Detect F5 TMUI RCE CVE-2020-5902

Description

This search detects remote code execution exploit attempts on F5 BIG-IP, BIG-IQ, and Traffix SDC devices.


Detect F5 TMUI RCE CVE-2020-5902 Help

To consistently detect exploit attempts against F5 devices using the vulnerabilities contained within CVE-2020-5902, it is recommended to ingest logs via syslog. Because many BIG-IP devices have SSL enabled on their management interfaces, detections based on wire data may not pick anything up unless you decrypt the SSL traffic in order to inspect it. I am using a regex string from a Cloudflare mitigation technique to try to always catch the offending string (..;), along with the other exploit, which uses (hsqldb;).
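The same idea applied to syslog-forwarded access records, as an added example that is neither this search nor Cloudflare's regex. The pattern, the log layout, the host names, addresses and paths are all constructed assumptions, and the percent-decoding step goes beyond the text so that encoded forms of the two strings are still caught.

```python
import re
from urllib.parse import unquote

# Assumed pattern built from the two strings named above: "..;" and "hsqldb;".
MARKERS = re.compile(r"\.\.;|hsqldb;", re.IGNORECASE)
# Request line inside an access record (record layout is an assumption).
REQUEST = re.compile(r'"(?P<method>[A-Z]+) (?P<uri>\S+) HTTP/[\d.]+"')


def normalize(uri, max_rounds=3):
    """Percent-decode until stable so %2e%2e%3b is matched like '..;'."""
    for _ in range(max_rounds):
        decoded = unquote(uri)
        if decoded == uri:
            break
        uri = decoded
    return uri


def detect(lines):
    """Return (line_number, marker, raw_uri) for each record with a marker."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = REQUEST.search(line)
        if not m:
            continue  # not an HTTP access record
        hit = MARKERS.search(normalize(m.group("uri")))
        if hit:
            hits.append((n, hit.group(0).lower(), m.group("uri")))
    return hits


# Constructed sample records; every value here is a placeholder.
SAMPLE = [
    '<134>Jul  6 10:01:02 bigip1 httpd[4321]: 192.0.2.10 "GET /example/home HTTP/1.1" 200',
    '<134>Jul  6 10:01:05 bigip1 httpd[4321]: 198.51.100.7 "GET /example/a/..;/b HTTP/1.1" 200',
    '<134>Jul  6 10:01:09 bigip1 httpd[4321]: 198.51.100.7 "POST /example/a/%2e%2e%3b/b HTTP/1.1" 200',
    '<134>Jul  6 10:01:12 bigip1 httpd[4321]: 198.51.100.7 "GET /example/hsqldb%3b HTTP/1.1" 200',
    '<134>Jul  6 10:02:00 bigip1 sshd[999]: Accepted publickey for admin',
]

if __name__ == "__main__":
    for n, marker, uri in detect(SAMPLE):
        print(f"line {n}: marker {marker!r} in {uri}")
```

The raw URI is kept in each hit so an analyst can see whether the request arrived encoded.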

   Search
