CISA adds two F5 BIG-IP flaws to its Known Exploited Vulnerabilities catalog

Pierluigi Paganini November 01, 2023

US CISA added two vulnerabilities, tracked as CVE-2023-46747 and CVE-2023-46748, in BIG-IP to its Known Exploited Vulnerabilities catalog.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the vulnerabilities CVE-2023-46747 and CVE-2023-46748 in F5 BIG-IP to its Known Exploited Vulnerabilities (KEV) catalog.

CISA added the two vulnerabilities to its KEV catalog based on evidence of active exploitation. The two issues are:

  •  CVE-2023-46747 – F5 BIG-IP Authentication Bypass Vulnerability – The F5 BIG-IP Configuration utility contains an authentication bypass using an alternate path or channel, triggered by undisclosed requests, that may allow an unauthenticated attacker with network access to the BIG-IP system through the management port and/or self IP addresses to execute system commands. This vulnerability can be used in conjunction with CVE-2023-46748.
  •  CVE-2023-46748 – F5 BIG-IP SQL Injection Vulnerability – The F5 BIG-IP Configuration utility contains a SQL injection vulnerability that may allow an authenticated attacker with network access through the BIG-IP management port and/or self IP addresses to execute system commands. This vulnerability can be used in conjunction with CVE-2023-46747.

Experts warn that threat actors started exploiting the critical flaw CVE-2023-46747 in F5 BIG-IP installs less than five days after a PoC exploit was publicly disclosed.

On October 30, F5 updated its original advisory to warn that threat actors are actively exploiting the vulnerability. The attackers chain it with another flaw in BIG-IP's Configuration utility, tracked as CVE-2023-46748 (CVSS score of 8.8).

F5 also released indicators of compromise (IoCs) to help defenders identify potential compromises.

“F5 has observed threat actors using this vulnerability to exploit CVE-2023-46748,” reads the updated advisory. “For indicators of compromise for CVE-2023-46748, please refer to .”

Praetorian Security updated its blog post with additional technical information after the Project Discovery team released the PoC exploit.

According to Binding Operational Directive (BOD) 22-01, FCEB agencies have to address the identified vulnerabilities by the due date to protect their networks against attacks exploiting the flaws in the catalog.

Experts also recommend that private organizations review the catalog and address the vulnerabilities in their infrastructure.

CISA orders federal agencies to fix these flaws by November 21, 2023.
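As a worked example of the KEV triage step described above, the script below parses a feed in the format of CISA's public KEV catalog JSON, filters it against a local product inventory and reports how many days remain before each due date. This is added example code, not the article's, CISA's or F5's; the feed excerpt is constructed (the "ExampleCorp" entry and its placeholder CVE ID are hypothetical, while the two F5 entries reuse the CVE IDs and the 2023-11-21 due date from the article), and the inventory format is an assumption of this example.

```python
"""Triage CISA Known Exploited Vulnerabilities (KEV) entries against a product inventory.

Added example, not code from CISA, F5 or the article's author. It parses JSON in
the shape of CISA's KEV feed (a top-level "vulnerabilities" list whose entries
carry cveID, vendorProject, product, vulnerabilityName, dateAdded, dueDate, ...),
keeps the entries that touch products we run, and computes days left until the
remediation due date. The real feed is published at
https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json
but the excerpt below is constructed so the script runs offline.
"""
import json
from datetime import date

# Constructed excerpt in the KEV feed format. The third entry ("ExampleCorp",
# CVE-0000-0000) is a hypothetical placeholder used only to show filtering.
SAMPLE_KEV_JSON = """
{
  "title": "CISA Catalog of Known Exploited Vulnerabilities",
  "catalogVersion": "2023.10.31",
  "count": 3,
  "vulnerabilities": [
    {"cveID": "CVE-2023-46747", "vendorProject": "F5", "product": "BIG-IP Configuration Utility",
     "vulnerabilityName": "F5 BIG-IP Authentication Bypass Vulnerability",
     "dateAdded": "2023-10-31", "dueDate": "2023-11-21",
     "requiredAction": "Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.",
     "knownRansomwareCampaignUse": "Unknown", "notes": ""},
    {"cveID": "CVE-2023-46748", "vendorProject": "F5", "product": "BIG-IP Configuration Utility",
     "vulnerabilityName": "F5 BIG-IP SQL Injection Vulnerability",
     "dateAdded": "2023-10-31", "dueDate": "2023-11-21",
     "requiredAction": "Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.",
     "knownRansomwareCampaignUse": "Unknown", "notes": ""},
    {"cveID": "CVE-0000-0000", "vendorProject": "ExampleCorp", "product": "Example Gateway",
     "vulnerabilityName": "Hypothetical placeholder entry",
     "dateAdded": "2023-10-01", "dueDate": "2023-10-22",
     "requiredAction": "Apply updates per vendor instructions.",
     "knownRansomwareCampaignUse": "Unknown", "notes": ""}
  ]
}
"""

# Assumed inventory format: (vendor, product substring) pairs for what we operate.
INVENTORY = [("F5", "BIG-IP")]


def parse_kev(feed_text: str) -> list[dict]:
    """Parse the KEV feed and return its entries, rejecting a truncated download."""
    data = json.loads(feed_text)
    entries = data["vulnerabilities"]
    # The feed states its own entry count; a mismatch means we did not get all of it.
    if data.get("count") != len(entries):
        raise ValueError("KEV feed count does not match number of entries")
    return entries


def in_inventory(entry: dict, inventory: list[tuple[str, str]]) -> bool:
    """Case-insensitive match: exact vendor and product substring."""
    vendor = entry["vendorProject"].casefold()
    product = entry["product"].casefold()
    return any(vendor == v.casefold() and p.casefold() in product for v, p in inventory)


def triage(feed_text: str, inventory: list[tuple[str, str]], today_iso: str) -> list[dict]:
    """Return matching entries with days left and status, earliest due date first."""
    today = date.fromisoformat(today_iso)
    results = []
    for entry in parse_kev(feed_text):
        if not in_inventory(entry, inventory):
            continue
        days_left = (date.fromisoformat(entry["dueDate"]) - today).days
        results.append({
            "cveID": entry["cveID"],
            "name": entry["vulnerabilityName"],
            "dueDate": entry["dueDate"],
            "days_left": days_left,
            "status": "overdue" if days_left < 0 else "due",
        })
    results.sort(key=lambda r: (r["dueDate"], r["cveID"]))
    return results


if __name__ == "__main__":
    for r in triage(SAMPLE_KEV_JSON, INVENTORY, "2023-11-01"):
        print(f'{r["cveID"]}: {r["status"]}, {r["days_left"]} day(s) left (due {r["dueDate"]})')
```

Pointing `triage` at the downloaded feed instead of the constructed excerpt, and at the real asset inventory, gives a daily list of catalog entries that apply to the environment with their deadlines; the count check on the feed is what catches a partial download before it silently hides entries.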
