F5 has published two advisories for vulnerabilities in the Configuration utility of BIG-IP, affecting all modules. The first, CVE-2023-46747, allows an unauthenticated remote attacker with network access to the Traffic Management User Interface (TMUI) to bypass authentication and execute arbitrary system commands with administrator privileges. It carries a critical CVSS score of 9.8.
The second, CVE-2023-46748, is an SQL injection in the same interface that lets an authenticated attacker with TMUI access execute system commands. It is rated "high" with a CVSS score of 8.8. Because CVE-2023-46747 bypasses authentication, the "authenticated" precondition of CVE-2023-46748 is not a meaningful barrier in practice; the two should be treated as a chain.
Security researchers at Praetorian have published a detailed technical report on CVE-2023-46747. The report points out the similarity to CVE-2020-5902, an earlier TMUI vulnerability that was exploited in the wild shortly after disclosure, and describes how the flaw was found. Exploitation of CVE-2023-46747 relies on an older vulnerability, CVE-2022-26377, an HTTP request smuggling flaw in the Apache HTTP Server version shipped with BIG-IP (specifically in mod_proxy_ajp, which forwards TMUI requests to the Java backend over AJP): a smuggled AJP request reaches the backend without passing the front-end authentication check. F5 had acknowledged CVE-2022-26377 in an advisory but had not patched it.
Both Tenable and F5's own advisories report that exploitation of CVE-2023-46747 and CVE-2023-46748 has been observed in the wild, and they reference a publicly available proof-of-concept. Administrators should apply the fixed versions listed in the F5 advisories and verify that TMUI is not reachable from untrusted networks.
https://www.bsi.bund.de/SharedDocs/Cybersicherheitswarnungen/DE/2023/2023-283789-1032.html