F5 BIG-IP vulnerability under active attack after RCE discovery

April 2, 2026 | 2 min read | 1 sources

A critical remote code execution (RCE) vulnerability in F5's BIG-IP networking devices, tracked as CVE-2023-46747, is being actively exploited by threat actors. The flaw, which carries a CVSS severity score of 9.8 out of 10, allows an unauthenticated attacker to execute commands with root privileges, granting them complete control over a compromised system.

The vulnerability resides in the BIG-IP Configuration utility, also known as the Traffic Management User Interface (TMUI). Attackers can exploit the flaw by sending a specially crafted HTTP request to an exposed management port, bypassing authentication entirely. F5 disclosed the vulnerability in late October 2023, and security researchers published proof-of-concept (PoC) exploit code within hours, leading to immediate and widespread attacks.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) quickly added CVE-2023-46747 to its Known Exploited Vulnerabilities (KEV) catalog, confirming the active threat and requiring federal agencies to patch their systems.

A successful attack gives adversaries a powerful foothold inside a target network. BIG-IP devices often sit at critical network junctions, managing application traffic. Compromise can lead to data exfiltration, internal network pivoting, deployment of ransomware, or manipulation of network traffic.

Administrators are strongly urged to apply the security updates provided by F5 immediately. For systems that cannot be patched right away, F5 recommends implementing workarounds that involve restricting access to the TMUI. This includes blocking access from the internet and limiting it to a secure management network, which authorized personnel often access using a VPN.
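One way to audit the workaround above across a device inventory, as an added example that is not from the original article or from F5. The inventory format, device names, addresses, wildcard tokens and management ranges are all constructed assumptions.

```python
import ipaddress

# Assumption: the ranges this organisation treats as its secure management network.
MGMT_NETS = [ipaddress.ip_network(n) for n in ("10.20.0.0/24", "fd00:20::/64")]
# Assumption: tokens the (hypothetical) inventory uses for "allow every source".
WILDCARDS = {"all", "any", "*"}

# Constructed inventory: device name, TMUI management address, source allow-list.
INVENTORY = [
    {"name": "lb-edge-01", "mgmt_ip": "198.51.100.7", "allow": ["All"]},
    {"name": "lb-core-02", "mgmt_ip": "10.20.0.12",
     "allow": ["10.20.0.0/24", "fd00:20::/64"]},
    {"name": "lb-dmz-03", "mgmt_ip": "10.20.0.13",
     "allow": ["10.20.0.0/24", "10.0.0.0/8"]},
]

def inside_mgmt(net):
    """True if net lies entirely within one of the management networks."""
    return any(net.version == m.version and net.subnet_of(m) for m in MGMT_NETS)

def audit(device):
    """Return a list of findings for one device; an empty list means compliant."""
    findings = []
    ip = ipaddress.ip_address(device["mgmt_ip"])
    if not any(ip in m for m in MGMT_NETS):
        findings.append(f"management address {ip} is outside the management network")
    for entry in device["allow"]:
        if entry.lower() in WILDCARDS:
            findings.append("allow-list accepts any source")
            continue
        try:
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError:
            findings.append(f"unparseable allow entry {entry!r}")
            continue
        if not inside_mgmt(net):
            findings.append(f"allow entry {net} extends beyond the management network")
    return findings

def report(inventory):
    """Map device name to findings, listing only devices that need attention."""
    results = {d["name"]: audit(d) for d in inventory}
    return {name: f for name, f in results.items() if f}

if __name__ == "__main__":
    for name, findings in report(INVENTORY).items():
        for finding in findings:
            print(f"{name}: {finding}")
```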
