{"id":"CVE-2023-46747","details":"Undisclosed requests may bypass configuration utility authentication, allowing an attacker with network access to the BIG-IP system through the management port and/or self IP addresses to execute arbitrary system commands.  Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated","modified":"2026-03-14T12:15:23.044980Z","published":"2023-10-26T21:15:08.097Z","references":[{"type":"WEB","url":"https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2023-46747"},{"type":"ADVISORY","url":"https://my.f5.com/manage/s/article/K000137353"},{"type":"EVIDENCE","url":"http://packetstormsecurity.com/files/175673/F5-BIG-IP-TMUI-AJP-Smuggling-Remote-Command-Execution.html"},{"type":"EVIDENCE","url":"https://www.secpod.com/blog/f5-issues-warning-big-ip-vulnerability-used-in-active-exploit-chain/"}],"affected":[{"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-46747.json","unresolved_ranges":[{"events":[{"introduced":"13.1.0"},{"last_affected":"13.1.5"}]},{"events":[{"introduced":"14.1.0"},{"last_affected":"14.1.5"}]},{"events":[{"introduced":"15.1.0"},{"last_affected":"15.1.10"}]},{"events":[{"introduced":"16.1.0"},{"last_affected":"16.1.4"}]},{"events":[{"introduced":"17.1.0"},{"last_affected":"17.1.1"}]},{"events":[{"introduced":"13.1.0"},{"last_affected":"13.1.5"}]},{"events":[{"introduced":"14.1.0"},{"last_affected":"14.1.5"}]},{"events":[{"introduced":"15.1.0"},{"last_affected":"15.1.10"}]},{"events":[{"introduced":"16.1.0"},{"last_affected":"16.1.4"}]},{"events":[{"introduced":"17.1.0"},{"last_affected":"17.1.1"}]},{"events":[{"introduced":"13.1.0"},{"last_affected":"13.1.5"}]},{"events":[{"introduced":"14.1.0"},{"last_affected":"14.1.5"}]},{"events":[{"introduced":"15.1.0"},{"last_affected":"15.1.10"}]},{"events":[{"introduced":"16.1.0"},{"last_affected":"16.1.4"}]},{"events":[{"introduced":"17.1.0"},{"last_affected":"17.1.1"}]},{"events":[{"introduced":"13.1.0"},{"last_affected":"13.1.5"}]},{"events":[{"introduced":"14.1.0"},{"last_affected":"14.1.5"}]},{"events":[{"introduced":"15.1.0"},{"last_affected":"15.1.10"}]},{"events":[{"introduced":"16.1.0"},{"last_affected":"16.1.4"}]},{"events":[{"introduced":"17.1.0"},{"last_affected":"17.1.1"}]},{"events":[{"introduced":"13.1.0"},{"last_affected":"13.1.5"}]},{"events":[{"introduced":"14.1.0"},{"last_affected":"14.1.5"}]},{"events":[{"introduced":"15.1.0"},{"last_affected":"15.1.10"}]},{"events":[{"introduced":"16.1.0"},{"last_affected":"16.1.4"}]},{"events":[{"introduced":"17.1.0"},{"last_affected":"17.1.1"}]},{"events":[{"introduced":"13.1.0"},{"last_affected":"13.1.5"}]},{"events":[{"introduced":"14.1.0"},{"last_affected":"14.1.5"}]},{"events":[{"introduced":"15.1.0"},{"last_affected":"15.1.10"}]},{"events":[{"introduced":"16.1.0"},{"last_affected":"16.1.4"}]},{"events":[{"introduced":"17.1.0"},{"last_affected":"17.1.1"}]},{"events":[{"introduced":"13.1.0"},{"last_affected":"13.1.5"}]},{"events":[{"introduced":"14.1.0"},{"last_affected":"14.1.5"}]},{"events":[{"introduced":"15.1.0"},{"last_affected":"15.1.10"}]},{"events":[{"introduced":"16.1.0"},{"last_affected":"16.1.4"}]},{"events":[{"introduced":"17.1.0"},{"last_affected":"17.1.1"}]},{"events":[{"introduced":"13.1.0"},{"last_affected":"13.1.5"}]},{"events":[{"introduced":"14.1.0"},{"last_affected":"14.1.5"}]},{"events":[{"introduced":"15.1.0"},{"last_affected":"15.1.10"}]},{"events":[{"introduced":"16.1.0"},{"last_affected":"16.1.4"}]},{"events":[{"introduced":"17.1.0"},{"last_affected":"17.1.1"}]},{"events":[{"introduced":"13.1.0"},{"last_affected":"13.1.5"}]},{"events":[{"introduced":"14.1.0"},{"last_affected":"14.1.5"}]},{"events":[{"introduced":"15.1.0"},{"last_affected":"15.1.10"}]},{"events":[{"introduced":"16.1.0"},{"last_affected":"16.1.4"}]},{"events":[{"introduced":"17.1.0"},{"last_affected":"17.1.1"}]},{"events":[{"introduced":"13.1.0"},{"last_affected":"13.1.5"}]},{"events":[{"introduced":"14.1.0"},{"last_affected":"14.1.5"}]},{"events":[{"introduced":"15.1.0"},{"last_affected":"15.1.10"}]},{"events":[{"introduced":"16.1.0"},{"last_affected":"16.1.4"}]},{"events":[{"introduced":"17.1.0"},{"last_affected":"17.1.1"}]},{"events":[{"introduced":"13.1.0"},{"last_affected":"13.1.5"}]},{"events":[{"introduced":"14.1.0"},{"last_affected":"14.1.5"}]},{"events":[{"introduced":"15.1.0"},{"last_affected":"15.1.10"}]},{"events":[{"introduced":"16.1.0"},{"last_affected":"16.1.4"}]},{"events":[{"introduced":"17.1.0"},{"last_affected":"17.1.1"}]},{"events":[{"introduced":"13.1.0"},{"last_affected":"13.1.5"}]},{"events":[{"introduced":"14.1.0"},{"last_affected":"14.1.5"}]},{"events":[{"introduced":"15.1.0"},{"last_affected":"15.1.10"}]},{"events":[{"introduced":"16.1.0"},{"last_affected":"16.1.4"}]},{"events":[{"introduced":"17.1.0"},{"last_affected":"17.1.1"}]},{"events":[{"introduced":"13.1.0"},{"last_affected":"13.1.5"}]},{"events":[{"introduced":"14.1.0"},{"last_affected":"14.1.5"}]},{"events":[{"introduced":"15.1.0"},{"last_affected":"15.1.10"}]},{"events":[{"introduced":"16.1.0"},{"last_affected":"16.1.4"}]},{"events":[{"introduced":"17.1.0"},{"last_affected":"17.1.1"}]},{"events":[{"introduced":"13.1.0"},{"last_affected":"13.1.5"}]},{"events":[{"introduced":"14.1.0"},{"last_affected":"14.1.5"}]},{"events":[{"introduced":"15.1.0"},{"last_affected":"15.1.10"}]},{"events":[{"introduced":"16.1.0"},{"last_affected":"16.1.4"}]},{"events":[{"introduced":"17.1.0"},{"last_affected":"17.1.1"}]},{"events":[{"introduced":"13.1.0"},{"last_affected":"13.1.5"}]},{"events":[{"introduced":"14.1.0"},{"last_affected":"14.1.5"}]},{"events":[{"introduced":"15.1.0"},{"last_affected":"15.1.10"}]},{"events":[{"introduced":"16.1.0"},{"last_affected":"16.1.4"}]},{"events":[{"introduced":"17.1.0"},{"last_affected":"17.1.1"}]},{"events":[{"introduced":"13.1.0"},{"last_affected":"13.1.5"}]},{"events":[{"introduced":"14.1.0"},{"last_affected":"14.1.5"}]},{"events":[{"introduced":"15.1.0"},{"last_affected":"15.1.10"}]},{"events":[{"introduced":"16.1.0"},{"last_affected":"16.1.4"}]},{"events":[{"introduced":"17.1.0"},{"last_affected":"17.1.1"}]},{"events":[{"introduced":"13.1.0"},{"last_affected":"13.1.5"}]},{"events":[{"introduced":"14.1.0"},{"last_affected":"14.1.5"}]},{"events":[{"introduced":"15.1.0"},{"last_affected":"15.1.10"}]},{"events":[{"introduced":"16.1.0"},{"last_affected":"16.1.4"}]},{"events":[{"introduced":"17.1.0"},{"last_affected":"17.1.1"}]},{"events":[{"introduced":"13.1.0"},{"last_affected":"13.1.5"}]},{"events":[{"introduced":"14.1.0"},{"last_affected":"14.1.5"}]},{"events":[{"introduced":"15.1.0"},{"last_affected":"15.1.10"}]},{"events":[{"introduced":"16.1.0"},{"last_affected":"16.1.4"}]},{"events":[{"introduced":"17.1.0"},{"last_affected":"17.1.1"}]},{"events":[{"introduced":"13.1.0"},{"last_affected":"13.1.5"}]},{"events":[{"introduced":"14.1.0"},{"last_affected":"14.1.5"}]},{"events":[{"introduced":"15.1.0"},{"last_affected":"15.1.10"}]},{"events":[{"introduced":"16.1.0"},{"last_affected":"16.1.4"}]},{"events":[{"introduced":"17.1.0"},{"last_affected":"17.1.1"}]},{"events":[{"introduced":"13.1.0"},{"last_affected":"13.1.5"}]},{"events":[{"introduced":"14.1.0"},{"last_affected":"14.1.5"}]},{"events":[{"introduced":"15.1.0"},{"last_affected":"15.1.10"}]},{"events":[{"introduced":"16.1.0"},{"last_affected":"16.1.4"}]},{"events":[{"introduced":"17.1.0"},{"last_affected":"17.1.1"}]}]}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}]}