Connect with us

Hi, what are you looking for?



BIG-IP Vulnerability Exploited to Deliver DDoS Malware

Hackers continue to exploit the recently patched BIG-IP security flaw and they have plenty of potential targets as researchers have identified thousands of vulnerable systems.

Hackers continue to exploit the recently patched BIG-IP security flaw and they have plenty of potential targets as researchers have identified thousands of vulnerable systems.

The vulnerability affecting F5 Networks’ BIG-IP application delivery controller (ADC) is tracked as CVE-2020-5902 and it was disclosed last week by the vendor and Positive Technologies, the cybersecurity company whose researchers identified the issue. F5 has released patches and organizations have been advised to apply them immediately.

The security hole has been described as a critical remote code execution vulnerability that can be exploited to take complete control of a system. The issue is related to the Traffic Management User Interface (TMUI) configuration utility. An attacker who has access to this utility can exploit the weakness to create or delete files, disable services, intercept data, and run arbitrary code or commands.

While there are roughly 8,000 BIG-IP servers exposed to the internet, threat intelligence company Bad Packets has determined that roughly 3,000 of them are vulnerable to attacks exploiting CVE-2020-5902. A majority are in the United States (1,200), followed by China (500), Taiwan (140), and several other Asian countries.

According to Bad Packets, there are 635 unique network providers hosting vulnerable BIG-IP endpoints, including government organizations, educational institutions, healthcare providers, financial institutions, and Fortune 500 companies.

Proof-of-concept (PoC) exploits and technical information were made public for CVE-2020-5902 shortly after its disclosure and the first exploitation attempts were observed soon after. The vulnerability is easy to exploit and experts have pointed out that the entire exploit fits in a tweet.

Hackers have been scanning for vulnerable systems, and some of the exploits attempted to obtain passwords from vulnerable devices. Bad Packets reported on Monday that it has also seen a piece of DDoS malware being delivered via CVE-2020-5902 from an IP address known to have been involved in malicious activities.

Advertisement. Scroll to continue reading.

Chris Krebs, the director of the U.S. Cybersecurity and Infrastructure Security Agency (CISA), told organizations to assume that their systems have been compromised if the patch was not immediately installed.

Unpatched BIG-IP systems should be assumed compromised

Related: “Ticketbleed” Flaw Exposes F5 Appliances to Remote Attacks

Related: Flaw in F5 Products Allows Recovery of Encrypted Data

Related: Hidden Injection Flaws Found in BIG-IP Load Balancers

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


The latest Chrome update brings patches for eight vulnerabilities, including seven reported by external researchers.


Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.


Apple has released updates for macOS, iOS and Safari and they all include a WebKit patch for a zero-day vulnerability tracked as CVE-2023-23529.