CVE-2023-46748
Published: 26 October 2023
Summary
CVE-2023-46748 is a high-severity SQL Injection (CWE-89) vulnerability in the F5 BIG-IP Configuration utility. Its CVSS 3.1 base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The CVE ranks in the top 10.8% of CVEs by exploit likelihood, CISA has added it to the Known Exploited Vulnerabilities catalog, and a public proof-of-concept is referenced. The flaw is authenticated: an attacker needs valid Configuration utility credentials before the injection can be reached.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
An authenticated SQL injection vulnerability tracked as CVE-2023-46748 affects the BIG-IP Configuration utility. The flaw, assigned CWE-89 and carrying a CVSS 3.1 score of 8.8, lets an attacker who already holds valid credentials and can reach the Configuration utility over the network execute arbitrary system commands on the device.
The Configuration utility is reachable through the BIG-IP management port and through self IP addresses, so either path exposes the injection. No user interaction is needed and the attack is carried out remotely, which means the authentication requirement is the only barrier: any stolen, weak or otherwise obtained credential turns this into remote operating-system command execution on the appliance.
F5 has published remediation guidance under article K000137365, and the vulnerability appears in CISA’s Known Exploited Vulnerabilities catalog. A companion report notes that the issue has been observed in active exploit chains. The associated EPSS score has held at 0.0435 (about a 4.35% predicted probability of exploitation activity) since disclosure; a flat EPSS score says only that the model's estimate has not moved, and the KEV listing is the stronger signal that the flaw is in real-world use.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-50917
Vulnerability details
An authenticated SQL injection vulnerability exists in the BIG-IP Configuration utility which may allow an authenticated attacker with network access to the Configuration utility through the BIG-IP management port and/or self IP addresses to execute arbitrary system commands. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
- CWE(s): CWE-89 (SQL Injection)
- KEV Date Added: 31 October 2023
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Authenticated SQL injection in the BIG-IP Configuration utility leads to arbitrary system command execution on the device. That maps to Exploitation for Privilege Escalation (T1068), because a Configuration utility account gains operating-system-level execution it was never granted, and to Exploitation of Remote Services (T1210), because the flaw is reached over the network through the management port or self IP addresses.
Affected Assets
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): directly requires applying the F5-supplied fixes in K000137365 that eliminate the SQL injection flaw in the Configuration utility.
- SI-10 (Information Input Validation): mandates validation of all user-supplied data entering the Configuration utility, and in particular that such data never reaches a SQL statement as query text, blocking the injection that leads to OS command execution.
- SC-7 (Boundary Protection): enforces boundary rules that restrict network access to the BIG-IP management port and self IP addresses, shrinking the population of hosts from which an authenticated attacker could reach the Configuration utility at all.
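The CWE-89 pattern behind this flaw, and the SI-10 control that closes it, as an added illustration that is not F5's code and not taken from this page. The page does not disclose which Configuration utility parameter is injectable, so this example uses a constructed in-memory SQLite table and constructed payloads; the function names, the `users` schema and the identifier allowlist are assumptions made for the demonstration. The vulnerable lookup splices the caller's string into the query, the parameterized lookup binds it as data, and the hardened lookup additionally rejects anything that is not a plain identifier before the query is built.

```python
import re
import sqlite3


def build_db():
    """Constructed sample data: a stand-in for whatever store a management
    UI queries. This is not F5's schema."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "admin"), ("bob", "guest"), ("carol", "operator")],
    )
    return conn


def lookup_vulnerable(conn, name):
    """CWE-89: the caller's string becomes part of the SQL text, so quote
    characters and comment markers in it change the query's meaning."""
    sql = f"SELECT name, role FROM users WHERE name = '{name}'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, name):
    """Bound parameter: the driver hands the value to the engine separately
    from the statement, so it is matched literally and never parsed as SQL."""
    sql = "SELECT name, role FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


# Assumed allowlist for a field that should only ever hold a short account
# name; the exact character set is a choice for this example.
NAME_RE = re.compile(r"^[A-Za-z0-9_.-]{1,64}$")


def validate_name(name):
    """SI-10 style positive validation: reject anything outside the allowlist
    instead of trying to strip dangerous characters out of it."""
    if not NAME_RE.fullmatch(name):
        raise ValueError(f"rejected input: {name!r}")
    return name


def lookup_hardened(conn, name):
    """Defence in depth: validate first, then still use a bound parameter."""
    return lookup_parameterized(conn, validate_name(name))


# Constructed payloads: a tautology that widens the WHERE clause, and a
# UNION that pulls rows the caller was never meant to see.
TAUTOLOGY = "bob' OR '1'='1"
UNION = "' UNION SELECT name, role FROM users WHERE role='admin' --"


def demo():
    """Run the same payloads through each lookup and report what each returns."""
    conn = build_db()
    results = {
        "vulnerable_tautology": lookup_vulnerable(conn, TAUTOLOGY),
        "vulnerable_union": lookup_vulnerable(conn, UNION),
        "parameterized_tautology": lookup_parameterized(conn, TAUTOLOGY),
        "parameterized_plain": lookup_parameterized(conn, "bob"),
    }
    try:
        lookup_hardened(conn, TAUTOLOGY)
        results["hardened_tautology"] = "accepted"
    except ValueError:
        results["hardened_tautology"] = "rejected"
    return results


if __name__ == "__main__":
    for label, value in demo().items():
        print(f"{label}: {value}")
```

The tautology payload makes the vulnerable lookup return every row, the UNION payload makes it return the admin row regardless of the name supplied, while the parameterized lookup returns nothing for either (no user is literally named `bob' OR '1'='1`) and the hardened lookup refuses the input before a query exists. Parameterization alone is the fix for the injection; the allowlist is the extra SI-10 layer that also stops unexpected input from reaching any later consumer of the value, such as a shell command, which is the path this CVE takes from SQL injection to OS command execution.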