CVE-2023-46748

Severity: High · CISA KEV · Active Exploitation · EUVD Exploited · Public PoC

Published: 26 October 2023
Modified: 27 October 2025
KEV Added: 31 October 2023
Patch: F5 article K000137365 (see below)
CVSS Score (v3.1): 8.8, vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS Score: 0.0435 (89.2nd percentile)
Risk Priority: 40 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2023-46748 is a high-severity SQL injection (CWE-89) vulnerability in F5 BIG-IP Access Policy Manager and other BIG-IP modules. Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked in the top 10.8% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

An authenticated SQL injection vulnerability tracked as CVE-2023-46748 affects the BIG-IP Configuration utility. The flaw, assigned CWE-89 and carrying a CVSS 3.1 score of 8.8, resides in F5 BIG-IP software and permits an attacker who already possesses valid credentials and network reachability to the management interface to execute arbitrary system commands.

An authenticated attacker with network access to the Configuration utility through the BIG-IP management port or self IP addresses can leverage the injection to run operating-system commands on the affected device. The attack requires no user interaction and can be performed remotely once the attacker has obtained valid credentials.

F5 has published remediation guidance under article K000137365, and the vulnerability appears in CISA’s Known Exploited Vulnerabilities catalog. A companion report notes that the issue has been observed in active exploit chains. The associated EPSS score has remained flat at 0.0435 since disclosure, indicating steady but not sharply increasing exploitation interest.

Vulnerability details

An authenticated SQL injection vulnerability exists in the BIG-IP Configuration utility which may allow an authenticated attacker with network access to the Configuration utility through the BIG-IP management port and/or self IP addresses to execute arbitrary system commands. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

CWE(s): CWE-89 (SQL Injection)
KEV Date Added: 31 October 2023

Related Threats

MITRE ATT&CK Enterprise Techniques

T1068 Exploitation for Privilege Escalation (tactic: Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.

T1210 Exploitation of Remote Services (tactic: Lateral Movement)
Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network.

Why these techniques?

Authenticated SQL injection in BIG-IP Configuration utility enables arbitrary system command execution, facilitating exploitation for privilege escalation (T1068) and exploitation of remote services (T1210).

Affected Assets

All listed products are F5 BIG-IP modules; each is affected in versions 13.1.0 to 13.1.5, 14.1.0 to 14.1.5 and 15.1.0 to 15.1.10.

- BIG-IP Access Policy Manager
- BIG-IP Advanced Firewall Manager
- BIG-IP Carrier-Grade NAT
- BIG-IP DDoS Hybrid Defender
- BIG-IP SSL Orchestrator
- BIG-IP Local Traffic Manager
- BIG-IP Policy Enforcement Manager
- BIG-IP Automation Toolchain
- BIG-IP Container Ingress Services
- BIG-IP Advanced Web Application Firewall

+10 more product configuration(s); see NVD for the full list.

Mitigating Controls

Mitigating Controls (NIST 800-53 r5)

SI-2 Flaw Remediation (prevent)
Directly requires applying the F5-supplied patches that eliminate the SQL injection flaw in the Configuration utility.

SI-10 Information Input Validation (prevent)
Mandates input validation on all user-supplied data entering the Configuration utility, blocking the SQL injection that leads to OS command execution.

SC-7 Boundary Protection (prevent)
Enforces boundary protection rules that can restrict network access to the BIG-IP management port and self IP addresses, reducing the attack surface for authenticated exploitation.
