The bug carries a CVSS severity score of 9.8, and public exploits have been released.
Threat actors have started exploiting a critical vulnerability in F5's BIG-IP appliances after a working exploit for the flaw was made publicly available.
The critical vulnerability, tracked as CVE-2022-1388, allows unauthenticated attackers to launch "arbitrary system commands, create or delete files, or disable services" on affected BIG-IP systems.
F5 issued a warning last week after the critical flaw was identified.
The patches and mitigations F5 released address a flaw in the authentication component of BIG-IP's iControl representational state transfer (REST) interface. Left unpatched, an attacker can exploit the weakness to execute commands with root privileges on the system.
“This issue allows attackers with access to the management interface to basically pretend to be an administrator due to a flaw in how the authentication is implemented,” said Aaron Portnoy, director of research and development, Randori.
“Once you are an admin, you can interact with all the endpoints the application provides, including execute code,” Portnoy added.
A Shodan query shared by security researcher Jacob Baines revealed thousands of BIG-IP systems exposed on the internet, which an attacker can target remotely.
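Exposure of the management interface is what turns this authentication flaw into a remote problem, so the first defensive step is to inventory which BIG-IP hosts answer iControl REST requests from an untrusted network. The script below is an added example written for this article, not code from F5, Randori, or the researchers quoted; it does not exploit anything. It assumes that `/mgmt/tm/sys/version` is a valid iControl REST endpoint and that an unauthenticated request to it on a reachable management interface returns HTTP 401 with a JSON body containing `"code": 401`. The HTTP function is injectable so the classification logic can be exercised offline against constructed responses.

```python
"""Triage which BIG-IP hosts expose iControl REST to the network you run this from.

Added example (not from the article). Assumptions, flagged inline:
  - /mgmt/tm/sys/version is an iControl REST endpoint that requires authentication.
  - Unauthenticated requests to it return HTTP 401 with a JSON body whose "code" is 401.
"""
import json
import ssl
import sys
import urllib.error
import urllib.request
from dataclasses import dataclass
from typing import Callable, Iterable, List, Optional, Tuple

# Assumption: an authenticated-only iControl REST endpoint used purely as a reachability probe.
PROBE_PATH = "/mgmt/tm/sys/version"

# (status, body); status is None when no HTTP response was obtained at all.
Fetch = Callable[[str], Tuple[Optional[int], str]]


@dataclass
class Finding:
    host: str
    exposed: bool   # True when iControl REST answered from this vantage point
    detail: str


def http_fetch(url: str, timeout: float = 5.0) -> Tuple[Optional[int], str]:
    """GET the URL and return (status, body_prefix); network/TLS failures become (None, '')."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE  # appliances commonly present self-signed certificates
    req = urllib.request.Request(url, headers={"User-Agent": "icontrol-exposure-check"})
    try:
        with urllib.request.urlopen(req, timeout=timeout, context=ctx) as resp:
            return resp.status, resp.read(4096).decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        # 401/403/404 and similar arrive here; the status and body are still useful evidence.
        return err.code, err.read(4096).decode("utf-8", "replace")
    except (urllib.error.URLError, OSError, ValueError):
        return None, ""


def looks_like_icontrol_401(body: str) -> bool:
    """Assumption: the iControl REST unauthenticated error is JSON carrying "code": 401."""
    try:
        data = json.loads(body)
    except ValueError:
        return False
    return isinstance(data, dict) and data.get("code") == 401


def classify(host: str, status: Optional[int], body: str) -> Finding:
    """Turn one probe result into a finding a defender can act on."""
    if status is None:
        return Finding(host, False, "no HTTPS response; iControl REST not reachable from here")
    if status == 200:
        # An authenticated-only endpoint answering with 200 and no credentials is the worst case.
        return Finding(host, True, "iControl REST answered without credentials; investigate immediately")
    if status == 401 and looks_like_icontrol_401(body):
        return Finding(host, True, "iControl REST reachable (authentication required); restrict access and patch")
    # Something answers on 443 (e.g. a virtual server) but the management API signature is absent.
    return Finding(host, False, f"HTTP {status} without iControl REST signature")


def triage(hosts: Iterable[str], fetch: Fetch = http_fetch) -> List[Finding]:
    """Probe each host's management URL and classify the response."""
    return [classify(host, *fetch(f"https://{host}{PROBE_PATH}")) for host in hosts]


if __name__ == "__main__":
    # Usage: python icontrol_exposure.py mgmt-host-1 mgmt-host-2 ...
    for finding in triage(sys.argv[1:]):
        flag = "EXPOSED " if finding.exposed else "ok      "
        print(f"{flag} {finding.host}: {finding.detail}")
```

Run it from the same network position an attacker would occupy (for example, outside the corporate perimeter); a host reported as exposed should have its management interface and self-IP access restricted and the patch applied, whether or not the 401 shows authentication is being enforced.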