CVE-2020-5902 F5 BIG-IP Exploitation Attempt
Detects exploitation attempts against the F5 BIG-IP vulnerability described in CVE-2020-5902.
Sigma rule
title: CVE-2020-5902 F5 BIG-IP Exploitation Attempt
id: 44b53b1c-e60f-4a7b-948e-3435a7918478
status: test
description: Detects the exploitation attempt of the vulnerability found in F5 BIG-IP and described in CVE-2020-5902
references:
    - https://support.f5.com/csp/article/K52145254
    - https://www.ptsecurity.com/ww-en/about/news/f5-fixes-critical-vulnerability-discovered-by-positive-technologies-in-big-ip-application-delivery-controller/
    - https://twitter.com/yorickkoster/status/1279709009151434754
    - https://www.criticalstart.com/f5-big-ip-remote-code-execution-exploit/
author: Florian Roth (Nextron Systems)
date: 2020-07-05
modified: 2023-01-02
tags:
    - attack.initial-access
    - attack.t1190
    - cve.2020-5902
    - detection.emerging-threats
logsource:
    category: webserver
detection:
    selection_base:
        cs-uri-query|contains:
            - '/tmui/'
            - '/hsqldb'
    selection_traversal:
        cs-uri-query|contains:
            - '..;/'
            - '.jsp/..'
    condition: selection_base and selection_traversal
fields:
    - c-ip
    - c-dns
falsepositives:
    - Unknown
level: critical
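
The rule's condition applied to constructed log lines, as an added example that is not part of the original rule or of the Sigma project's code. It assumes the log pipeline maps the requested URI into cs-uri-query; the space-separated line layout, the function names and the sample values are hypothetical.

```python
# Added example: evaluates the rule's detection logic over constructed events.
# Assumption: the log pipeline maps the requested URI into 'cs-uri-query'.

SELECTION_BASE = ("/tmui/", "/hsqldb")        # selection_base values
SELECTION_TRAVERSAL = ("..;/", ".jsp/..")     # selection_traversal values
FIELDS = ("c-ip", "c-dns")                    # the rule's 'fields' list


def contains_any(value, needles):
    """Sigma 'contains' over a value list: case-insensitive substring match, OR-ed."""
    haystack = (value or "").lower()
    return any(n.lower() in haystack for n in needles)


def matches(event):
    """condition: selection_base and selection_traversal"""
    uri = event.get("cs-uri-query")
    return contains_any(uri, SELECTION_BASE) and contains_any(uri, SELECTION_TRAVERSAL)


def parse_line(line):
    """Parse a constructed line: c-ip c-dns cs-method cs-uri-query sc-status."""
    c_ip, c_dns, method, uri, status = line.split()
    return {"c-ip": c_ip, "c-dns": c_dns, "cs-method": method,
            "cs-uri-query": uri, "sc-status": status}


def detect(lines):
    """Return the rule's output fields for every line that satisfies the condition."""
    hits = []
    for line in lines:
        event = parse_line(line)
        if matches(event):
            hits.append({f: event[f] for f in FIELDS})
    return hits


# Constructed sample lines (documentation IP ranges, placeholder page names).
SAMPLE_LOG = [
    "198.51.100.7 scanner.example GET /tmui/placeholder.jsp/..;/placeholder 200",
    "192.0.2.10 admin.example GET /tmui/placeholder.jsp 200",             # base only
    "203.0.113.5 client.example GET /app/index.jsp/..;/static/logo.png 404",  # traversal only
    "198.51.100.9 probe.example GET /HSQLDB/..;/placeholder 200",         # mixed case
]

if __name__ == "__main__":
    for hit in detect(SAMPLE_LOG):
        print(hit)
```

Only the first and last sample lines satisfy both selections; the middle two each satisfy one selection and are not reported.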