BIG-IP 9.0.2 through 9.0.4 cache login credentials for the Configuration utility. Once a user is logged in, the cache does not check the password entered for additional sessions under that user name. As a result, it is possible to gain access to the BIG-IP Configuration utility without a password.
F5 Product Development tracked this issue as CR45786, and it was fixed in BIG-IP 9.0.5. For information about upgrading, refer to the BIG-IP LTM release notes.
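The class of flaw described above, shown as an added Python model beside a corrected form. This is not F5 code and does not reflect the Configuration utility's actual implementation; `UserStore`, `FlawedLoginCache`, `CheckedLoginCache`, and the account and passwords are hypothetical names and constructed values.

```python
import hashlib, hmac, os

def derive(password, salt):
    # Salted verifier; iteration count is illustrative only.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)

class UserStore:
    """Stand-in for the real credential backend (constructed for this example)."""
    def __init__(self):
        self.users = {}
    def add(self, user, password):
        salt = os.urandom(16)
        self.users[user] = (salt, derive(password, salt))
    def verify(self, user, password):
        if user not in self.users:
            return False
        salt, expected = self.users[user]
        return hmac.compare_digest(derive(password, salt), expected)

class FlawedLoginCache:
    """Models the described behaviour: a cache hit is decided by user name alone."""
    def __init__(self, store):
        self.store, self.logged_in = store, set()
    def login(self, user, password):
        if user in self.logged_in:
            return True  # password is never examined for additional sessions
        ok = self.store.verify(user, password)
        if ok:
            self.logged_in.add(user)
        return ok

class CheckedLoginCache:
    """Cache stores a verifier and checks the supplied password on every login."""
    def __init__(self, store):
        self.store, self.cache = store, {}
    def login(self, user, password):
        entry = self.cache.get(user)
        if entry and hmac.compare_digest(derive(password, entry[0]), entry[1]):
            return True  # hit only when the password matches the cached verifier
        if not self.store.verify(user, password):
            return False  # miss or mismatch: the backend decides
        salt = os.urandom(16)
        self.cache[user] = (salt, derive(password, salt))
        return True

def second_session_accepted(cache_cls):
    """Log in once correctly, then open a second session with a wrong password."""
    store = UserStore()
    store.add("admin", "constructed-correct-password")
    cache = cache_cls(store)
    assert cache.login("admin", "constructed-correct-password")
    return cache.login("admin", "wrong-password")
```

`second_session_accepted(FlawedLoginCache)` returns `True` and `second_session_accepted(CheckedLoginCache)` returns `False`, which makes the pair usable as a regression test for any login cache.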