Security researchers Chase Dardaman and Rich Mirch with CriticalStart’s TeamAres found a bypass for the mitigation of the CVE-2020-5902 security flaw. The vulnerability enables unauthenticated remote attackers to access the Traffic Management User Interface (TMUI) of the BIG-IP application delivery controller (ADC) and remotely execute arbitrary system commands and Java code. Customers are urged to patch their devices to the latest version, if possible, to block potential attacks, rather than rely on mitigations that have to be updated whenever a new bypass is found.
Source: https://www.bleepingcomputer.com/news/security/mitigating-critical-f5-big-ip-rce-flaw-not-enough-bypass-found/