Hackers are targeting organisations using a vulnerability in F5 BIG-IP software

A patch addressing the bug was released last month

The Cybersecurity and Infrastructure Security Agency (CISA) of the US Department of Homeland Security said last week that it had responded to two cyber incidents that exploited a critical vulnerability in F5 BIG-IP software to target US government and private-sector organisations.

In an alert issued on Friday, the CISA warned that attackers are currently trying to exploit the CVE-2020-5902 flaw in F5 Networks' software, which could allow them to take control of federal and private networks.

The agency said it had spotted an unidentified group of hackers that had been scanning federal agencies' networks for weeks to discover systems they could exploit.

The agency is currently working with other cyber security firms to investigate possible breaches related to the vulnerability.

CVE-2020-5902 is a remote code execution (RCE) bug in the Traffic Management User Interface (TMUI) of BIG-IP devices. Researchers discovered it last month, and FT Networks released a patch on the 30^th June.

To exploit the vulnerability, an attacker needs to send a specially crafted HTTP request to the server hosting the TMUI utility for BIG-IP configuration.

Mikhail Klyuchnikov, a researcher at Positive Technologies who discovered the flaw, said that an attacker with access to the BIG-IP configuration utility could exploit the device remotely without authentication. The Common Vulnerability Scoring System (CVSS) severity scale gave CVE-2020-5902 the maximum score of 10.0.

"The attacker can create or delete files, disable services, intercept information, run arbitrary system commands and Java code, completely compromise the system, and pursue further targets, such as the internal network," Klyuchnikov said.

Last month, Klyuchnikov also reported a less critical XSS vulnerability (CVE-2020-5903) in BIG-IP configuration interface, which could allow hackers to execute malicious JavaScript code on the target device with the same rights as the logged-in user.

While F5 Networks has already released patches for these vulnerabilities, many devices still remain unpatched, according to CISA.

Many large enterprises and government networks use F5 devices, and it is vital to quickly patch vulnerabilities quickly.

"If your BIG-IP system has TMUI exposed to the Internet and it does not have a fixed version of software installed, there is a high probability that it has been compromised and you should follow your internal incident response procedures. Refer to the Indicators of compromise section," F5 Networks said in June.

CISA is now urging users and admins to upgrade their software to the fixed versions. Admins are also being advised to deploy the signature included in CISA's Alert "to help them determine whether their systems have been compromised."