Security Alert: Active Exploitation of F5 BIG-IP Vulnerabilities

F5 released two advisories addressing vulnerabilities in the configuration utility of BIG-IP (all modules). The first vulnerability, CVE-2023-46747, allows remote attackers with access to the Traffic Management User Interface (TMUI) to execute arbitrary code with administrator privileges. It received a CVSS score of 9.8 (critical).

The second vulnerability, CVE-2023-46748, enables an authenticated attacker with TMUI access to perform SQL injection, leading to the execution of system commands. It was rated "high" with a CVSS score of 8.8.

Security researchers at Praetorian have published a detailed technical report on CVE-2023-46747. The report highlights the similarity of this vulnerability to CVE-2020-5902, which was likewise exploited shortly after its discovery, and describes how the vulnerability was found. Exploitation of CVE-2023-46747 is made possible by an older vulnerability, CVE-2022-26377, which F5 acknowledged in an advisory but did not patch. CVE-2022-26377 is a request smuggling vulnerability in the Apache HTTP Server version used in BIG-IP.

Tenable, an IT security company, and F5's own advisories have already reported observed exploitation of CVE-2023-46747 and CVE-2023-46748. A publicly available proof-of-concept is also referenced.