Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2023-46747

CVE-2023-46747: F5 BIG-IP APM Auth Bypass Vulnerability

CVE-2023-46747 is an authentication bypass flaw in F5 BIG-IP Access Policy Manager that allows attackers to execute arbitrary system commands via the management interface. This article covers technical details, affected versions, impact assessment, and mitigation strategies.

Updated:

CVE-2023-46747 Overview

CVE-2023-46747 is an authentication bypass vulnerability in the F5 BIG-IP Traffic Management User Interface (TMUI) configuration utility. Undisclosed requests can bypass authentication, allowing an unauthenticated attacker with network access to the management port or self IP addresses to execute arbitrary system commands. The flaw is rooted in an AJP protocol smuggling condition between the front-end Apache server and the back-end Tomcat servlet. F5 published the advisory on October 26, 2023, and the issue was added to the CISA Known Exploited Vulnerabilities catalog shortly thereafter. The vulnerability is tracked under [CWE-288] (Authentication Bypass Using an Alternate Path) and [CWE-306] (Missing Authentication for Critical Function).

Critical Impact

Unauthenticated remote attackers can fully compromise BIG-IP appliances, executing root-level commands on devices that typically front sensitive enterprise traffic.

Affected Products

  • F5 BIG-IP Local Traffic Manager (LTM), Access Policy Manager (APM), and Advanced WAF
  • F5 BIG-IP Advanced Firewall Manager (AFM), DDoS Hybrid Defender, and SSL Orchestrator
  • F5 BIG-IP Global Traffic Manager (GTM), DNS, ASM, Analytics, Link Controller, and related modules

Discovery Timeline

  • 2023-10-26 - CVE-2023-46747 published to NVD and F5 advisory K000137353 released
  • 2025-10-27 - Last updated in NVD database

Technical Details for CVE-2023-46747

Vulnerability Analysis

The BIG-IP configuration utility fronts a Java Tomcat back-end via an Apache mod_proxy reverse proxy that communicates over the Apache JServ Protocol (AJP). The vulnerability arises because the front-end Apache server forwards client-controlled headers in a way that allows attackers to smuggle attacker-controlled AJP attributes into the Tomcat back-end. By manipulating AJP request attributes, an attacker can set authenticated user context and reach administrative endpoints without valid credentials.

Once authentication is bypassed, the attacker reaches privileged management endpoints that accept commands executed as root by the TMUI back-end. Chained with a command execution sink, this yields full unauthenticated remote code execution on the appliance. BIG-IP devices commonly terminate TLS, inspect application traffic, and broker access to internal networks, making compromise highly consequential.

Root Cause

The root cause is an inconsistent trust boundary between Apache and Tomcat. Apache forwards headers and attributes over AJP without sanitizing fields that Tomcat treats as authoritative for authentication state. This is a classic request smuggling pattern combined with [CWE-288] alternate-path authentication bypass.

Attack Vector

The attack requires only network reachability to the BIG-IP management interface or any self IP that exposes the configuration utility. The attacker sends crafted HTTP requests containing manipulated AJP-related headers to the TMUI, bypasses session validation, and invokes administrative bash command execution endpoints. No user interaction or prior credentials are required.

A public exploit demonstrating AJP smuggling against TMUI is documented at Packet Storm Security. For exploitation details and context, see the SecPod analysis.

Detection Methods for CVE-2023-46747

Indicators of Compromise

  • Unexpected POST requests to TMUI endpoints such as /mgmt/tm/util/bash or /tmui/login.jsp from external sources
  • Creation of new administrative users in BIG-IP audit logs (/var/log/audit) without corresponding change tickets
  • Outbound connections from the BIG-IP appliance to unfamiliar hosts, indicating attacker-controlled command and control
  • Modified or newly created files in /tmp or /var/tmp on the appliance following anomalous TMUI access

Detection Strategies

  • Inspect Apache access logs on the BIG-IP for requests containing suspicious headers or AJP attribute manipulation patterns
  • Alert on any successful authenticated TMUI session that lacks a preceding valid login event in the audit trail
  • Correlate management interface access with allowed source IP allowlists and flag deviations

Monitoring Recommendations

  • Forward BIG-IP audit logs, TMUI access logs, and REST API logs to a centralized SIEM for correlation and retention
  • Monitor for the creation of TMSH command users, modifications to /config/bigip.conf, and unexpected service restarts
  • Use network telemetry to detect any direct internet exposure of TCP/443 on management interfaces

How to Mitigate CVE-2023-46747

Immediate Actions Required

  • Apply the engineering hotfix or upgrade to a fixed release as documented in F5 article K000137353
  • Restrict TMUI and management interface access to trusted administrative networks only
  • Audit BIG-IP appliances for unauthorized user accounts, configuration changes, and suspicious processes
  • Rotate administrative credentials and API tokens on any device that may have been exposed

Patch Information

F5 released fixed versions for BIG-IP 17.x, 16.x, 15.x, 14.x, and 13.x along with a mitigation shell script for unpatched systems. End-of-Technical-Support versions were not evaluated and should be upgraded. Full version mapping is provided in the F5 Knowledge Base Article. The vulnerability is listed in the CISA Known Exploited Vulnerabilities catalog, making prompt remediation mandatory for U.S. federal agencies.

Workarounds

  • Block all external access to the TMUI configuration utility using upstream firewalls or packet filters
  • Run the F5-provided mitigation script that disables the vulnerable AJP request paths on supported versions
  • Disable the configuration utility entirely on appliances that are managed exclusively through BIG-IQ or automation tooling
bash
# Restrict TMUI access to a management subnet using tmsh
tmsh modify sys httpd allow replace-all-with { 10.0.0.0/24 127.0.0.0/8 }
tmsh save sys config

# Verify current allow list
tmsh list sys httpd allow

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.