CVE-2023-46747: Undisclosed requests may bypass configuration utility authentication, allowing an attacker with network access to the BIG-IP system through the management port…

critical9.8CVSS 3.1

AVNACLPRNUINSUCHIHAH

KEVITWEXPLOIT

CISA Known Exploited Vulnerabilitydue 2023-11-21

Exploited in the wild

Undisclosed requests may bypass configuration utility authentication, allowing an attacker with network access to the BIG-IP system through the management port and/or self IP addresses to execute arbitrary system commands. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated

Affected

125 ranges· showing 25

Vendor	Product	Version range	Fixed in
f5	big-ip	>= 13.1.0 < *	*
f5	big-ip	>= 14.1.0 < *	*
f5	big-ip	>= 15.1.0 < *	*
f5	big-ip	>= 16.1.0 < *	*
f5	big-ip	>= 17.1.0 < *	*
f5	big-ip_aam	—	—
f5	big-ip_access_policy_manager	13.1.0 – 13.1.5	—
f5	big-ip_access_policy_manager	14.1.0 – 14.1.5	—
f5	big-ip_access_policy_manager	15.1.0 – 15.1.10	—
f5	big-ip_access_policy_manager	16.1.0 – 16.1.4	—
f5	big-ip_access_policy_manager	17.1.0 – 17.1.1	—
f5	big-ip_advanced_firewall_manager	13.1.0 – 13.1.5	—
f5	big-ip_advanced_firewall_manager	14.1.0 – 14.1.5	—
f5	big-ip_advanced_firewall_manager	15.1.0 – 15.1.10	—
f5	big-ip_advanced_firewall_manager	16.1.0 – 16.1.4	—
f5	big-ip_advanced_firewall_manager	17.1.0 – 17.1.1	—
f5	big-ip_advanced_waf	—	—
f5	big-ip_advanced_web_application_firewall	13.1.0 – 13.1.5	—
f5	big-ip_advanced_web_application_firewall	14.1.0 – 14.1.5	—
f5	big-ip_advanced_web_application_firewall	15.1.0 – 15.1.10	—
f5	big-ip_advanced_web_application_firewall	16.1.0 – 16.1.4	—
f5	big-ip_advanced_web_application_firewall	17.1.0 – 17.1.1	—
f5	big-ip_afm	—	—
f5	big-ip_analytics	—	—
f5	big-ip_analytics	13.1.0 – 13.1.5	—

CVSS provenance

nvdv3.19.8CRITICALCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

vulncheck9.8CRITICAL

cisa9.8CRITICAL