CVE-2020-5902 F5 BIG-IP Exploitation Attempt
Detects the exploitation attempt of the vulnerability found in F5 BIG-IP and described in CVE-2020-5902
Sigma rule (View on GitHub)
1title: CVE-2020-5902 F5 BIG-IP Exploitation Attempt
2id: 44b53b1c-e60f-4a7b-948e-3435a7918478
3status: test
4description: Detects the exploitation attempt of the vulnerability found in F5 BIG-IP and described in CVE-2020-5902
5references:
6 - https://support.f5.com/csp/article/K52145254
7 - https://www.ptsecurity.com/ww-en/about/news/f5-fixes-critical-vulnerability-discovered-by-positive-technologies-in-big-ip-application-delivery-controller/
8 - https://twitter.com/yorickkoster/status/1279709009151434754
9 - https://www.criticalstart.com/f5-big-ip-remote-code-execution-exploit/
10author: Florian Roth (Nextron Systems)
11date: 2020/07/05
12modified: 2023/01/02
13tags:
14 - attack.initial_access
15 - attack.t1190
16 - cve.2020.5902
17 - detection.emerging_threats
18logsource:
19 category: webserver
20detection:
21 selection_base:
22 cs-uri-query|contains:
23 - '/tmui/'
24 - '/hsqldb'
25 selection_traversal:
26 cs-uri-query|contains:
27 - '..;/'
28 - '.jsp/..'
29 condition: selection_base and selection_traversal
30fields:
31 - c-ip
32 - c-dns
33falsepositives:
34 - Unknown
35level: critical
References
-
F5 fixes critical vulnerability discovered by Positive Technologies in BIG-IP application delivery controller
Read More -
-
When TEAMARES began research into the vulnerability identified in the F5 TMUI RCE vulnerability advisory released last month, we initially started by reading
Read More
Related rules
- CVE-2010-5278 Exploitation Attempt
- CVE-2020-0688 Exchange Exploitation via Web Log
- CVE-2020-0688 Exploitation Attempt
- CVE-2020-10148 SolarWinds Orion API Auth Bypass
- CVE-2021-40539 Zoho ManageEngine ADSelfService Plus Exploit