On Friday, the US Cybersecurity and Infrastructure Security Agency (CISA) released an alert warning organizations about the danger posed by a newly patched vulnerability affecting the BIG-IP application delivery controller (ADC) of F5 Networks.
The critical security vulnerability, known as CVE-2020-5902, allows an attacker accessing the product’s Traffic Management User Interface (TMUI) configuration feature to get passwords and other sensitive data, intercept traffic, and execute arbitrary code or commands, resulting in the device being completely compromised.
The problem was announced July 1. At the time of disclosure, Positive Technologies, whose employees were credited with disclosing the vulnerability to F5, reported that thousands of vulnerable devices were exposed to the internet, including many in the United States.
A few days later a proof-of-concept (PoC) exploit was released, and the first attempts at exploitation were spotted on July 5. F5, which issued a patch before disclosure, tells customers to presume that their systems have been compromised if they have failed to install the patch for CVE-2020-5902.
Since July 6, CISA says government departments and agencies have seen scanning and monitoring activities associated with this bug. The agency investigated several potential breaches resulting from exploitation of this vulnerability, including at U.S. government and commercial organizations, and it has confirmed two instances where systems have been compromised to date.
CISA has urged organizations to update their BIG-IP products immediately and to act swiftly if they find evidence of attacks.
In the event of a breach, the agency’s recommendations include reimaging compromised hosts, resetting account passwords, limiting access to the vulnerable management interface and implementing network segmentation to prevent the attacker from moving laterally within the network.