5902 is particularly significant to large organisations, as F5 advertises that “48 of the Fortune 50” rely on F5 products including BIG-IP, in addition to many government agencies also relying on vulnerable products.

Regarding exploitation of the vulnerability by sophisticated threat actors, CISA released a security advisory shortly after publication of the vulnerability warning against threat actor exploitation of the vulnerability targeting US “federal departments and agencies”. The FBI followed up shortly after in early August by issuing a notification that it detected Iranian threat actors attempting to exploit the vulnerability since July. Further reports from security researchers confirmed that Iranian threat actor Pioneer Kitten had been observed exploiting the vulnerability to achieve initial compromise on their targets, and had begun selling access to compromised networks on dark web forums. This provides further insight into the value of such vulnerabilities and associated exploits, which enables both sophisticated and unsophisticated to target vulnerable organisations and rapidly gain initial access to corporate networks through RCE.

Despite the fact that F5 had released mitigation advice against the vulnerability and had issued a security patch allegedly fixing the issue, researchers have claimed that threat actors have been able to bypass official mitigations, indicating that organisations were required to take further action to harden their BIG-IP deployments. We recommend the following mitigation strategies as provided by CISA and other actors:

  • Update BIG-IP deployments to the latest versions
  • Rotate credentials for F5 products regularly
  • Segregate hosts deploying F5 products to prevent lateral movement and the risk of the initial access being leveraged for destructive ransomware attacks
  • Use prioritized vulnerability management in order to stay ware of the latest critical vulnerabilities and patch shortly after disclosure to prevent opportunistic exploitation in the wild

Get our latest cyber intelligence insights straight into your inbox

Fill out the short form below to subscribe to our newsletter so that you never miss out on our cyber intelligence insights and news.