F5 BIG-IP TMUI Remote Code Execution (CVE-2020-5902)
Overview
F5 BIG-IP TMUI Remote Code Execution, tracked as CVE-2020-5902, affects the Traffic Management User Interface (TMUI), also known as the Configuration utility, in vulnerable F5 BIG-IP systems. BIG-IP appliances often sit in front of critical applications, so compromise of the management interface can have broad infrastructure impact.
Vulnerability Overview
CVE-2020-5902 is a remote code execution vulnerability in undisclosed TMUI pages of affected BIG-IP versions. NVD classifies the weakness as CWE-22, which is associated with path traversal behavior.
The issue is especially dangerous because exploitation does not require authentication when the vulnerable management interface is reachable. Exposed TMUI services on internet-facing or broadly reachable networks represent the highest-risk deployments.
Impact
CVE-2020-5902 has a CVSS 3.1 score of 9.8 and is rated Critical in NVD. The score reflects network reachability, low attack complexity, no required privileges, no user interaction, and high confidentiality, integrity, and availability impact.
Successful exploitation can allow remote code execution on the BIG-IP management plane, unauthorized access to sensitive configuration, modification of traffic handling behavior, disruption of application delivery, or further compromise of infrastructure that depends on the appliance.
CVE-2020-5902 is also listed in the CISA Known Exploited Vulnerabilities Catalog, which reflects confirmed exploitation in real environments.
Vulnerability Scope
CVE-2020-5902 affects BIG-IP versions 15.0.0 through 15.1.0.3, 14.1.0 through 14.1.2.5, 13.1.0 through 13.1.3.3, 12.1.0 through 12.1.5.1, and 11.6.1 through 11.6.5.1.
The practical exposure depends on whether TMUI is reachable by untrusted users. Management interfaces should be isolated from the internet, restricted to trusted administrative networks, and patched according to F5 guidance.
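To make the version ranges and the exposure question actionable, the following triage helper (an added example, not part of the original page or of F5's tooling) checks reported BIG-IP versions against the affected ranges above and ranks hosts by whether TMUI is reachable from untrusted networks. The hostnames and inventory rows are constructed sample data; the version ranges are the ones stated on this page.

```python
"""Triage helper: decide whether a reported BIG-IP version falls inside the
CVE-2020-5902 affected ranges listed above, then prioritise by TMUI exposure.
The ranges come from the advisory text; the inventory below is constructed."""

# Affected ranges from the advisory, inclusive at both ends.
AFFECTED_RANGES = [
    ("15.0.0", "15.1.0.3"),
    ("14.1.0", "14.1.2.5"),
    ("13.1.0", "13.1.3.3"),
    ("12.1.0", "12.1.5.1"),
    ("11.6.1", "11.6.5.1"),
]

def parse_version(text):
    """Turn '14.1.2' into (14, 1, 2, 0) so dotted versions compare numerically.
    Padding to four fields keeps '15.1.0' below '15.1.0.3' as expected."""
    parts = [int(p) for p in text.strip().split(".")]
    if not 1 <= len(parts) <= 4:
        raise ValueError(f"unexpected BIG-IP version format: {text!r}")
    return tuple(parts + [0] * (4 - len(parts)))

def is_affected(version):
    """True if the version sits inside any affected range (bounds inclusive)."""
    v = parse_version(version)
    return any(parse_version(lo) <= v <= parse_version(hi)
               for lo, hi in AFFECTED_RANGES)

def triage(inventory):
    """Rank inventory rows. An affected version whose TMUI is reachable from
    untrusted networks is the highest-risk case described in the advisory."""
    results = []
    for host, version, tmui_exposed in inventory:
        affected = is_affected(version)
        if affected and tmui_exposed:
            action = "PATCH NOW and restrict TMUI to admin networks"
        elif affected:
            action = "patch on schedule; keep TMUI restricted"
        else:
            action = "outside affected ranges; confirm TMUI is still restricted"
        results.append((host, version, affected, action))
    return results

# Constructed sample inventory: (hostname, reported version, TMUI reachable from untrusted network?)
SAMPLE_INVENTORY = [
    ("bigip-edge-01", "15.1.0.3", True),
    ("bigip-edge-02", "15.1.0.4", True),
    ("bigip-core-01", "14.1.2", False),
    ("bigip-lab-01", "11.6.0", False),
]

if __name__ == "__main__":
    for row in triage(SAMPLE_INVENTORY):
        print(*row)
```

Feed it the version strings your inventory system reports; any string it cannot parse raises rather than being silently treated as safe.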
Lab Focus
This lab focuses on understanding how a vulnerable appliance management interface can become a remote code execution path. The goal is to practice evaluating management-plane exposure, recognizing critical infrastructure impact, and understanding why administrative interfaces must be patched and network-restricted.
