CVE-2023-46748
HIGH KEV
BIG-IP - Authenticated SQL Injection
An authenticated SQL injection vulnerability exists in the BIG-IP Configuration utility which may allow an authenticated attacker with network access to the Configuration utility through the BIG-IP management port and/or self IP addresses to execute arbitrary system commands. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
References (3)
Scores
CVSS v3: 8.8
EPSS: 0.0435
EPSS Percentile: 89.0%
Attack Vector: NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Details
CISA KEV: 2023-10-31
VulnCheck KEV: 2023-10-30
InTheWild.io: 2023-10-31
ENISA EUVD: EUVD-2023-50917
CWE: CWE-89
Status: published
Products (20)
f5/big-ip_access_policy_manager: 13.1.0 - 13.1.5
f5/big-ip_advanced_firewall_manager: 13.1.0 - 13.1.5
f5/big-ip_advanced_web_application_firewall: 13.1.0 - 13.1.5
f5/big-ip_analytics: 13.1.0 - 13.1.5
f5/big-ip_application_acceleration_manager: 13.1.0 - 13.1.5
f5/big-ip_application_security_manager: 13.1.0 - 13.1.5
f5/big-ip_application_visibility_and_reporting: 13.1.0 - 13.1.5
f5/big-ip_automation_toolchain: 13.1.0 - 13.1.5
f5/big-ip_carrier-grade_nat: 13.1.0 - 13.1.5
f5/big-ip_container_ingress_services: 13.1.0 - 13.1.5
... and 10 more
Published: Oct 26, 2023
KEV Added: Oct 31, 2023
Tracked Since: Feb 18, 2026