Hackers now exploit critical F5 BIG-IP flaw in attacks, patch now

April 1, 2026 | 5 min read | 4 sources

Urgent warning issued as attackers exploit a critical F5 flaw for full system compromise

A critical vulnerability in F5's BIG-IP product suite is under active exploitation, F5 and security researchers have confirmed. The flaw, tracked as CVE-2023-46747, is an unauthenticated remote code execution (RCE) vulnerability in the BIG-IP Configuration utility, the web-based management interface (TMUI). An attacker who can reach that interface can bypass authentication and take complete control of the appliance.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the vulnerability to its Known Exploited Vulnerabilities (KEV) catalog on October 31, 2023, together with CVE-2023-46748, an authenticated SQL injection in the same Configuration utility that F5 has seen attackers chain with it (CISA, 2023). Attackers are reportedly using the exploit to deploy webshells, establishing persistent access to compromised networks.

From disclosure to in-the-wild exploitation in days

F5 disclosed CVE-2023-46747 on October 26, 2023, with a CVSS score of 9.8 out of 10. The underlying bug, found by researchers at Praetorian, is a request smuggling flaw: the Configuration utility fronts a Tomcat backend with an Apache proxy that talks to it over AJP, and a crafted HTTP request lets an unauthenticated client smuggle its own AJP message to Tomcat, which then handles it as though it came from an already authenticated administrator. Technical details were initially withheld to give customers time to patch, but on October 30 F5 updated its advisory to say it had observed the flaw being exploited in the wild (F5, 2023).

F5 BIG-IP devices are application delivery controllers (ADCs) used by thousands of major corporations, governments, and service providers to manage network traffic, balance application loads, and enforce security policies. Their position at the edge of the network makes them a high-value target for threat actors seeking an initial foothold into a target's infrastructure.

Technical deep dive: How the exploit works

The vulnerability resides in the Configuration utility, the control plane, not in the traffic-processing data plane. According to F5's advisory, an unauthenticated attacker with network access to the Configuration utility through the management port or a self IP address can send a specially crafted HTTP request that bypasses authentication. The request abuses the AJP hop between the utility's Apache frontend and its Tomcat backend: request attributes smuggled into the AJP message are trusted by Tomcat, so the backend treats the request as coming from an authenticated administrator. F5 states this is a control plane issue with no data plane exposure.

Successful exploitation allows the attacker to execute arbitrary system commands on the appliance's underlying Linux host. Security researchers at Rapid7 noted that this class of vulnerability is particularly dangerous, as it gives attackers direct control over a core piece of network infrastructure (Rapid7, 2023). Publicly documented exploitation creates a new administrative account through the Configuration utility and then runs commands with it; the primary post-exploitation activity observed to date is the installation of webshells, malicious scripts that provide attackers with a persistent backdoor for remote command execution and data exfiltration.

The affected BIG-IP versions, per F5's advisory, are:

  • 17.1.0
  • 16.1.0 – 16.1.4
  • 15.1.0 – 15.1.10
  • 14.1.0 – 14.1.5
  • 13.1.0 – 13.1.5

This is not the first time F5 devices have been targeted. Previous critical vulnerabilities like CVE-2020-5902 and CVE-2022-1388 were also widely exploited, demonstrating a consistent pattern of threat actors targeting these powerful appliances.

Impact assessment: A gateway to the network

The impact of a successful exploit against CVE-2023-46747 is severe. An attacker who gains control of a BIG-IP device can:

  • Intercept and decrypt traffic: The device typically terminates TLS for the applications behind it and holds their private keys and certificates, so an attacker can read or manipulate the traffic it processes.
  • Move laterally: A compromised BIG-IP appliance is an ideal pivot point for an attacker to move deeper into an organization's internal network, targeting databases, domain controllers, and other critical assets.
  • Exfiltrate data: Attackers can steal credentials, application data, and other sensitive information stored on or transiting through the device.
  • Launch further attacks: The compromised device can be used to host malware, launch attacks against other organizations, or become part of a botnet.

The deployment of webshells indicates that attackers are not interested in simple disruption but are establishing long-term persistence. Even if a device is patched, it may remain compromised if the attacker's backdoor is not found and removed. This makes thorough incident response and forensic analysis essential for any organization that discovers a vulnerable system.

How to protect yourself

Immediate action is required to mitigate the risk from CVE-2023-46747. System administrators and security teams should prioritize the following steps.

1. Patch immediately

The most effective defense is to apply the fixes released by F5. The fixed base versions, each of which requires the corresponding engineering hotfix from F5 article K000137353 on top of it (later point releases include the fix), are:

  • BIG-IP 17.1.0.3 + engineering hotfix
  • BIG-IP 16.1.4.1 + engineering hotfix
  • BIG-IP 15.1.10.2 + engineering hotfix
  • BIG-IP 14.1.5.6 + engineering hotfix
  • BIG-IP 13.1.5.1 + engineering hotfix
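
As an added example (not F5 tooling, and not code from any of the sources cited on this page), the following Python classifies a BIG-IP release against the affected and fixed lists above, including the case where the fixed base version is installed without its engineering hotfix. The ranges are transcribed from the lists above and should be confirmed against F5's advisory; the `tmsh show sys version` text is constructed in the shape of that command's output.

```python
"""Classify a BIG-IP release against the CVE-2023-46747 affected/fixed lists.

Added example, not F5 tooling. RANGES is transcribed from the article's
lists; confirm it against F5's advisory before relying on it.
"""
import re

# branch -> (first affected, last affected, first fixed base release).
# Affected ranges compare on the first three components; the fixed base
# release needs the engineering hotfix, later point releases do not.
RANGES = {
    (17, 1): ((17, 1, 0), (17, 1, 0), (17, 1, 0, 3)),
    (16, 1): ((16, 1, 0), (16, 1, 4), (16, 1, 4, 1)),
    (15, 1): ((15, 1, 0), (15, 1, 10), (15, 1, 10, 2)),
    (14, 1): ((14, 1, 0), (14, 1, 5), (14, 1, 5, 6)),
    (13, 1): ((13, 1, 0), (13, 1, 5), (13, 1, 5, 1)),
}


def parse_version(text):
    """Return a 4-tuple from '16.1.3' or 'BIG-IP 16.1.3.3' (missing parts are 0)."""
    m = re.search(r"\b(\d+)\.(\d+)\.(\d+)(?:\.(\d+))?\b", text)
    if not m:
        raise ValueError("no BIG-IP version found in %r" % text)
    parts = [int(p) for p in m.groups() if p is not None]
    return tuple(parts + [0] * (4 - len(parts)))


def classify(version, engineering_hotfix=False):
    """Return 'vulnerable', 'needs-hotfix', 'fixed' or 'not-in-advisory'."""
    v = parse_version(version)
    branch = v[:2]
    if branch not in RANGES:
        return "not-in-advisory"      # e.g. end-of-life 12.1, or a newer branch
    first, last, fixed = RANGES[branch]
    if v > fixed:
        return "fixed"                # later point release, fix rolled in
    if v == fixed:
        return "fixed" if engineering_hotfix else "needs-hotfix"
    if first <= v[:3] <= last:
        return "vulnerable"
    return "not-in-advisory"


def classify_tmsh(output):
    """Pull Version and Edition out of `tmsh show sys version` text and classify.

    An installed engineering hotfix shows up in the Edition line (assumption:
    the word 'Hotfix' appears there); a plain point release does not.
    """
    version = re.search(r"^\s*Version\s+(\S+)", output, re.M).group(1)
    edition = re.search(r"^\s*Edition\s+(.*)$", output, re.M)
    hotfix = bool(edition and "hotfix" in edition.group(1).lower())
    return version, classify(version, hotfix)


# Constructed sample in the shape of `tmsh show sys version` output: the fixed
# base release is installed, but only as a plain point release.
SAMPLE_TMSH = """Sys::Version
Main Package
  Product     BIG-IP
  Version     16.1.4.1
  Build       0.0.50
  Edition     Point Release 1
"""

if __name__ == "__main__":
    for ver, hf in [("17.1.0", False), ("16.1.3.3", False), ("15.1.10.2", True),
                    ("15.1.10.2", False), ("17.1.1", False), ("12.1.6", False)]:
        print(ver, "(hotfix)" if hf else "", classify(ver, hf))
    print(classify_tmsh(SAMPLE_TMSH))
```

The `needs-hotfix` result is the one that gets missed in practice: a device reporting 16.1.4.1 looks patched to a scanner that only compares version numbers, but without the hotfix the Configuration utility is still exploitable.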

F5 strongly recommends applying these updates as soon as possible. The attack surface is the Configuration utility, reachable on the management port and on any self IP whose port lockdown allows TCP 443; the default allow-default lockdown does allow it. Organizations should not assume they are safe because the management port is not exposed to the internet: a self IP on a reachable VLAN with the default lockdown exposes the same interface.
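To check that exposure, the following Python (an added example, not F5 tooling) parses `tmsh list net self` output and flags every self IP whose `allow-service` setting lets TCP 443 through. The sample configuration is constructed; the service names follow tmsh's `proto:port` or `proto:name` syntax, and the allow-default port list used here is the documented one for BIG-IP (TCP 22, 53, 161, 443, 4353 plus UDP services).

```python
"""Flag self IPs whose port lockdown exposes the Configuration utility (TCP 443).

Added example, not F5 tooling. Input is constructed in the shape of
`tmsh list net self` output.
"""
import re

# Tokens in an allow-service block that open TCP 443 on that self IP.
# 'default' is allow-default, which includes TCP 443; 'all' opens everything.
EXPOSING_TOKENS = {"all", "default", "tcp:443", "tcp:https"}


def parse_self_ips(text):
    """Yield (name, address, allow_tokens) for each `net self` stanza.

    allow_tokens is a set such as {'none'}, {'default'} or {'tcp:https', 'tcp:ssh'}.
    """
    for m in re.finditer(r"net self (\S+) \{(.*?)\n\}", text, re.S):
        name, body = m.group(1), m.group(2)
        address = re.search(r"address (\S+)", body).group(1)
        svc = re.search(r"allow-service\s+(\{[^}]*\}|\S+)", body)
        raw = svc.group(1).strip("{} \t\n") if svc else "none"
        yield name, address, set(raw.split())


def exposed_self_ips(text):
    """Return (name, address, reason) for self IPs that expose TCP 443."""
    exposed = []
    for name, address, tokens in parse_self_ips(text):
        hit = sorted(tokens & EXPOSING_TOKENS)
        if hit:
            exposed.append((name, address, hit[0]))
    return exposed


# Constructed sample: one locked-down self IP, one on allow-default, one that
# explicitly allows https, and one HA self IP allowing only iQuery/UDP.
SAMPLE_SELF = """net self external_self {
    address 203.0.113.10/24
    allow-service none
    traffic-group traffic-group-local-only
    vlan external
}
net self internal_self {
    address 10.10.1.5/24
    allow-service {
        default
    }
    traffic-group traffic-group-local-only
    vlan internal
}
net self dmz_self {
    address 192.0.2.5/24
    allow-service {
        tcp:https
        tcp:ssh
    }
    traffic-group traffic-group-local-only
    vlan dmz
}
net self ha_self {
    address 10.20.0.5/24
    allow-service {
        tcp:f5-iquery
        udp:1026
    }
    traffic-group traffic-group-local-only
    vlan ha
}
"""

if __name__ == "__main__":
    for name, address, reason in exposed_self_ips(SAMPLE_SELF):
        print("%s (%s) exposes the Configuration utility via allow-service %s"
              % (name, address, reason))
```

Run it against the real `tmsh list net self` output from each device; any self IP it reports on a VLAN that untrusted hosts can reach is a path to CVE-2023-46747 even when the dedicated management port is firewalled.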

2. Hunt for indicators of compromise (IOCs)

If your devices were running a vulnerable version, you must assume they may have been compromised. Proactively hunt for signs of an intrusion:

  • Check local accounts: Run tmsh list auth user and compare against the accounts you expect; an administrator account you did not create, especially one granted the bash shell, is the signature of the publicly documented exploit chain.
  • Check for webshells: Look for unexpected or recently modified files, in particular .jsp files, under the Configuration utility's web root and in other web-accessible directories.
  • Review system logs: Scrutinize /var/log/httpd/httpd_access_log for requests to /tmui/ or /mgmt/ paths from addresses that never legitimately administer the device, and /var/log/tomcat/catalina.out for errors or command activity around those times, as well as unusual command executions and authentication failures.
  • Monitor network traffic: Look for anomalous outbound connections from your BIG-IP devices, which could indicate data exfiltration or command-and-control communication. Management traffic should originate only from known administrative hosts or jump boxes; restricting it with port lockdown and a management ACL makes any other connection stand out.

3. Apply temporary mitigations (if patching is delayed)

While patching is the only true solution, F5 has provided a temporary mitigation for those who cannot immediately update: a script that adds rules to the Configuration utility's Apache (httpd) configuration to block the smuggled requests. The script applies only to BIG-IP 14.1.0 and later; F5 warns that running it on earlier versions breaks the Configuration utility, and that the workaround may affect functionality and should only be considered a stopgap. Because the flaw is a control plane issue, restricting who can reach the management port and self IPs is the other mitigation available on every version.

The active exploitation of this flaw is a stark reminder that edge network devices are prime targets. Administrators must remain vigilant, prioritize patching, and be prepared to conduct thorough incident response when critical vulnerabilities are disclosed.


// FAQ

What is CVE-2023-46747?

CVE-2023-46747 is a critical remote code execution (RCE) vulnerability in the F5 BIG-IP Configuration utility (TMUI). It allows an unauthenticated attacker who can reach the Configuration utility through the management port or a self IP to bypass authentication and execute arbitrary commands on the system by sending a specially crafted HTTP request, leading to full system takeover.

How do I know if my F5 BIG-IP device is vulnerable?

Your device is vulnerable if it is running any of the following BIG-IP versions: 17.1.0, 16.1.0 - 16.1.4, 15.1.0 - 15.1.10, 14.1.0 - 14.1.5, or 13.1.0 - 13.1.5. Check the version with tmsh show sys version, and note that the fixed base releases (17.1.0.3, 16.1.4.1, 15.1.10.2, 14.1.5.6, 13.1.5.1) are only fixed once F5's engineering hotfix is installed on top of them.

What is the most important first step if my device is affected?

The most critical step is to apply the security patches (hotfixes) provided by F5 immediately. After patching, you must conduct a thorough investigation to search for any signs of compromise, such as webshells or suspicious network activity, as the vulnerability was exploited before patches were widely applied.

What is a webshell and why is it dangerous?

A webshell is a malicious script uploaded to a web server that gives an attacker a backdoor. It allows them to execute system commands, browse files, and exfiltrate data remotely. It provides persistent access, meaning the attacker can regain control even if the original vulnerability is patched.

Is there a workaround if I cannot patch my system right away?

Yes, F5 has provided a temporary mitigation: a script that modifies the Configuration utility's httpd configuration. It is available only for BIG-IP 14.1.0 and later, it may affect functionality, and it is not a substitute for patching. Applying the official update with its engineering hotfix is the only permanent solution.
