F5 this week warned customers about a critical security vulnerability, tracked as CVE-2023-46747 (CVSS 9.8), that impacts BIG-IP and could result in unauthenticated remote code execution.
The vulnerability resides in the Configuration utility component; it was discovered by Michael Weber and Thomas Hendrickson of Praetorian, who reported it to F5 on October 4, 2023.
“This vulnerability may allow an unauthenticated attacker with network access to the BIG-IP system through the management port and/or self IP addresses to execute arbitrary system commands. There is no data plane exposure; this is a control plane issue only.” reads the advisory published by F5.
The vulnerability affects the following versions:
| Product | Branch | Versions known to be vulnerable | Fixes introduced in | Severity | CVSSv3 score | Vulnerable component or feature |
|---|---|---|---|---|---|---|
| BIG-IP (all modules) | 17.x | 17.1.0 | 17.1.0.3 + Hotfix-BIGIP-17.1.0.3.0.75.4-ENG | Critical | 9.8 | Configuration utility |
| BIG-IP (all modules) | 16.x | 16.1.0 – 16.1.4 | 16.1.4.1 + Hotfix-BIGIP-16.1.4.1.0.50.5-ENG | Critical | 9.8 | Configuration utility |
| BIG-IP (all modules) | 15.x | 15.1.0 – 15.1.10 | 15.1.10.2 + Hotfix-BIGIP-15.1.10.2.0.44.2-ENG | Critical | 9.8 | Configuration utility |
| BIG-IP (all modules) | 14.x | 14.1.0 – 14.1.5 | 14.1.5.6 + Hotfix-BIGIP-14.1.5.6.0.10.6-ENG | Critical | 9.8 | Configuration utility |
| BIG-IP (all modules) | 13.x | 13.1.0 – 13.1.5 | 13.1.5.1 + Hotfix-BIGIP-13.1.5.1.0.20.2-ENG | Critical | 9.8 | Configuration utility |
| BIG-IQ Centralized Management | All | None | Not applicable | Not vulnerable | None | None |
F5 has also released a mitigation shell script for versions 14.1.0 and later. The company pointed out that the script must not be used on any BIG-IP version prior to 14.1.0, because on those versions it will prevent the Configuration utility from starting.
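The affected-version table and the script caveat above are the two things a defender has to check across a fleet. The following is an added example (not F5's code, and not from the article) that encodes the table as data and classifies a BIG-IP version string as vulnerable, fixed, or in need of the engineering hotfix, and also reports whether the mitigation script may be run on it. Assumptions: BIG-IP versions are dotted integer strings, installed hotfixes are identified by the exact names from the table, and any version outside the listed ranges is reported as `not_listed` rather than guessed at.

```python
"""Triage BIG-IP versions against the CVE-2023-46747 affected-version table.

Added example; the table data is transcribed from the F5 advisory as reproduced
in the article. Anything the table does not cover is reported as "not_listed".
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Tuple

Version = Tuple[int, ...]


@dataclass(frozen=True)
class AffectedBranch:
    branch: str
    first_vulnerable: Version   # first release listed as vulnerable
    last_vulnerable: Version    # last release listed as vulnerable (major.minor.maint)
    fix_release: Version        # base release that carries the fix ...
    hotfix: str                 # ... together with this engineering hotfix


# One entry per BIG-IP branch row of the advisory table (BIG-IQ is not vulnerable).
AFFECTED_BRANCHES = (
    AffectedBranch("17.x", (17, 1, 0), (17, 1, 0), (17, 1, 0, 3), "Hotfix-BIGIP-17.1.0.3.0.75.4-ENG"),
    AffectedBranch("16.x", (16, 1, 0), (16, 1, 4), (16, 1, 4, 1), "Hotfix-BIGIP-16.1.4.1.0.50.5-ENG"),
    AffectedBranch("15.x", (15, 1, 0), (15, 1, 10), (15, 1, 10, 2), "Hotfix-BIGIP-15.1.10.2.0.44.2-ENG"),
    AffectedBranch("14.x", (14, 1, 0), (14, 1, 5), (14, 1, 5, 6), "Hotfix-BIGIP-14.1.5.6.0.10.6-ENG"),
    AffectedBranch("13.x", (13, 1, 0), (13, 1, 5), (13, 1, 5, 1), "Hotfix-BIGIP-13.1.5.1.0.20.2-ENG"),
)

# F5's mitigation script must not be run on anything older than this release.
MITIGATION_SCRIPT_MIN_VERSION: Version = (14, 1, 0)


def parse_version(text: str) -> Version:
    """Turn '16.1.4.1' into (16, 1, 4, 1); reject anything that is not dotted integers."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a BIG-IP version string: {text!r}")
    return tuple(int(p) for p in parts)


def assess(version: str, installed_hotfixes: FrozenSet[str] = frozenset()) -> str:
    """Classify one BIG-IP version against the advisory table.

    Returns one of:
      "vulnerable"      - inside a listed vulnerable range and below the fix release
      "hotfix_required" - on the fix release but the required ENG hotfix is absent
      "fixed"           - on the fix release with the ENG hotfix installed
      "not_listed"      - outside every range in the table (consult the advisory)
    """
    v = parse_version(version)
    for b in AFFECTED_BRANCHES:
        if v[0] != b.first_vulnerable[0]:
            continue  # different major branch
        # Ranges in the table are expressed at major.minor.maint granularity.
        if not (b.first_vulnerable <= v[:3] <= b.last_vulnerable):
            return "not_listed"
        if v < b.fix_release:
            return "vulnerable"
        if v == b.fix_release:
            return "fixed" if b.hotfix in installed_hotfixes else "hotfix_required"
        return "not_listed"  # newer than the fix release; not covered by this table
    return "not_listed"


def mitigation_script_supported(version: str) -> bool:
    """True only for releases on which F5 says the mitigation script may be used."""
    return parse_version(version) >= MITIGATION_SCRIPT_MIN_VERSION


def triage(inventory: Dict[str, Tuple[str, FrozenSet[str]]]) -> Dict[str, Tuple[str, bool]]:
    """Map host -> (status, script_ok) for an inventory of host -> (version, hotfixes)."""
    return {
        host: (assess(ver, hfs), mitigation_script_supported(ver))
        for host, (ver, hfs) in inventory.items()
    }


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    sample = {
        "lb-edge-01": ("16.1.3", frozenset()),
        "lb-edge-02": ("16.1.4.1", frozenset()),
        "lb-edge-03": ("16.1.4.1", frozenset({"Hotfix-BIGIP-16.1.4.1.0.50.5-ENG"})),
        "lb-legacy-01": ("13.1.2", frozenset()),
        "lb-old-01": ("12.1.6", frozenset()),
    }
    for host, (status, script_ok) in triage(sample).items():
        print(f"{host:14} {status:16} mitigation_script_ok={script_ok}")
```

The `hotfix_required` state is the one most often missed in practice: a device that reports the fix release number is still exposed until the matching ENG hotfix shows up in its installed software list, so the check asks for the hotfix name rather than trusting the base version alone.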
On October 30, F5 updated its original advisory to warn that threat actors are actively exploiting the vulnerability. The attackers chain it with another flaw in BIG-IP’s Configuration utility, tracked as CVE-2023-46748 (CVSS score of 8.8).
F5 also released indicators of compromise (IoCs) to help defenders identify potential compromises.
“F5 has observed threat actors using this vulnerability to exploit CVE-2023-46748,” reads the update. “For indicators of compromise for CVE-2023-46748, please refer to .”
Praetorian Security updated its blog post with additional technical information after the Project Discovery team released the .
US CISA (Cybersecurity & Infrastructure Security Agency) added the two F5 BIG-IP vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog.
(SecurityAffairs – hacking, F5)