Security News > 2021 > March > F5 urges customers to patch critical BIG-IP pre-auth RCE bug

F5 urges customers to patch critical BIG-IP pre-auth RCE bug
2021-03-10 17:04

F5 Networks, a leading provider of enterprise networking gear, has announced four critical remote code execution vulnerabilities affecting most BIG-IP and BIG-IQ software versions.

F5 BIG-IP software and hardware customers include governments, Fortune 500 firms, banks, internet service providers, and consumer brands, with the company claiming that "48 of the Fortune 50 rely on F5.".

Successful exploitation of critical BIG-IP RCE vulnerabilities could lead to full system compromise, including the interception of controller application traffic and lateral movement to the internal network.

"We strongly encourage all customers to update their BIG-IP and BIG-IQ systems to a fixed version as soon as possible," F5 says in a notification published earlier today.

"To fully remediate the critical vulnerabilities, all BIG-IP customers will need to update to a fixed version."

In July 2020, F5 patched a critical RCE vulnerability with a maximum 10/10 CVSSv3 rating tracked as CVE-2020-5902 and affecting the Traffic Management User Interface of BIG-IP ADC appliances.


News URL

https://www.bleepingcomputer.com/news/security/f5-urges-customers-to-patch-critical-big-ip-pre-auth-rce-bug/

Related Vulnerability

DATE CVE VULNERABILITY TITLE RISK
2020-07-01 CVE-2020-5902 Path Traversal vulnerability in F5 products
In BIG-IP versions 15.0.0-15.1.0.3, 14.1.0-14.1.2.5, 13.1.0-13.1.3.3, 12.1.0-12.1.5.1, and 11.6.1-11.6.5.1, the Traffic Management User Interface (TMUI), also referred to as the Configuration utility, has a Remote Code Execution (RCE) vulnerability in undisclosed pages.
network
low complexity
f5 CWE-22
critical
9.8

Related vendor

VENDOR LAST 12M #/PRODUCTS LOW MEDIUM HIGH CRITICAL TOTAL VULNS
F5 141 6 267 399 64 736