Critical F5 BIG-IP Flaw Allows Remote Code Execution Attacks

A critical security flaw existed in the F5 BIG-IP Configuration utility that allows an adversary to execute arbitrary commands. In worst-case exploits, an attacker having prior access to the target network may easily exploit the vulnerability. F5 has released the patched versions, urging users to upgrade accordingly.

F5 BIG-IP RCE Flaw

In a recent advisory, F5 disclosed a critical severity vulnerability affecting its BIG-IP systems.

BIG-IP is a dedicated hardware and software solutions suite facilitating application access control, availability, and security. Given its useful functionalities, BIG-IP boasts a huge customer base, which also indicates the extent of vulnerable users in case of any BIG-IP exploit.

As explained in the advisory, the vulnerability typically affected BIG-IP systems with Traffic Management User Interface (TMUI) exposed. However, an attacker with prior access to the target network via the management port of self IP addresses could also exploit the flaw. Once done, the adversary could execute unauthenticated remote commands on the target systems.

This vulnerability, CVE-2023-46747, received a critical severity rating with a CVSS score of 9.8. Technical details about the BIG-IP flaw are available in F5’s advisory.

F5 Deployed The Patch

Following the bug report, the vendors quickly developed a patch for the security vulnerability. F5 acknowledged the researchers Thomas Hendrickson and Michael Weber of Praetorian Security, Inc. to discover and report the flaw.

The researchers have also shared the details about their findings in a separate post. The timeline they shared in their post reflects how vigilantly F5 acted upon the vulnerability report, reproducing the exploit and confirming the vulnerability. The firm pledged to deliver a fix quickly, which they did, as they rolled out the patched releases in a couple of weeks.

Besides releasing the fixes, F5 also shared numerous mitigation strategies to protect vulnerable systems until they are updated.

Let us know your thoughts in the comments.

Related posts

Water Facilities Must Secure Exposed HMIs – Warns CISA

Microsoft December Patch Tuesday Arrived With 70+ Bug Fixes

NachoVPN Attack Risks Corporate VPN Clients