October 27, 2023 By Pierluigi Paganini
F5 warns customers of a critical vulnerability impacting BIG-IP that could lead to unauthenticated remote code execution.
F5 is warning customers about a critical security vulnerability, tracked as CVE-2023-46747 (CVSS 9.8), that impacts BIG-IP and could result in unauthenticated remote code execution.
The vulnerability resides in the Configuration utility component. It was reported by Michael Weber and Thomas Hendrickson of Praetorian on October 4, 2023.
“This vulnerability may allow an unauthenticated attacker with network access to the BIG-IP system through the management port and/or self IP addresses to execute arbitrary system commands. There is no data plane exposure; this is a control plane issue only.” reads the advisory published by F5.
The vulnerability affects the following versions:
| Product | Branch | Versions known to be vulnerable | Fixes introduced in | Severity | CVSSv3 score | Vulnerable component or feature |
|---|---|---|---|---|---|---|
| BIG-IP (all modules) | 17.x | 17.1.0 | 17.1.0.3 + Hotfix-BIGIP-17.1.0.3.0.75.4-ENG | Critical | 9.8 | Configuration utility |
| BIG-IP (all modules) | 16.x | 16.1.0 – 16.1.4 | 16.1.4.1 + Hotfix-BIGIP-16.1.4.1.0.50.5-ENG | Critical | 9.8 | Configuration utility |
| BIG-IP (all modules) | 15.x | 15.1.0 – 15.1.10 | 15.1.10.2 + Hotfix-BIGIP-15.1.10.2.0.44.2-ENG | Critical | 9.8 | Configuration utility |
| BIG-IP (all modules) | 14.x | 14.1.0 – 14.1.5 | 14.1.5.6 + Hotfix-BIGIP-14.1.5.6.0.10.6-ENG | Critical | 9.8 | Configuration utility |
| BIG-IP (all modules) | 13.x | 13.1.0 – 13.1.5 | 13.1.5.1 + Hotfix-BIGIP-13.1.5.1.0.20.2-ENG | Critical | 9.8 | Configuration utility |
| BIG-IQ Centralized Management | All | None | Not applicable | Not vulnerable | None | None |
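The table above is the input a defender actually needs for fleet triage. The following is an added example (not F5 tooling) that encodes those version ranges and classifies a BIG-IP version string; it assumes plain dotted release strings and cannot see whether the listed ENG hotfix is installed, so a fixed release is reported as "fixed" with that caveat.

```python
"""Triage helper for CVE-2023-46747: classify BIG-IP versions against the
affected ranges F5 published (added example, not F5's own code)."""
from typing import Dict, Tuple

Version = Tuple[int, ...]

# (branch prefix, first vulnerable release, first fixed release), per the F5 table.
# A version is vulnerable when first_vuln <= v < first_fixed within its branch.
AFFECTED = [
    ((17, 1), (17, 1, 0), (17, 1, 0, 3)),
    ((16, 1), (16, 1, 0), (16, 1, 4, 1)),
    ((15, 1), (15, 1, 0), (15, 1, 10, 2)),
    ((14, 1), (14, 1, 0), (14, 1, 5, 6)),
    ((13, 1), (13, 1, 0), (13, 1, 5, 1)),
]


def parse_version(text: str) -> Version:
    """Turn '16.1.3' into (16, 1, 3); reject anything that is not dotted digits."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised BIG-IP version: {text!r}")
    return tuple(int(p) for p in parts)


def assess(version_text: str) -> str:
    """Return 'vulnerable', 'fixed' (at or after the fixed release; the ENG
    hotfix still has to be confirmed on the box) or 'not_listed'."""
    v = parse_version(version_text)
    for branch, first_vuln, first_fixed in AFFECTED:
        if v[: len(branch)] != branch:
            continue
        if first_vuln <= v < first_fixed:
            return "vulnerable"
        if v >= first_fixed:
            return "fixed"
    return "not_listed"  # branch not in the table (e.g. end-of-life releases)


def triage(inventory: Dict[str, str]) -> Dict[str, str]:
    """Map hostname -> status for a hostname -> version inventory."""
    return {host: assess(ver) for host, ver in inventory.items()}


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    sample = {"lb-a": "16.1.3", "lb-b": "17.1.0.3", "lb-c": "15.1.10.1", "lb-d": "12.1.6"}
    for host, status in triage(sample).items():
        print(f"{host}: {status}")
```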