Serious Vulnerabilities in F5's BIG-IP Allow Full System Compromise
2020-07-02 15:37

Critical and high-severity vulnerabilities discovered by researchers in F5 Networks' BIG-IP application delivery controller allow a remote attacker to take complete control of the targeted system.

The vulnerabilities were identified by researchers at cybersecurity firm Positive Technologies, which disclosed its findings this week after the vendor released advisories and announced the availability of patches.

"The attacker can create or delete files, disable services, intercept information, run arbitrary system commands and Java code, completely compromise the system, and pursue further targets, such as the internal network. RCE in this case results from security flaws in multiple components, such as one that allows directory traversal exploitation."

Positive Technologies has also been credited with discovering a high-severity cross-site scripting vulnerability in the same BIG-IP configuration utility.

"An attacker can exploit this vulnerability to run JavaScript in the context of the currently logged-in user. In the case of an administrative user with access to the Advanced Shell, successful exploitation of this vulnerability can be leveraged to completely compromise the BIG-IP system through Remote Code Execution," F5 said in its advisory.


News URL

http://feedproxy.google.com/~r/Securityweek/~3/FYzzJaL8VTo/serious-vulnerabilities-f5s-big-ip-allow-full-system-compromise