BIG-IP Configuration utility authenticated SQL injection vulnerability
Key Information
- Vendor
- F5
- Status
- BIG-IP
- Vendor
- CVE Published:
- 26 October 2023
Badges
Summary
An authenticated SQL injection vulnerability exists in the BIG-IP Configuration utility which may allow an authenticated attacker with network access to the Configuration utility through the BIG-IP management port and/or self IP addresses to execute arbitrary system commands. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated
CISA Reported
CISA provides regional cyber and physical services to support security and resilience across the United States. CISA monitor the most dangerious vulnerabilities and have identifed CVE-2023-46748 as being exploited but is not known by the CISA to be used in ransomware campaigns. This is subject to change at pace
The CISA's recommendation is: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Affected Version(s)
BIG-IP < 17.1.0
BIG-IP < 16.1.0
BIG-IP < 15.1.0
News Articles
Help Net Security CVE-2023-46747CVE-2023-46748F5 BIG-IP vulnerabilities leveraged by attackers: What to do? - Help Net Security
The BIG-IP vulnerabilities (CVE-2023-46747, CVE-2023-46748) F5 has recently released hotfixes for are being exploited by attackers.
11 months ago
Security Affairs CVE-2023-46748CVE-2023-46747CISA adds two F5 BIG-IP flaws to its Known Exploited Vulnerabilities catalog
US CISA added two vulnerabilities, tracked as CVE-2023-46747 and CVE-2023-46748, in BIG-IP to its Known Exploited Vulnerabilities catalog.
11 months ago
CVSS V3.1
Timeline
First article discovered by Security Affairs
- 👾
Exploit exists.
Vulnerability published.
Vulnerability Reserved.