Threat actors actively exploit F5 BIG-IP flaws CVE-2023-46747 and CVE-2023-46748

Pierluigi Paganini November 01, 2023

Experts warn that threat actors started exploiting the critical flaw CVE-2023-46747 in F5 BIG-IP installs less than five days after PoC exploit disclosure.

F5 this week warned customers about a critical security vulnerability, tracked as CVE-2023-46747 (CVSS 9.8), that impacts BIG-IP and could result in unauthenticated remote code execution.

The vulnerability resides in the Configuration utility component; it was reported by Michael Weber and Thomas Hendrickson of Praetorian on October 4, 2023.

“This vulnerability may allow an unauthenticated attacker with network access to the BIG-IP system through the management port and/or self IP addresses to execute arbitrary system commands. There is no data plane exposure; this is a control plane issue only.” reads the advisory published by F5.

The vulnerability affects the following versions:

| Product | Branch | Versions known to be vulnerable | Fixes introduced in | Severity | CVSSv3 score | Vulnerable component or feature |
|---|---|---|---|---|---|---|
| BIG-IP (all modules) | 17.x | 17.1.0 | 17.1.0.3 + Hotfix-BIGIP-17.1.0.3.0.75.4-ENG | Critical | 9.8 | Configuration utility |
| BIG-IP (all modules) | 16.x | 16.1.0 – 16.1.4 | 16.1.4.1 + Hotfix-BIGIP-16.1.4.1.0.50.5-ENG | Critical | 9.8 | Configuration utility |
| BIG-IP (all modules) | 15.x | 15.1.0 – 15.1.10 | 15.1.10.2 + Hotfix-BIGIP-15.1.10.2.0.44.2-ENG | Critical | 9.8 | Configuration utility |
| BIG-IP (all modules) | 14.x | 14.1.0 – 14.1.5 | 14.1.5.6 + Hotfix-BIGIP-14.1.5.6.0.10.6-ENG | Critical | 9.8 | Configuration utility |
| BIG-IP (all modules) | 13.x | 13.1.0 – 13.1.5 | 13.1.5.1 + Hotfix-BIGIP-13.1.5.1.0.20.2-ENG | Critical | 9.8 | Configuration utility |
| BIG-IQ Centralized Management | All | None | Not applicable | Not vulnerable | None | None |
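As an added example (not code from the article, from F5 or from Praetorian), the following Python script triages BIG-IP version strings from an asset inventory against the affected-version table above. It assumes that a range such as "16.1.0 – 16.1.4" covers every point release older than the listed fix version, that a device counts as fixed only when it runs the fix base version with the named ENG hotfix installed, and that the hostnames and versions in the sample inventory are constructed.

```python
# Added example: triage BIG-IP versions against the CVE-2023-46747 table.
# The version numbers and hotfix names below are copied from the advisory
# table quoted in the article; the inventory data is constructed.
from typing import Optional

# (branch, first vulnerable release, fix base version, required ENG hotfix)
AFFECTED = [
    ("17.x", "17.1.0", "17.1.0.3", "Hotfix-BIGIP-17.1.0.3.0.75.4-ENG"),
    ("16.x", "16.1.0", "16.1.4.1", "Hotfix-BIGIP-16.1.4.1.0.50.5-ENG"),
    ("15.x", "15.1.0", "15.1.10.2", "Hotfix-BIGIP-15.1.10.2.0.44.2-ENG"),
    ("14.x", "14.1.0", "14.1.5.6", "Hotfix-BIGIP-14.1.5.6.0.10.6-ENG"),
    ("13.x", "13.1.0", "13.1.5.1", "Hotfix-BIGIP-13.1.5.1.0.20.2-ENG"),
]

def parse_version(v: str) -> tuple:
    """'16.1.4' -> (16, 1, 4, 0): pad to four fields so 16.1.4 sorts below 16.1.4.1."""
    parts = [int(p) for p in v.strip().split(".")]
    return tuple(parts + [0] * (4 - len(parts)))

def triage(version: str, hotfix_installed: Optional[str] = None) -> str:
    """Classify one device. Assumption: every release from the first listed
    vulnerable version up to (but excluding) the fix base version is vulnerable,
    and the fix base version is fixed only with the ENG hotfix applied."""
    v = parse_version(version)
    for _branch, first, fix_base, hotfix in AFFECTED:
        lo, fix = parse_version(first), parse_version(fix_base)
        if v[0] != lo[0]:
            continue                      # different major branch
        if v < lo:
            return "not_listed"           # older than anything in the table
        if v < fix:
            return "vulnerable"
        if v == fix:
            return "fixed" if hotfix_installed == hotfix else "needs_hotfix"
        return "newer_than_fix"           # beyond the listed fix; confirm with F5
    return "not_listed"                   # e.g. BIG-IQ, which is not vulnerable

# Constructed sample inventory: (hostname, reported version, ENG hotfix if any)
SAMPLE_INVENTORY = [
    ("bigip-a", "16.1.3", None),
    ("bigip-b", "16.1.4.1", None),
    ("bigip-c", "16.1.4.1", "Hotfix-BIGIP-16.1.4.1.0.50.5-ENG"),
    ("bigip-d", "17.1.0.1", None),
    ("bigiq-1", "8.3.0", None),
]

def triage_inventory(inventory) -> dict:
    """Map each host to its triage result so the vulnerable ones can be patched first."""
    return {host: triage(ver, hf) for host, ver, hf in inventory}

if __name__ == "__main__":
    for host, status in triage_inventory(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```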

F5 has also released a mitigation shell script for versions 14.1.0 and later. The company pointed out that the script must not be run on any BIG-IP version prior to 14.1.0, because it will prevent the Configuration utility from starting.

On October 30, F5 updated its original advisory to warn that threat actors are actively exploiting the vulnerability. The attackers chain it with another flaw in BIG-IP’s Configuration utility, tracked as CVE-2023-46748 (CVSS score of 8.8).

F5 also released indicators of compromise (IoCs) to help defenders identify potential compromises.

“F5 has observed threat actors using this vulnerability to exploit CVE-2023-46748,” reads the updated advisory. “For indicators of compromise for CVE-2023-46748, please refer to .”

Praetorian Security updated its blog post with additional technical information after the Project Discovery team released the PoC exploit.

US CISA (Cybersecurity & Infrastructure Security Agency) added the two F5 BIG-IP vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog.
