📄 Description (English)
F5 BIG-IP Traffic Management User Interface (TMUI) Remote Code Execution Vulnerability — F5 BIG-IP Traffic Management User Interface (TMUI) contains a remote code execution vulnerability in undisclosed pages.
🤖 AI Executive Summary
CVE-2020-5902 is a critical remote code execution vulnerability in F5 BIG-IP TMUI affecting versions 11.6.0 through 16.0.0, with a CVSS score of 9.0. The vulnerability allows unauthenticated attackers to execute arbitrary code through undisclosed pages in the web interface. This vulnerability has been actively exploited in the wild and poses an immediate threat to organizations relying on F5 BIG-IP for load balancing and traffic management.
📄 Description (Arabic)
🤖 AI Intelligence Analysis Analyzed: Apr 19, 2026 13:55
🇸🇦 Saudi Arabia Impact Assessment
This vulnerability poses severe risk to Saudi critical infrastructure, particularly: (1) Banking sector (SAMA-regulated institutions) — F5 BIG-IP is widely deployed for load balancing in banking networks and payment systems; (2) Telecommunications (STC, Mobily, Zain) — used extensively for traffic management and DDoS mitigation; (3) Government entities (NCA, CITC) — deployed in critical government networks; (4) Energy sector (Saudi Aramco, SEC) — used in SCADA and operational technology networks; (5) Healthcare institutions — managing patient data and medical systems. Unauthenticated RCE allows complete system compromise, data exfiltration, lateral movement, and potential disruption of critical services.
🏢 Affected Saudi Sectors
Banking and Financial Services
Government and Public Administration
Telecommunications
Energy and Utilities
Healthcare
Critical Infrastructure
🎯 MITRE ATT&CK Techniques
⚖️ Saudi Risk Score (AI)
9.5
/ 10.0
🔧 Remediation Steps (English)
IMMEDIATE ACTIONS:
1. Identify all F5 BIG-IP instances in your environment and document their versions
2. Isolate or restrict network access to BIG-IP TMUI (port 443/8443) to trusted administrative networks only
3. Implement WAF rules to block exploitation attempts targeting known vulnerable paths
4. Enable detailed logging and monitoring of TMUI access
PATCHING GUIDANCE:
1. Apply F5 security patches immediately: versions 11.6.x, 12.x, 13.x, 14.x, 15.x, and 16.0.0 require updates
2. Upgrade to patched versions: 11.6.4, 12.1.4, 13.1.4, 14.1.4, 15.1.4, or 16.0.1 and later
3. Prioritize production systems first, then non-production environments
COMPENSATING CONTROLS (if immediate patching not possible):
1. Disable TMUI access from untrusted networks using firewall rules
2. Implement IP whitelisting for administrative access
3. Deploy network segmentation to limit lateral movement
4. Use VPN for all administrative access to TMUI
DETECTION RULES:
1. Monitor for HTTP POST requests to /tmui/login.jsp and /tmui/system/management paths
2. Alert on any successful authentication followed by unusual process execution
3. Monitor for outbound connections from BIG-IP to external IPs
4. Track file modifications in /var/www/tmui/ directory
5. Monitor system logs for privilege escalation attempts
🔧 خطوات المعالجة (العربية)
الإجراءات الفورية:
1. حدد جميع مثيلات F5 BIG-IP في بيئتك وقثق إصداراتها
2. عزل أو تقييد الوصول إلى شبكة TMUI (المنفذ 443/8443) للشبكات الإدارية الموثوقة فقط
3. تطبيق قواعد WAF لحظر محاولات الاستغلال التي تستهدف المسارات المعروفة الضعيفة
4. تفعيل السجلات المفصلة ومراقبة الوصول إلى TMUI
إرشادات التصحيح:
1. تطبيق تصحيحات أمان F5 فوراً: الإصدارات 11.6.x و 12.x و 13.x و 14.x و 15.x و 16.0.0 تتطلب تحديثات
2. الترقية إلى الإصدارات المصححة: 11.6.4 و 12.1.4 و 13.1.4 و 14.1.4 و 15.1.4 و 16.0.1 والإصدارات الأحدث
3. إعطاء الأولوية للأنظمة الإنتاجية أولاً، ثم بيئات غير الإنتاج
الضوابط البديلة (إذا لم يكن التصحيح الفوري ممكناً):
1. تعطيل الوصول إلى TMUI من الشبكات غير الموثوقة باستخدام قواعد جدار الحماية
2. تطبيق القائمة البيضاء للعناوين للوصول الإداري
3. نشر تقسيم الشبكة لتحديد الحركة الجانبية
4. استخدام VPN لجميع الوصول الإداري إلى TMUI
قواعد الكشف:
1. مراقبة طلبات HTTP POST إلى /tmui/login.jsp و /tmui/system/management
2. تنبيه عند أي مصادقة ناجحة متبوعة بتنفيذ عملية غير عادية
3. مراقبة الاتصالات الصادرة من BIG-IP إلى عناوين IP خارجية
4. تتبع تعديلات الملفات في دليل /var/www/tmui/
5. مراقبة سجلات النظام لمحاولات تصعيد الامتيازات
📋 Regulatory Compliance Mapping
🟢 NCA ECC 2024
A.5.1.1 - Information Security Policies and Procedures
A.6.1.1 - Organization of Information Security
A.8.1.1 - Access Control Policy
A.12.2.1 - Restrictions on Software Installation
A.12.6.1 - Management of Technical Vulnerabilities
🔵 SAMA CSF
ID.AM-2 - Asset Management
PR.IP-12 - Software Development and Quality Assurance
PR.PT-2 - Removable Media Protection
DE.CM-8 - Vulnerability Scans
RS.MI-2 - Incident Response Procedures
🟡 ISO 27001:2022
A.6.1.1 - Information Security Roles and Responsibilities
A.8.1.1 - Access Control Policy
A.12.2.1 - Restrictions on Software Installation
A.12.6.1 - Management of Technical Vulnerabilities
A.14.2.1 - Secure Development Policy
🟣 PCI DSS v4.0
Requirement 2.2.4 - Configure system security parameters
Requirement 6.2 - Ensure security patches are installed
Requirement 11.2 - Run automated vulnerability scans
🔗 References & Sources 0
No references.
📦 Affected Products / CPE 1 entries
F5:BIG-IP