BIG-IP Configuration utility authenticated SQL injection vulnerability
CVE-2023-46748
Key Information
- Vendor
- F5
- Status
- BIG-IP
- Vendor
- CVE Published:
- 26 October 2023
Badges
Summary
An authenticated SQL injection vulnerability exists in the BIG-IP Configuration utility which
may allow an authenticated attacker with network access to the Configuration utility through the BIG-IP management port and/or self IP addresses to execute arbitrary system commands.
Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated
CISA Reported
CISA provides regional cyber and physical services to support security and resilience across the United States. CISA monitor the most dangerious vulnerabilities and have identifed CVE-2023-46748 as being exploited but is not known by the CISA to be used in ransomware campaigns. This is subject to change at pace
The CISA's recommendation is: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Affected Version(s)
BIG-IP < 17.1.0
BIG-IP < 16.1.0
BIG-IP < 15.1.0
News Articles
Help Net SecurityF5 BIG-IP vulnerabilities leveraged by attackers: What to do? - Help Net Security
The BIG-IP vulnerabilities (CVE-2023-46747, CVE-2023-46748) F5 has recently released hotfixes for are being exploited by attackers.
1 year ago
Security AffairsCISA adds two F5 BIG-IP flaws to its Known Exploited Vulnerabilities catalog
US CISA added two vulnerabilities, tracked as CVE-2023-46747 and CVE-2023-46748, in BIG-IP to its Known Exploited Vulnerabilities catalog.
1 year ago
Refferences
CVSS V3.1
Timeline
First article discovered by Security Affairs
- 👾
Exploit known to exist
CISA Reported
Vulnerability published
Vulnerability Reserved