On June 30th 2020, F5 disclosed a Remote Code Execution (RCE) (CVE-2020-5902) vulnerability in their Traffic Management User Interface (TMUI), also referred to as the Configuration Utility. The directory traversal vulnerability can allow execution of system commands, as well as reading and writing of files and execution of arbitrary Java code. This vulnerability has a CVSSv3 base score of 9.8.
Due to exploitation already seen in the wild, if your TMUI is exposed to the Internet, it is highly likely that your BIG-IP system has already been compromised and incident response procedures are recommended. The BIG-IP versions affected are 15.0.0-15.1.0.3, 14.1.0-14.1.2.5, 13.1.0-13.1.3.3, 12.1.0-12.1.5.1, and 11.6.1-11.6.5.1. It is recommended to patch any affected systems immediately. If patching is not possible, more hardening procedures can be found at https://support.f5.com/csp/article/K52145254.
Frontline.Cloud includes an unauthenticated check 137381 F5 Big-IP TMUI RCE, a Critical severity added July 6th, 2020.