We identified a new pre-auth remote code execution bug in F5-BIGIP's management panel. Today is disclosure day, so we can't share all the details yet (need to give folks time to patch), but we do go into details about how to identify AJP Request smuggling and demonstrate if an application is vulnerable. If you're not familiar with this technique, it's definitely worth a look!