December 6, 2023

F5 has warned its customers about a critical security vulnerability that impacts BIG-IP and could result in unauthenticated remote code execution.

The vulnerability, tracked as CVE-2023-46747 with a CVSS score of 9.8 and rated critical, resides in the Configuration utility component.

As per the F5 advisory, this vulnerability may allow an unauthenticated attacker with network access to the BIG-IP system through the management port and/or self IP addresses to execute arbitrary system commands. There is no data plane exposure; this is a control plane issue only.


As a result of our research, we were able to identify an authentication bypass issue that led to the complete compromise of an F5 system with the Traffic Management User Interface (TMUI) exposed. The flaw was assigned CVE-2023-46747 and is closely related to CVE-2022-26377. While the issue we highlighted in the F5 TMUI portal was a critical risk issue and an unknown vulnerability, you can still take steps to protect yourself. After the two previous RCEs in the TMUI service, the interface itself should not be exposed to the Internet in the first place.

The vulnerability affects the following versions:

  • 17.1.0 (Fixed in + Hotfix-BIGIP-
  • 16.1.0 – 16.1.4 (Fixed in + Hotfix-BIGIP-
  • 15.1.0 – 15.1.10 (Fixed in + Hotfix-BIGIP-
  • 14.1.0 – 14.1.5 (Fixed in + Hotfix-BIGIP-
  • 13.1.0 – 13.1.5 (Fixed in + Hotfix-BIGIP-

F5 has released a shell script for versions 14.1.0 and later. The company pointed out that the script must not be used on any BIG-IP version prior to 14.1.0 because it will prevent the Configuration utility from starting.


Until it is possible to install a fixed version, you can use the following sections as temporary mitigations. These mitigations restrict access to the Configuration utility to only trusted networks or devices, thereby limiting the attack surface.

  • Block Configuration utility access through self IP addresses
  • Block Configuration utility access through the management interface
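As an added example, not text from the article or from the F5 advisory, the two restrictions above expressed as commands at the BIG-IP tmsh prompt; the self IP name `self_external` and the trusted network `192.0.2.0/24` are placeholders to be replaced with your own values.

```tmsh
# Added example: restricting Configuration utility access with tmsh.
# "self_external" and 192.0.2.0/24 are placeholders; substitute your own.

# 1) Self IP addresses: Port Lockdown "Allow None" blocks all services on
#    that self IP, including the Configuration utility on TCP/443.
#    The weak setting to move away from is "allow-service all".
modify /net self self_external allow-service none

# 2) Management interface: replace the httpd allow list (default "all")
#    with only the trusted management network.
modify /sys httpd allow replace-all-with { 192.0.2.0/24 }

# Review the resulting settings, then persist them.
list /sys httpd allow
list /net self self_external allow-service
save /sys config
```

Apply the self IP change to every self IP that can reach the Configuration utility, and confirm afterwards that no trusted management path was cut off before relying on it.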
