CVE-2023-46747 Overview
CVE-2023-46747 is a critical authentication bypass vulnerability affecting F5 BIG-IP systems that allows remote attackers to execute arbitrary system commands. The vulnerability exists in the configuration utility (TMUI) and can be exploited by attackers with network access to the BIG-IP management port or self IP addresses. This flaw enables unauthenticated remote command execution through specially crafted requests that bypass the authentication mechanisms of the Traffic Management User Interface.
Critical Impact
This vulnerability allows unauthenticated attackers with network access to BIG-IP management interfaces to completely compromise affected systems through arbitrary command execution. Active exploitation has been confirmed in the wild and the vulnerability is listed in CISA's Known Exploited Vulnerabilities catalog.
Affected Products
- F5 BIG-IP Access Policy Manager
- F5 BIG-IP Local Traffic Manager
- F5 BIG-IP Application Security Manager
- F5 BIG-IP Advanced Firewall Manager
- F5 BIG-IP Advanced Web Application Firewall
- F5 BIG-IP Carrier-Grade NAT
- F5 BIG-IP DDoS Hybrid Defender
- F5 BIG-IP SSL Orchestrator
- F5 BIG-IP Domain Name System
- F5 BIG-IP Policy Enforcement Manager
- F5 BIG-IP Global Traffic Manager
- F5 BIG-IP Analytics
- F5 BIG-IP WebAccelerator
- F5 BIG-IP Link Controller
- F5 BIG-IP Application Acceleration Manager
- F5 BIG-IP Application Visibility and Reporting
- F5 BIG-IP Fraud Protection Services
- F5 BIG-IP WebSafe
- F5 BIG-IP Automation Toolchain
- F5 BIG-IP Container Ingress Services
Discovery Timeline
- October 26, 2023 - CVE-2023-46747 published to NVD
- October 27, 2025 - Last updated in NVD database
Technical Details for CVE-2023-46747
Vulnerability Analysis
This authentication bypass vulnerability stems from improper authentication handling in the F5 BIG-IP Traffic Management User Interface (TMUI). The flaw allows attackers to send undisclosed requests that circumvent the configuration utility's authentication controls. Once authentication is bypassed, attackers can leverage the compromised session to execute arbitrary system commands on the underlying BIG-IP appliance with elevated privileges.
The vulnerability is particularly dangerous because BIG-IP devices typically sit at critical network boundaries, handling traffic management, load balancing, security enforcement, and access control. Successful exploitation grants attackers a foothold in a highly privileged network position, enabling lateral movement, data exfiltration, and disruption of critical network services.
Root Cause
The root cause of CVE-2023-46747 involves two related weaknesses: Authentication Bypass Using an Alternate Path or Channel (CWE-288) and Missing Authentication for Critical Function (CWE-306). The vulnerability exists because the TMUI configuration utility fails to properly validate authentication for certain request types, allowing attackers to access administrative functions through an alternate authentication path. This implementation flaw enables the crafting of requests that completely bypass the intended authentication mechanisms.
Attack Vector
The attack vector for this vulnerability is network-based, requiring only that an attacker has network connectivity to either the BIG-IP management port or self IP addresses where the configuration utility is accessible. The exploit leverages AJP (Apache JServ Protocol) smuggling techniques to bypass authentication controls in the TMUI. Once the authentication bypass is achieved, the attacker can execute arbitrary commands with root-level privileges on the BIG-IP system. The attack does not require any user interaction, credentials, or prior authentication, making it highly exploitable in environments where management interfaces are exposed.
The vulnerability has been actively exploited in the wild and has been used as part of exploit chains to compromise BIG-IP infrastructure. Organizations should assume that any internet-exposed BIG-IP management interfaces are high-priority targets.
Detection Methods for CVE-2023-46747
Indicators of Compromise
- Unusual HTTP requests to the /tmui/ path on BIG-IP management interfaces, particularly those containing AJP smuggling patterns
- Unexpected process spawning or command execution originating from the TMUI or Apache/httpd processes
- Authentication bypass attempts visible in /var/log/ltm or /var/log/audit logs without corresponding valid login events
- Creation of new administrative accounts or modification of existing account permissions without authorized changes
Detection Strategies
- Monitor network traffic to BIG-IP management ports (typically 443/tcp for TMUI) for anomalous request patterns indicative of AJP smuggling attempts
- Implement detection rules for requests attempting to access TMUI administrative functions without proper session authentication
- Deploy SentinelOne Singularity to detect and alert on suspicious command execution patterns originating from web server processes on BIG-IP systems
- Analyze Apache/httpd access logs for unusual request sequences targeting the configuration utility endpoints
Monitoring Recommendations
- Enable comprehensive logging on all BIG-IP management interfaces and forward logs to a centralized SIEM for correlation and analysis
- Implement network segmentation monitoring to detect unauthorized access attempts to management networks
- Configure alerting for any administrative actions performed on BIG-IP systems outside of approved change windows
- Utilize SentinelOne's network visibility capabilities to monitor traffic flows to and from BIG-IP management interfaces
How to Mitigate CVE-2023-46747
Immediate Actions Required
- Apply the security patches provided by F5 immediately for all affected BIG-IP versions as documented in F5 Support Article K000137353
- Restrict network access to BIG-IP management interfaces to trusted administrative networks only using firewall rules and network segmentation
- Audit all BIG-IP systems for indicators of compromise, including unauthorized accounts, unexpected configuration changes, and suspicious log entries
- If patching is not immediately possible, implement the temporary mitigations recommended by F5 to reduce exposure
Patch Information
F5 has released security updates to address CVE-2023-46747 across all supported BIG-IP product versions. Organizations should consult the official F5 Support Article K000137353 for specific version information and patching guidance. Note that software versions that have reached End of Technical Support (EoTS) are not evaluated and organizations using such versions should prioritize upgrading to supported releases.
Workarounds
- Block all external access to BIG-IP management interfaces by ensuring the management port and self IPs are not accessible from untrusted networks
- Implement IP allowlisting for the configuration utility access, restricting connections to known administrator IP addresses only
- Disable the configuration utility if it is not required for operations, eliminating the attack surface entirely
- Deploy web application firewall rules to detect and block AJP smuggling attempts targeting BIG-IP management interfaces
# Example: Restrict TMUI access to specific management network
# Add to BIG-IP configuration to limit management access
# Consult F5 documentation for your specific version
# Create a self IP port lockdown to restrict access
tmsh modify net self <self-ip-name> port-lockdown allow-custom
tmsh modify net self <self-ip-name> allow-service add { tcp:443 }
# Apply network firewall rules to restrict management access
# Only allow trusted admin networks to reach management interface
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
