Threat actors actively exploit F5 BIG-IP flaws CVE-2023-46747/8

Threat actors actively exploit F5 BIG-IP flaws CVE-2023-46747 and CVE-2023-46748

Pierluigi Paganini
November 01, 2023

Experts warn that threat actors started exploiting the critical flaw CVE-2023-46747 in F5 BIG-IP installs less than five days after PoC exploit disclosure.

F5 this week warned customers about a critical security vulnerability, tracked as CVE-2023-46747 (CVSS 9.8), that impacts BIG-IP and could result in unauthenticated remote code execution.

The vulnerability resides in the configuration utility component, it was reported by Michael Weber and Thomas Hendrickson of Praetorian on October 4, 2023.

“This vulnerability may allow an unauthenticated attacker with network access to the BIG-IP system through the management port and/or self IP addresses to execute arbitrary system commands. There is no data plane exposure; this is a control plane issue only.” reads the advisory published by F5.

“This vulnerability may allow an unauthenticated attacker with network access to the BIG-IP system through the management port and/or self IP addresses to execute arbitrary system commands. There is no data plane exposure; this is a control plane issue only.” reads the advisory published by F5.

The vulnerability affects the following versions:

F5 has released a shell script for versions 14.1.0 and later. The company pointed out that the script must not be used on any BIG-IP version prior to 14.1.0 because it will prevent the Configuration utility from starting.

On October 30, F5 updated its original advisory warning that threat actors are actively exploiting the vulnerability. The attackers chain the vulnerability with another flaw in BIG-IP’s configuration utility tracked as CVE-2023-46748 (CVSS score of 8.8).

F5 also released indicators-of-compromise (IoCs) to help defenders to identify potential compromises.

“F5 has observed threat actors using this vulnerability to exploit CVE-2023-46748.” states the advisory. “For indicators of compromise for CVE-2023-46748, please refer to K000137365: BIG-IP Configuration utility authenticated SQL injection vulnerability CVE-2023-46748.”

Praetorian Security updated its blog with additional technical info after the Project Discovery team released the proof of concept on Github.

US CISA (Cybersecurity & Infrastructure Security Agency) added the two F5 BIG-IP vulnerabilities to its KEV (Known Exploited Vulnerabilities) catalog.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, F5)

About Author

AndyC

Andy Curtis is an award-winning security consultant, researcher and public speaker. He has been working in the computer security industry since the early 1990s, having been employed by state and federal government, leading healthcare and banking providers across three continents. He has given talks about computer security for some of the world’s largest companies, worked with law enforcement agencies on investigations into hacking groups, and is a regular voice on TV and radio explaining IT security threats.

See author's posts