CVE-2023-46748

BIG-IP Configuration utility authenticated SQL injection vulnerability

Basic Information

CVE State
PUBLISHED
Reserved Date
October 25, 2023
Published Date
October 26, 2023
Last Updated
February 13, 2025
Vendor
F5
Product
BIG-IP
Description
An authenticated SQL injection vulnerability exists in the BIG-IP Configuration utility which may allow an authenticated attacker with network access to the Configuration utility through the BIG-IP management port and/or self IP addresses to execute arbitrary system commands. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

CVSS Scores

CVSS v3.1

8.8 - HIGH

Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

SSVC Information

Exploitation
active
Technical Impact
total

Exploit Status

Exploited in the Wild
Yes (added 2023-10-31 00:00:00 UTC)

Known Exploited Vulnerability Information

Source
CISA
Added Date
2023-10-31 00:00:00 UTC