Connect with us

Hi, what are you looking for?



Attackers Exploiting Critical F5 BIG-IP Vulnerability

Exploitation of a critical vulnerability (CVE-2023-46747) in F5’s  BIG-IP product started less than five days after public disclosure and PoC exploit code was published.

F5 BIG-IP Vulnerability

Exploitation of a recently patched critical vulnerability in F5’s  BIG-IP product started less than five days after public disclosure and proof-of-concept (PoC) exploit code was published.

The flaw, tracked as CVE-2023-46747 (CVSS score of 9.8), affects the Traffic Management User Interface of BIG-IP and allows for  unauthenticated, remote code execution (RCE).

A request smuggling flaw, rooted in the configuration utility component of BIG-IP, CVE-2023-46747 can be exploited to gain full administrative privileges on a vulnerable system.

On October 26, F5 released hotfixes for BIG-IP versions 13.x through 17.x, and the Seattle-based tech company is urging customers to install them as soon as possible.

In an October 30 update to the original advisory, the security and application delivery solutions provider warned that attackers are exploiting the vulnerability, chaining it with another new flaw in BIG-IP’s configuration utility, CVE-2023-46748 (CVSS score of 8.8).

“An authenticated SQL injection vulnerability exists in the BIG-IP configuration utility which may allow an authenticated attacker with network access to the configuration utility through the BIG-IP management port and/or self IP addresses to execute arbitrary system commands,” a NIST advisory for CVE-2023-46748 reads.

F5, which says that attackers using CVE-2023-46747 to exploit CVE-2023-46748, has released indicators-of-compromise (IoCs) for both flaws to help organizations identify potential compromises.

“This information is based on the evidence F5 has seen on compromised devices, which appear to be reliable indicators,” the company notes for both vulnerabilities.

Advertisement. Scroll to continue reading.

Over the weekend, the Project Discovery team released a PoC exploit targeting CVE-2023-46747, and Praetorian Security, which identified the bug, updated their initial blog with additional technical details.

Praetorian says they were able to perform AJP (Apache JServ Protocol) request smuggling to create a new System user, log in with administrative credentials, and run arbitrary commands on an impacted system.

“The process of abusing AJP request smuggling causes Tomcat and Apache to get out of sync. So as you send more of these requests, the de-sync gets worse. Eventually the server gets so out of sync that it becomes incapable of actually serving the correct site once you ask for it,” Praetorian researcher Michael Weber notes.

“During testing we regularly would get our F5-BIGIP so jammed up that it was just faster to do a full server reboot than it was to wait for things to clear out normally. There’s a secondary bug here in that if you do this enough, you’ll eventually catch the login session of someone else trying to hit the server, but given the fact that you can get RCE through this as well, it seems not to be as huge of a deal,” Weber adds.

According to Praetorian, there are thousands of internet-accessible BIG-IP instances, which are potentially exposed to exploitation, many of which pertain to organizations in the telecommunications sector.

Related: F5 BIG-IP Vulnerability Can Lead to DoS, Code Execution

Related: Critical Vulnerability Exploited to ‘Destroy’ BIG-IP Appliances

Related: F5 Warns BIG-IP Customers About 18 Serious Vulnerabilities

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join us as we delve into the transformative potential of AI, predictive ChatGPT-like tools and automation to detect and defend against cyberattacks.


As cybersecurity breaches and incidents escalate, the cyber insurance ecosystem is undergoing rapid and transformational change.


Expert Insights

Related Content

Management & Strategy

Anna Tutt, CMO of Oort, shares her experiences and perspectives on how we can accelerate growth of women in cybersecurity.


The UK’s NCSC has issued a security advisory to warn about spearphishing campaigns conducted by two unrelated Russian and Iranian hacker groups.


A new CISA pilot program to warn critical infrastructure organizations if their systems are unpatched against vulnerabilities exploited in ransomware attacks.

Cybersecurity Funding

B2B payment security provider NsKnox raised $17 million in a new funding round that brings the total raised by the company to $35.6 million.


Privacy experts have said they fear pregnancies could be surveilled and the data shared with police or sold to vigilantes.


Google has suspended the Chinese shopping app Pinduoduo on its app store after malware was discovered in versions of the app from other sources.


ICS Patch Tuesday: Siemens and Schneider Electric have published more than a dozen advisories addressing over 200 vulnerabilities.

Cybersecurity Funding

Silk Security raised $12.5 million in seed funding and is on a mission to break down the silos between security and development with an...