CVE-2023-46748 — F5 BIG-IP Configuration Utility SQL Injection Vulnerability

F5 BIG-IP — Authenticated SQL Injection Chained with CVE-2023-46747 for Unauthenticated RCE

What is F5 BIG-IP?

F5 BIG-IP is a widely deployed application delivery controller (ADC) used by enterprises, financial institutions, and government agencies for load balancing, SSL/TLS offloading, WAF capabilities, and application security. The BIG-IP Configuration Utility (TMUI) is its web-based management interface, typically exposed on a dedicated management port or the device's self IP addresses. BIG-IP's central role in network infrastructure makes it a high-value target — full compromise of a BIG-IP device gives attackers deep visibility into and control over traffic flowing through it.

Overview

CVE-2023-46748 is an SQL injection vulnerability in the F5 BIG-IP Configuration Utility (TMUI) that lets an authenticated attacker with network access to the utility execute arbitrary operating system commands on the appliance. On its own it requires valid credentials, but chained with CVE-2023-46747, a critical authentication bypass in the same product, it yields fully unauthenticated remote code execution. F5 disclosed both vulnerabilities in October 2023, and they were exploited together in the wild shortly afterwards.

Affected Versions

Branch    Vulnerable              Fixed
17.1.x    17.1.0 – 17.1.0.1       17.1.0.2
16.1.x    16.1.0 – 16.1.4.1       16.1.4.2
15.1.x    15.1.0 – 15.1.10.3      15.1.10.4
14.1.x    14.1.0 – 14.1.5.5       14.1.5.6
13.1.x    13.1.0 – 13.1.5.1       13.1.5.2

Technical Details

CVE-2023-46748 is an SQL injection flaw (CWE-89) in one of the Configuration Utility's backend request handlers. The attacker supplies a crafted SQL payload in a web parameter that the handler concatenates into a database query without sanitization or parameterization. Because the database layer exposes functions or procedures with operating system access, a suitably constructed payload makes the database execute OS commands on the BIG-IP appliance. The flaw needs a valid Configuration Utility session (the PR:L in the CVSS vector); on its own it is a post-authentication bug.

The companion vulnerability, CVE-2023-46747 (CVSS 9.8, Critical), is an authentication bypass in the Configuration Utility's request routing: a crafted HTTP request is smuggled from the front-end Apache to the backend Tomcat over AJP, so the application handles it as though it came from an authenticated session. The published chain uses this to create a new local administrator account, logs in with that account, and then triggers CVE-2023-46748. End to end, the two-step chain needs no credentials and yields OS-level command execution from the network.
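The injection primitive described above, as an added example that is not the BIG-IP Configuration Utility's code: a lookup built by string concatenation beside its parameterized replacement, run against a constructed SQLite table. The table, column and parameter names and the payload are assumptions for the example. SQLite has no function that runs OS commands, so the command-execution stage of the real bug is not reproduced; what the example shows is why the payload is interpreted as SQL in one case and as an opaque value in the other.

```python
import sqlite3

# Constructed, stand-alone illustration of the CWE-89 pattern described above.
# Not the BIG-IP Configuration Utility's code: the table, columns, parameter
# name and payload are assumptions chosen for the example.


def make_db():
    """In-memory database with a constructed users table (sample data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("admin", "administrator"), ("auditor", "auditor"), ("guest", "guest")],
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn, name):
    """Query built by concatenation: the web parameter becomes SQL syntax."""
    query = "SELECT name, role FROM users WHERE name = '" + name + "'"
    return conn.execute(query).fetchall()


def lookup_hardened(conn, name):
    """Parameterized query: the driver binds the value, which can never
    change the statement's structure."""
    return conn.execute(
        "SELECT name, role FROM users WHERE name = ?", (name,)
    ).fetchall()


# Tautology payload supplied as the 'name' web parameter (constructed).
# The concatenated statement becomes:
#   SELECT name, role FROM users WHERE name = 'x' OR '1'='1'
PAYLOAD = "x' OR '1'='1"


def demo():
    """Run both lookups with the same payload and return the rows each yields."""
    conn = make_db()
    return {
        "vulnerable": lookup_vulnerable(conn, PAYLOAD),  # every row leaks
        "hardened": lookup_hardened(conn, PAYLOAD),      # no row matches
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(label, rows)
```

The fix is the same one that applies to the real handler: bind user-supplied values as parameters, and keep database accounts used by the web tier away from functions that can reach the operating system.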

Discovery

Researchers at Praetorian identified both CVE-2023-46747 and CVE-2023-46748, disclosed them responsibly to F5, and published a technical blog post and proof-of-concept code on the day F5 released its advisory (October 26, 2023).

Exploitation Context

Active exploitation in the wild was observed within days of the advisory. Attackers used the chain to create rogue administrator accounts, exfiltrate configuration data including credentials and private keys, and in some cases wipe or ransom devices. BIG-IP management interfaces are frequently reachable from the internet, which makes the exposed population significant. CISA added the vulnerability to the KEV catalog on October 31, 2023, five days after disclosure.

Remediation

  1. Apply F5 patches immediately by upgrading to a fixed version per the table above. This is the definitive fix.
  2. Restrict management interface access. If patching is delayed, block access to the Configuration Utility (TMUI) from untrusted networks and confine management to a dedicated out-of-band network; this cuts off both the bypass and the injection.
  3. Review BIG-IP user accounts for unauthorized additions. The chain works by creating an administrator account, so a backdoor admin user is the most direct indicator of compromise.
  4. Rotate all credentials stored on or managed by the BIG-IP device, including SSL private keys if the device performs SSL termination.
  5. Check iRules and other configuration objects for unauthorized modifications that could indicate post-exploitation persistence.
  6. If immediate patching is not possible, apply the mitigation script F5 published in K000137365 for the companion authentication bypass. It blocks the request-smuggling route into the Configuration Utility but does not fix the SQL injection, so anyone holding valid credentials can still reach CVE-2023-46748.
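An added audit helper for steps 1 and 3 above; it is not an F5 tool. It parses text in the layout of tmsh show sys version and tmsh list auth user (the layout is assumed here; check it against your own device's output), compares the running version with the fixed versions in the Affected Versions table on this page, and flags admin-role accounts that are not on an allowlist and accounts with a bash login shell. The sample outputs are constructed, and the allowlist is an assumption for the example.

```python
import re

# Added audit helper for the remediation steps above; not an F5 tool.
# Output layouts of `tmsh show sys version` / `tmsh list auth user` are assumed.

# Branch -> first fixed version, from this page's Affected Versions table.
# F5's advisory also lists engineering hotfixes; treat it as authoritative.
FIXED = {
    "17.1": "17.1.0.2",
    "16.1": "16.1.4.2",
    "15.1": "15.1.10.4",
    "14.1": "14.1.5.6",
    "13.1": "13.1.5.2",
}

# Accounts expected to hold the admin role (assumed allowlist for the example).
EXPECTED_ADMINS = {"admin"}

# Constructed sample in the layout of `tmsh show sys version`.
SAMPLE_VERSION = """\
Sys::Version
Main Package
  Product     BIG-IP
  Version     16.1.3
  Build       0.0.12
"""

# Constructed sample in the layout of `tmsh list auth user`.
SAMPLE_USERS = """\
auth user admin {
    partition-access {
        all-partitions {
            role admin
        }
    }
    shell tmsh
}
auth user svc_backup {
    partition-access {
        all-partitions {
            role admin
        }
    }
    shell bash
}
auth user auditor {
    partition-access {
        all-partitions {
            role auditor
        }
    }
    shell none
}
"""


def parse_version(text):
    """Dotted version string from `show sys version` output, or None."""
    m = re.search(r"^\s*Version\s+(\d+(?:\.\d+)+)", text, re.M)
    return m.group(1) if m else None


def is_vulnerable(version):
    """True if below the branch's fixed version, False if at or above it,
    None if the branch is not in the table (e.g. an end-of-support branch)."""
    parts = [int(x) for x in version.split(".")]
    branch = ".".join(str(p) for p in parts[:2])
    if branch not in FIXED:
        return None
    fixed = [int(x) for x in FIXED[branch].split(".")]
    return parts < fixed  # list comparison: a shorter equal prefix sorts lower


def parse_users(text):
    """Map each account to its roles and login shell from `list auth user` output."""
    users = {}
    # Each block runs from 'auth user NAME {' to the first '}' at column 0.
    for m in re.finditer(r"^auth user (\S+) \{\n(.*?)\n\}", text, re.S | re.M):
        name, body = m.group(1), m.group(2)
        shell = re.search(r"^\s*shell (\S+)", body, re.M)
        users[name] = {
            "roles": re.findall(r"\brole (\S+)", body),
            "shell": shell.group(1) if shell else None,
        }
    return users


def unexpected_admins(users, expected=EXPECTED_ADMINS):
    """Admin-role accounts not on the allowlist: candidates for attacker-created backdoors."""
    return sorted(n for n, u in users.items() if "admin" in u["roles"] and n not in expected)


def bash_shell_accounts(users):
    """Accounts with a bash shell have direct OS access; review them after a compromise."""
    return sorted(n for n, u in users.items() if u["shell"] == "bash")


def audit(version_text, users_text):
    """Combine the version check and the account review into one findings dict."""
    version = parse_version(version_text)
    users = parse_users(users_text)
    return {
        "version": version,
        "vulnerable": is_vulnerable(version) if version else None,
        "unexpected_admins": unexpected_admins(users),
        "bash_shell_accounts": bash_shell_accounts(users),
    }


if __name__ == "__main__":
    for key, value in audit(SAMPLE_VERSION, SAMPLE_USERS).items():
        print(f"{key}: {value}")
```

On a real device, feed the script the saved output of the two tmsh commands rather than running it on the appliance itself, so the review does not depend on tooling installed on a box that may already be compromised. A version that compares as fixed still needs the engineering hotfix named in F5's advisory.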

Key Details

Property               Value
CVE ID                 CVE-2023-46748
Vendor / Product       F5 BIG-IP Configuration Utility
NVD Published          2023-10-26
NVD Last Modified      2025-10-27
CVSS 3.1 Score         8.8
CVSS 3.1 Vector        CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Severity               HIGH
CWE                    CWE-89
CISA KEV Added         2023-10-31
CISA KEV Deadline      2023-11-21
Known Ransomware Use   No

CVSS 3.1 Breakdown

Attack Vector:        Network
Attack Complexity:    Low
Privileges Required:  Low
User Interaction:     None
Scope:                Unchanged
Confidentiality:      High
Integrity:            High
Availability:         High

Required Action

CISA BOD 22-01 Deadline: 2023-11-21. Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

Timeline

Date         Event
2023-10-26   F5 publishes advisories disclosing CVE-2023-46748 and companion CVE-2023-46747 (K000137365)
2023-10-26   Praetorian releases technical analysis and proof-of-concept for the exploit chain
2023-10-31   Added to CISA Known Exploited Vulnerabilities catalog
2023-11-21   CISA BOD 22-01 remediation deadline