CVE-2023-46747
Published: 26 October 2023
Summary
CVE-2023-46747 is a critical-severity Authentication Bypass Using an Alternate Path or Channel (CWE-288) vulnerability in F5 BIG-IP Access Policy Manager. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 0.0% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and IA-2 (Identification and Authentication (Organizational Users)).
Deeper analysis
CVE-2023-46747 is an authentication bypass vulnerability in the F5 BIG-IP Traffic Management User Interface (TMUI) configuration utility. It stems from improper handling of certain requests that can evade authentication checks, affecting the management interface exposed via the management port or self IP addresses. The flaw is tracked under CWE-288 and CWE-306 and carries a CVSS v3.1 score of 9.8.
An attacker with network access to the affected interfaces can submit crafted requests to bypass authentication entirely and execute arbitrary system commands on the BIG-IP device. No valid credentials are required, and the attack can be performed remotely without user interaction.
F5 has published mitigation guidance in security article K000137353, which addresses patching and configuration changes for supported versions; end-of-support releases are not covered. Public exploit code is available, and reporting indicates the vulnerability has been incorporated into active exploit chains observed in the wild. The associated EPSS score remains extremely high, with a current value of 0.9444 and a recorded peak of 0.9735.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-50916
Vulnerability details
Undisclosed requests may bypass configuration utility authentication, allowing an attacker with network access to the BIG-IP system through the management port and/or self IP addresses to execute arbitrary system commands. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
- CWE(s): CWE-288, CWE-306
- KEV Date Added: 31 October 2023
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
CVE-2023-46747 allows unauthenticated attackers with network access to bypass TMUI authentication via undisclosed (AJP smuggling) requests, enabling arbitrary remote system command execution on BIG-IP. This directly maps to Exploit Public-Facing Application (T1190), Exploitation of Remote Services (T1210), and Command and Scripting Interpreter: Unix Shell (T1059.004).
Affected Assets
Mitigating Controls (NIST 800-53 r5)
- AC-3 (Access Enforcement): Directly enforces authentication and authorization decisions before granting access to TMUI functions, blocking the unauthenticated request paths used by CVE-2023-46747.
- IA-2 (Identification and Authentication (Organizational Users)): Requires unique identification and authentication of users before allowing access to the configuration utility, directly countering the authentication-bypass flaw.
- Restricts network access to management ports and self IP addresses, limiting the attack surface that enables remote unauthenticated command execution.