Detect F5 TMUI RCE CVE-2020-5902
This search detects remote code execution exploit attempts against F5 BIG-IP, BIG-IQ, and Traffix SDC devices.
Detect F5 TMUI RCE CVE-2020-5902 Help
To consistently detect exploit attempts against F5 devices using the vulnerability tracked as CVE-2020-5902, it is recommended to ingest the device logs via syslog. Because many BIG-IP devices have SSL enabled on their management interfaces, detections based on wire data may not pick anything up unless you are decrypting the SSL traffic in order to inspect it. I am using a regex string from a Cloudflare mitigation technique to try and always catch the offending string (..;), along with the string used by the other exploit (hsqldb;).
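The matching logic described above, run over syslog-forwarded access-log lines, as an added example that is not part of the original search. The log-line format, the sample lines and the URL-decoding step are assumptions for this example, not something the page specifies.

```python
import re
from typing import Dict, List
from urllib.parse import unquote

# The two strings the search looks for: the "..;" path-segment trick and the
# "hsqldb;" handler. Matched case-insensitively against the request URI.
TMUI_PATTERN = re.compile(r"\.\.;|hsqldb;", re.IGNORECASE)

# Hypothetical syslog-forwarded access-log format assumed for this example:
#   <timestamp> <host> <src_ip> "<METHOD> <uri> HTTP/x.y" <status>
LOG_LINE = re.compile(
    r'^(?P<ts>\S+) (?P<host>\S+) (?P<src>\S+) '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) HTTP/[\d.]+" (?P<status>\d{3})$'
)

# Constructed sample lines (not real traffic). The third line is a
# percent-encoded variant that a raw "..;" match alone would miss.
SAMPLE_LOGS = [
    '2020-07-05T10:00:01Z bigip1 10.0.0.5 "GET /tmui/login.jsp HTTP/1.1" 200',
    '2020-07-05T10:00:02Z bigip1 203.0.113.7 "GET /tmui/login.jsp/..;/tmui/example.jsp HTTP/1.1" 200',
    '2020-07-05T10:00:03Z bigip1 203.0.113.7 "GET /tmui/login.jsp/%2e%2e;/tmui/example.jsp HTTP/1.1" 200',
    '2020-07-05T10:00:04Z bigip1 198.51.100.9 "GET /hsqldb;/ HTTP/1.1" 200',
    '2020-07-05T10:00:05Z bigip1 10.0.0.5 "GET /docs/../index.html HTTP/1.1" 200',
    'garbage line that does not parse',
]


def parse_line(line: str) -> Dict[str, str]:
    """Return the named fields of one access-log line, or {} if it does not parse."""
    m = LOG_LINE.match(line)
    return m.groupdict() if m else {}


def detect_tmui_exploit_attempts(lines: List[str]) -> List[Dict[str, str]]:
    """Flag requests whose URI contains "..;" or "hsqldb;".

    The URI is percent-decoded before matching (an addition beyond the page's
    search) so that encoded forms of the same strings are not missed.
    """
    hits = []
    for line in lines:
        fields = parse_line(line)
        if not fields:
            continue  # unparsable line; a production pipeline should count these
        m = TMUI_PATTERN.search(unquote(fields["uri"]))
        if m:
            hits.append({"src": fields["src"], "uri": fields["uri"],
                         "matched": m.group(0).lower()})
    return hits
```

Plain `..` without the semicolon (line five) is deliberately not flagged, so ordinary relative paths do not raise alerts.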