BIG-IP Configuration utility authenticated SQL injection vulnerability
CVE-2023-46748
Key Information:
Badges
Summary
An authenticated SQL injection vulnerability exists within the F5 BIG-IP Configuration utility, potentially allowing an attacker with network access to exploit the Configuration utility via the management port or self IP addresses. This threat enables execution of arbitrary system commands, requiring only authenticated access which heightens the risk profile for organizations relying on affected versions of this critical network device.
CISA Reported
CISA provides regional cyber and physical services to support security and resilience across the United States. CISA monitor the most dangerious vulnerabilities and have identifed as being exploited but is not known by the CISA to be used in ransomware campaigns. This is subject to change at pace
The CISA's recommendation is: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Affected Version(s)
BIG-IP 17.1.0
BIG-IP 16.1.0
BIG-IP 15.1.0
Get notified when SecurityVulnerability.io launches alerting 🔔
Well keep you posted 📧
News Articles
Help Net SecurityF5 BIG-IP vulnerabilities leveraged by attackers: What to do? - Help Net Security
The BIG-IP vulnerabilities (CVE-2023-46747, CVE-2023-46748) F5 has recently released hotfixes for are being exploited by attackers.
Security AffairsCISA adds two F5 BIG-IP flaws to its Known Exploited Vulnerabilities catalog
US CISA added two vulnerabilities, tracked as CVE-2023-46747 and CVE-2023-46748, in BIG-IP to its Known Exploited Vulnerabilities catalog.
References
CVSS V3.1
Timeline
- 📰
First article discovered by Security Affairs
- 👾
Exploit known to exist
- 🦅
CISA Reported
Vulnerability published
Vulnerability Reserved