
How to fix CVE-2023-46747 in F5 BIG-IP

The critical CVE-2023-46747 has been found in F5's BIG-IP systems. Here's everything you need to know, including how to fix it.

Orani Amroussi | November 08, 2023

This blog has been updated to include new-found instances of exploitation of this vulnerability.

A critical vulnerability identified as CVE-2023-46747 has been discovered in F5’s BIG-IP systems. It poses a significant risk because it allows an unauthenticated attacker to bypass authentication and execute system commands on the affected device. Immediate action is advised.


What is CVE-2023-46747?

CVE-2023-46747 is a critical authentication bypass vulnerability affecting F5 BIG-IP systems. The vulnerability is particularly concerning because it allows an unauthenticated attacker to execute remote code on the affected devices. The vulnerability has been assigned a CVSSv3 score of 9.8, indicating its severe impact.

Does it affect me?

If your organization uses F5 BIG-IP systems and exposes the Traffic Management User Interface (TMUI), you are at risk. The vulnerability affects various versions of BIG-IP, and immediate patching is strongly recommended.



Has CVE-2023-46747 been actively exploited in the wild?

As of 8th November 2023, F5 has warned BIG-IP admins that “skilled hackers” are successfully exploiting the vulnerability to access systems, then erasing the signs of their access and achieving stealthy code execution.

Fixing CVE-2023-46747

F5 has released security patches to address this vulnerability. Organizations are strongly advised to apply these patches as soon as possible. If immediate patching is not feasible, F5 has provided some mitigation guidance, which can be found in their article K000137353. Note that the mitigation script should not be used on BIG-IP versions prior to 14.1.0 and is not compatible with systems using the FIPS 140-2 Compliant Mode license.


Next steps

Each new vulnerability is a reminder of where we stand, and what we need to do better. Check out the following resources to help you maintain cyber hygiene and stay ahead of the threat actors: 

  1. Announcing the Attack Path Graph for end-to-end risk prioritization
  2. Can you trust ChatGPT’s package recommendations?
  3. MITRE ATTACK framework – Mapping techniques to CVEs  
  4. Exploit maturity: an introduction  
  5. IBM’s Cost of a Data Breach report 2023 – what we learned
