Cyber Resilience

CVE-2023-46747

Critical · CISA KEV · Active Exploitation · EUVD Exploited · Public PoC · Ransomware-linked

Published: 26 October 2023

Modified: 27 October 2025
KEV Added: 31 October 2023
Patch
CVSS Score (v3.1): 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.9444 (100.0th percentile)
Risk Priority: 96 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2023-46747 is a critical-severity Authentication Bypass Using an Alternate Path or Channel (CWE-288) vulnerability in F5 BIG-IP Access Policy Manager. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); the vulnerability is ranked in the top 0.0% of CVEs by exploit likelihood (EPSS); CISA has added it to the Known Exploited Vulnerabilities catalog; and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and IA-2 (Identification and Authentication (Organizational Users)).

Deeper analysis

CVE-2023-46747 is an authentication bypass vulnerability in the F5 BIG-IP Traffic Management User Interface (TMUI) configuration utility. It stems from improper handling of certain requests that can evade authentication checks, affecting the management interface exposed via the management port or self IP addresses. The flaw is tracked under CWE-288 and CWE-306 and carries a CVSS v3.1 score of 9.8.

An attacker with network access to the affected interfaces can submit crafted requests to bypass authentication entirely and execute arbitrary system commands on the BIG-IP device. No valid credentials are required, and the attack can be performed remotely without user interaction.

F5 has published mitigation guidance in security article K000137353, which addresses patching and configuration changes for supported versions; end-of-support releases are not covered. Public exploit code is available, and reporting indicates the vulnerability has been incorporated into active exploit chains observed in the wild. The associated EPSS score remains extremely high, with a current value of 0.9444 and a recorded peak of 0.9735.

Vulnerability details

Undisclosed requests may bypass configuration utility authentication, allowing an attacker with network access to the BIG-IP system through the management port and/or self IP addresses to execute arbitrary system commands. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

CWE(s): CWE-288, CWE-306
KEV Date Added: 31 October 2023

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1210 Exploitation of Remote Services (Lateral Movement)
Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network.

T1059.004 Unix Shell (Execution)
Adversaries may abuse Unix shell commands and scripts for execution.
Why these techniques?

CVE-2023-46747 allows unauthenticated attackers with network access to bypass TMUI authentication via undisclosed requests (AJP request smuggling), enabling arbitrary remote system command execution on BIG-IP. This directly corresponds to public-facing application exploitation (T1190), remote service exploitation (T1210), and Unix shell abuse (T1059.004).

Affected Assets

F5 BIG-IP Access Policy Manager: 13.1.0 — 13.1.5 · 14.1.0 — 14.1.5 · 15.1.0 — 15.1.10
F5 BIG-IP Advanced Firewall Manager: 13.1.0 — 13.1.5 · 14.1.0 — 14.1.5 · 15.1.0 — 15.1.10
F5 BIG-IP Advanced Web Application Firewall: 13.1.0 — 13.1.5 · 14.1.0 — 14.1.5 · 15.1.0 — 15.1.10
F5 BIG-IP Carrier-Grade NAT: 13.1.0 — 13.1.5 · 14.1.0 — 14.1.5 · 15.1.0 — 15.1.10
F5 BIG-IP DDoS Hybrid Defender: 13.1.0 — 13.1.5 · 14.1.0 — 14.1.5 · 15.1.0 — 15.1.10
F5 BIG-IP SSL Orchestrator: 13.1.0 — 13.1.5 · 14.1.0 — 14.1.5 · 15.1.0 — 15.1.10
F5 BIG-IP Domain Name System: 13.1.0 — 13.1.5 · 14.1.0 — 14.1.5 · 15.1.0 — 15.1.10
F5 BIG-IP Local Traffic Manager: 13.1.0 — 13.1.5 · 14.1.0 — 14.1.5 · 15.1.0 — 15.1.10
F5 BIG-IP Policy Enforcement Manager: 13.1.0 — 13.1.5 · 14.1.0 — 14.1.5 · 15.1.0 — 15.1.10
F5 BIG-IP Automation Toolchain: 13.1.0 — 13.1.5 · 14.1.0 — 14.1.5 · 15.1.0 — 15.1.10
+10 more product configuration(s) — see NVD for full list

Mitigating Controls (NIST 800-53 r5) (AI)

Prevent: AC-3 (Access Enforcement)
Directly enforces authentication and authorization decisions before granting access to TMUI functions, blocking the unauthenticated request paths used by CVE-2023-46747.

Prevent: IA-2 (Identification and Authentication (Organizational Users))
Requires unique identification and authentication of users before allowing access to the configuration utility, directly countering the authentication-bypass flaw.

Prevent
Restricts network access to management ports and self-IP addresses, limiting the attack surface that enables remote unauthenticated command execution.
