CVE-2023-46747 — F5 BIG-IP Configuration Utility Authentication Bypass Vulnerability


F5 BIG-IP TMUI — Unauthenticated Request Smuggling Bypasses Auth to Enable RCE When Chained with CVE-2023-46748; Praetorian Discovery; Ransomware Exploitation

What is F5 BIG-IP?

F5 BIG-IP is an application delivery controller (ADC) and load balancer platform deployed at the network edge of enterprises, financial institutions, and government agencies. BIG-IP handles TLS termination, load balancing, web application firewall (WAF) functions, and application acceleration for high-traffic environments. The BIG-IP Configuration utility (TMUI — Traffic Management User Interface) is the web-based management console for administering BIG-IP devices. Because BIG-IP devices sit in front of all web application traffic, their compromise gives an attacker visibility into decrypted traffic, the ability to modify application responses, and a pivot point into the internal network.

Overview

CVE-2023-46747 is a critical authentication bypass vulnerability in F5 BIG-IP's Configuration utility (TMUI), allowing unauthenticated access to the administrative interface through HTTP request smuggling or alternate path exploitation. Discovered by Praetorian researchers Thomas Hendrickson and Michael Weber, the vulnerability allows an unauthenticated attacker with network access to the BIG-IP management port to bypass authentication and interact with the administrative interface. When chained with CVE-2023-46748 (an authenticated SQL injection in TMUI), the combined attack achieves unauthenticated remote code execution as root on the BIG-IP management plane.

Affected Versions

Product          Vulnerable      Fixed
BIG-IP 17.1.x    < 17.1.0.3      17.1.0.3
BIG-IP 16.1.x    < 16.1.4.1      16.1.4.1
BIG-IP 15.1.x    < 15.1.10.4     15.1.10.4
BIG-IP 14.1.x    < 14.1.5.6      14.1.5.6
BIG-IP 13.1.x    < 13.1.5.3      13.1.5.3
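A small version check built from the table above, added here as an example and not part of F5's advisory or tooling. It maps a BIG-IP version string to its branch and compares it against the fixed release for that branch; the branch-to-fix mapping is the one the table lists, and the inventory list in the usage call is constructed.

```python
from typing import Optional

# Fixed release per software branch, taken from the affected-versions table.
FIXED_VERSIONS = {
    "17.1": "17.1.0.3",
    "16.1": "16.1.4.1",
    "15.1": "15.1.10.4",
    "14.1": "14.1.5.6",
    "13.1": "13.1.5.3",
}


def parse_version(version: str) -> tuple:
    """Turn '15.1.10.3' into (15, 1, 10, 3) so tuple comparison orders it correctly."""
    return tuple(int(part) for part in version.strip().split("."))


def branch_of(version: str) -> str:
    """The first two components name the software branch, e.g. '15.1'."""
    return ".".join(version.strip().split(".")[:2])


def is_vulnerable(version: str) -> Optional[bool]:
    """True if the version is below the fixed release for its branch,
    False if it is at or above it, None if the branch is not in the table
    (treat None as 'needs manual review', not as 'safe')."""
    fixed = FIXED_VERSIONS.get(branch_of(version))
    if fixed is None:
        return None
    return parse_version(version) < parse_version(fixed)


def triage(inventory: dict) -> dict:
    """Classify a {hostname: version} inventory into lists of hostnames."""
    result = {"vulnerable": [], "fixed": [], "unknown_branch": []}
    for host, version in inventory.items():
        state = is_vulnerable(version)
        key = "unknown_branch" if state is None else ("vulnerable" if state else "fixed")
        result[key].append(host)
    return result


if __name__ == "__main__":
    # Constructed inventory for demonstration only.
    sample = {
        "lb-edge-01": "17.1.0.2",
        "lb-edge-02": "17.1.0.3",
        "lb-dc-01": "15.1.10.3",
        "lb-legacy-01": "12.1.5",
    }
    for bucket, hosts in triage(sample).items():
        print(f"{bucket}: {', '.join(hosts) or '-'}")
```

Versions with fewer components than the fix (for example "13.1.4") compare as lower than the fixed release, which is the conservative answer; a branch missing from the table is reported separately rather than assumed safe.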

Technical Details

CWE-288 (Authentication Bypass Using an Alternate Path or Channel). The BIG-IP TMUI processes HTTP requests through an Apache proxy that forwards them to the backend management application. A flaw in how the proxy handles certain HTTP request formats allows requests to bypass the authentication layer and reach protected backend endpoints directly. An unauthenticated attacker can craft requests that smuggle traffic past the authentication check to interact with TMUI's privileged functionality.

When chained with CVE-2023-46748 (SQL injection in TMUI), the complete attack chain is:

  1. Use CVE-2023-46747 to bypass authentication (no credentials needed)
  2. Use CVE-2023-46748 to inject SQL via the unauthenticated session
  3. Execute OS commands via SQL (xp_cmdshell equivalent) to achieve RCE as root on the BIG-IP management plane

This gives the attacker full control of the BIG-IP device — including the ability to intercept all proxied application traffic, modify WAF rules, exfiltrate TLS private keys, and pivot into backend application servers.

Discovery

Discovered by Thomas Hendrickson and Michael Weber at Praetorian, who reported the vulnerability to F5 and published technical details after the patch was released. Praetorian confirmed that active exploitation was occurring at the time of disclosure. F5 credited Praetorian with discovery in its advisory.

Exploitation Context

F5 BIG-IP devices are high-value targets for both espionage and ransomware actors due to their privileged network position. BIG-IP instances handling TLS termination for banking, healthcare, and government applications are particularly attractive because compromise provides access to decrypted traffic for all protected applications. Following disclosure, ransomware groups rapidly incorporated the CVE-2023-46747 + CVE-2023-46748 chain, targeting internet-exposed BIG-IP management interfaces that had not been patched. Thousands of BIG-IP devices expose their management interface to the internet, making this vulnerability highly exploitable at scale.

Remediation

  1. Apply F5 patches immediately per advisory K000137353 — update to fixed versions for your BIG-IP software branch.
  2. Restrict access to the BIG-IP management interface (port 443/TMUI) to trusted management networks only — never expose TMUI to the internet.
  3. Also patch CVE-2023-46748 (SQL injection in TMUI) — both vulnerabilities are fixed in the same update and form a combined RCE chain.
  4. Check BIG-IP access logs for exploitation indicators: unexpected POST requests to TMUI endpoints from unusual source IPs, unauthorized config changes, new user accounts, or unexpected traffic routing modifications.
  5. If compromise is suspected, treat the BIG-IP device and all applications it proxies as potentially compromised — the attacker may have harvested TLS private keys, intercepted decrypted traffic, or modified application behavior.
  6. Review BIG-IP iRules and virtual server configurations for unauthorized modifications that could indicate persistent access or traffic interception.
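The log review in step 4 and the management-network restriction in step 2 can be combined into one triage pass: flag any request to a TMUI path that did not come from a trusted management range, and rank POSTs higher than GETs. The script below is an added example, not F5's or Praetorian's code. It assumes Apache combined log format, a trusted-range list you supply, and the sample log lines, source addresses and request paths embedded in it are constructed for illustration.

```python
import ipaddress
import re
from typing import Dict, List

# Constructed sample in Apache combined log format; addresses are documentation
# ranges and the paths are illustrative TMUI paths, not real captured traffic.
SAMPLE_LOG = """\
10.10.5.20 - admin [27/Oct/2023:09:12:01 +0000] "GET /tmui/login.jsp HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.77 - - [27/Oct/2023:09:13:44 +0000] "POST /tmui/Control/form HTTP/1.1" 200 812 "-" "python-requests/2.31"
10.10.5.20 - admin [27/Oct/2023:09:15:10 +0000] "POST /tmui/Control/form HTTP/1.1" 200 812 "-" "Mozilla/5.0"
198.51.100.9 - - [27/Oct/2023:09:16:02 +0000] "POST /tmui/example/endpoint.jsp HTTP/1.1" 404 310 "-" "curl/8.1.2"
203.0.113.77 - - [27/Oct/2023:09:16:30 +0000] "GET /tmui/login.jsp HTTP/1.1" 200 5120 "-" "python-requests/2.31"
"""

# Apache combined log format: ip ident user [ts] "METHOD path proto" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"$'
)


def is_trusted(ip: str, trusted: List[ipaddress._BaseNetwork]) -> bool:
    """True if the source address falls inside any trusted management range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in trusted)


def find_suspicious(log_text: str, trusted_cidrs: List[str]) -> List[Dict[str, str]]:
    """Return TMUI requests from outside the trusted ranges.

    POSTs are ranked 'high' (state-changing, matches the indicator in step 4);
    any other TMUI access from an untrusted source is 'medium' because the
    interface should not be reachable from there at all (step 2)."""
    trusted = [ipaddress.ip_network(c) for c in trusted_cidrs]
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; a production version would count these
        if not m["path"].startswith("/tmui/"):
            continue
        if is_trusted(m["ip"], trusted):
            continue
        findings.append({
            "ip": m["ip"],
            "user": m["user"],
            "method": m["method"],
            "path": m["path"],
            "status": m["status"],
            "ua": m["ua"],
            "severity": "high" if m["method"] == "POST" else "medium",
        })
    return findings


def count_by_source(findings: List[Dict[str, str]]) -> Dict[str, int]:
    """Number of flagged requests per source address, for prioritising review."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f["ip"]] = counts.get(f["ip"], 0) + 1
    return counts


if __name__ == "__main__":
    # Constructed trusted management range for the demo.
    hits = find_suspicious(SAMPLE_LOG, ["10.10.0.0/16"])
    for h in hits:
        print(f"[{h['severity']}] {h['ip']} {h['method']} {h['path']} -> {h['status']} ({h['ua']})")
    print("per source:", count_by_source(hits))
```

A 404 from an untrusted source is still reported: probing for paths is itself worth noticing on an interface that should only see management traffic. Run it against the real httpd access log on the device and replace the trusted range with your management CIDRs.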

Key Details

Property                Value
CVE ID                  CVE-2023-46747
Vendor / Product        F5 — BIG-IP Configuration Utility
NVD Published           2023-10-26
NVD Last Modified       2025-10-27
CVSS 3.1 Score          9.8
CVSS 3.1 Vector         CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Severity                CRITICAL
CWE                     CWE-288
CISA KEV Added          2023-10-31
CISA KEV Deadline       2023-11-21
Known Ransomware Use    ⚠️ Yes

CVSS 3.1 Breakdown

Attack Vector:        Network
Attack Complexity:    Low
Privileges Required:  None
User Interaction:     None
Scope:                Unchanged
Confidentiality:      High
Integrity:            High
Availability:         High

Required Action

CISA BOD 22-01 Deadline: 2023-11-21. Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

Timeline

Date          Event
2023-10-26    F5 publishes advisory K000137353 patching CVE-2023-46747 and CVE-2023-46748; Praetorian reports active exploitation
2023-10-31    CISA adds the vulnerability to the Known Exploited Vulnerabilities catalog
2023-11-21    CISA BOD 22-01 remediation deadline

References

Resource                                            Type
F5 Security Advisory K000137353 — CVE-2023-46747    Vendor Advisory
NVD — CVE-2023-46747                                Vulnerability Database
CISA KEV Catalog Entry                              US Government