[TIMESTAMP: 2026-04-02 08:28 UTC] [AUTHOR: Runtime Rebel Intel] [SEVERITY: CRITICAL]

CVE-2023-46747: 14,000 F5 BIG-IP APM Instances Exposed to RCE

CRITICAL Vulnerabilities #CVE-2023-46747#CVE-2023-46748#F5-BIG-IP
AI-Assisted Analysis
// executive briefing tl;dr
  • [01] Attackers can achieve full remote code execution on exposed F5 BIG-IP APM instances, potentially leading to complete network compromise.
  • [02] F5 BIG-IP versions 17.x, 16.x, 15.x, 14.x, and 13.x are vulnerable to these critical remote code execution flaws.
  • [03] Administrators must immediately apply the latest security updates provided by F5 or restrict management interface access to trusted networks.

A recent analysis by the Shadowserver Foundation has revealed that over 14,000 F5 BIG-IP Access Policy Manager (APM) instances are currently exposed to the internet, many of which remain vulnerable to a critical-severity RCE vulnerability. According to Bleeping Computer, the vulnerability, tracked as CVE-2023-46747, carries a CVSS score of 9.8 and allows unauthenticated attackers to bypass security controls and execute arbitrary commands on the host system.

Technical Analysis of CVE-2023-46747

CVE-2023-46747 stems from a request smuggling flaw in the Traffic Management Microkernel (TMM) to Apache JServ Protocol (AJP) communication path. By crafting a specific HTTP request, an external attacker can bypass authentication on the F5 configuration utility (TMUI). This flaw is particularly dangerous because it grants the attacker the ability to execute system commands with administrative privileges.

In addition to the request smuggling flaw, F5 disclosed CVE-2023-46748, an SQL injection vulnerability that can also lead to command execution, though it typically requires authentication. However, when combined with the authentication bypass capabilities of CVE-2023-46747, the impact is significantly amplified. The SOC should prioritize these assets as they often sit at the edge of the corporate network, acting as a gateway for remote workers and internal services.

How to Detect CVE-2023-46747 Exploitation Attempts

For organizations concerned about potential compromise, understanding how to detect CVE-2023-46747 exploit attempts is vital for incident response. Security teams should monitor the web server logs (specifically /var/log/httpd/httpd_errors) for unusual requests containing AJP-related headers or unexpected traffic directed toward the /tmui/ path.

Evidence of exploitation may also include the presence of newly created administrative accounts or modifications to the system’s /etc/passwd file. Analysts should use their SIEM to correlate these logs with IoC feeds, specifically looking for known malicious IP addresses scanning for F5 management interfaces. If an attacker gains a foothold, they often use the device as a pivot point for Lateral Movement, making EDR telemetry on adjacent servers equally important.
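The two indicator classes described above (suspicious /tmui/ or AJP-related activity in httpd_errors, and unexpected local accounts) can be triaged with a small script. The following is an added example written for this article, not an F5 tool or anything from the original report: the log lines, the passwd entries and the trusted management network (10.10.0.0/16) are all constructed for illustration, and the "AJP-related" and "/tmui/" heuristics are taken directly from the text rather than from any published exploit signature.

```python
"""Defensive triage helpers for the CVE-2023-46747 indicators named in the article.

Hypothetical example: the log lines, passwd entries and trusted network below are constructed.
"""
import ipaddress
import re
from dataclasses import dataclass, field

# Management networks that are allowed to reach TMUI (assumed value for this example).
TRUSTED_MGMT_NETS = [ipaddress.ip_network("10.10.0.0/16")]

# Constructed lines in the style of /var/log/httpd/httpd_errors; not real device output.
SAMPLE_HTTPD_ERRORS = [
    "[Mon Oct 30 10:01:02 2023] [notice] [client 10.10.1.5] GET /tmui/login.jsp",
    "[Mon Oct 30 10:01:07 2023] [error] [client 203.0.113.9] POST /tmui/locallb/workspace/ with unexpected AJP header",
    "[Mon Oct 30 10:01:09 2023] [warn] [client 203.0.113.9] ajp_read_header: failed to read AJP response",
    "[Mon Oct 30 10:02:00 2023] [notice] [client 10.10.1.7] GET /mgmt/shared/authn/login",
]

# Constructed /etc/passwd snapshots: a known-good baseline and the current state of the device.
BASELINE_PASSWD = [
    "root:x:0:0:root:/root:/bin/bash",
    "admin:x:1000:1000::/home/admin:/bin/bash",
]
CURRENT_PASSWD = [
    "root:x:0:0:root:/root:/bin/bash",
    "admin:x:1000:1000::/home/admin:/bin/bash",
    "support:x:0:0::/home/support:/bin/bash",
    "svc_backup:x:1001:1001::/home/svc_backup:/bin/bash",
]

CLIENT_RE = re.compile(r"\[client (?P<ip>[0-9a-fA-F.:]+)\]")
TMUI_RE = re.compile(r"/tmui/", re.IGNORECASE)
# "AJP" as a word, or an "ajp_" prefixed identifier as emitted by mod_proxy_ajp-style messages.
AJP_RE = re.compile(r"\bajp\b|ajp_", re.IGNORECASE)


@dataclass
class Finding:
    line_no: int
    client: str
    reasons: list = field(default_factory=list)


def _is_trusted(ip_text, trusted_nets):
    """True if the client address falls inside one of the trusted management networks."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    return any(ip in net for net in trusted_nets)


def scan_httpd_errors(lines, trusted_nets=TRUSTED_MGMT_NETS):
    """Flag TMUI access from outside the management network and any AJP-related message."""
    findings = []
    for no, line in enumerate(lines, 1):
        m = CLIENT_RE.search(line)
        client = m.group("ip") if m else "unknown"
        reasons = []
        if TMUI_RE.search(line) and not _is_trusted(client, trusted_nets):
            reasons.append("tmui_from_untrusted")
        if AJP_RE.search(line):
            reasons.append("ajp_marker")
        if reasons:
            findings.append(Finding(no, client, reasons))
    return findings


def suspicious_accounts(baseline, current):
    """Return (name, uid, reasons) for accounts new since the baseline or sharing UID 0 with root."""
    known = {entry.split(":")[0] for entry in baseline}
    out = []
    for entry in current:
        fields = entry.split(":")
        if len(fields) < 3 or not fields[2].isdigit():
            continue  # skip malformed lines rather than crash mid-triage
        name, uid = fields[0], int(fields[2])
        reasons = []
        if name not in known:
            reasons.append("new_account")
        if uid == 0 and name != "root":
            reasons.append("uid0_not_root")
        if reasons:
            out.append((name, uid, reasons))
    return out


if __name__ == "__main__":
    for f in scan_httpd_errors(SAMPLE_HTTPD_ERRORS):
        print(f"httpd_errors line {f.line_no} from {f.client}: {', '.join(f.reasons)}")
    for name, uid, reasons in suspicious_accounts(BASELINE_PASSWD, CURRENT_PASSWD):
        print(f"account {name} (uid {uid}): {', '.join(reasons)}")
```

On a real device the lists would be read from /var/log/httpd/httpd_errors and from a passwd snapshot taken before the exposure window; the point of keying on the management network is that legitimate TMUI logins from administrators stay out of the alert queue while the same path hit from an unexpected source does not.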

Impact on the Attack Surface

The exposure of 14,000 instances highlights a persistent issue in vulnerability management: the gap between patch availability and deployment. F5 BIG-IP devices are core infrastructure components used for load balancing, traffic management, and SSL termination. Compromising an APM instance allows an attacker to intercept traffic, steal credentials, and map internal network architecture, fitting several stages of the MITRE ATT&CK framework, including Initial Access and Persistence.

Shadowserver’s data suggests that the highest concentration of exposed instances is located in the United States, followed by Japan and Singapore. The sheer volume of exposed interfaces makes these devices high-value targets for both opportunistic cybercriminals and sophisticated actors looking for entry points into sensitive environments.

F5 BIG-IP 17.1.0 RCE Mitigation Steps

To address these risks, administrators should follow these F5 BIG-IP 17.1.0 RCE mitigation steps immediately. The primary recommendation is to update to a patched version of the software. F5 has released fixes for all major branches, including:

  • 17.1.0.3 and later
  • 16.1.4.1 and later
  • 15.1.10.2 and later
  • 14.1.5.6 and later
  • 13.1.5.1 and later
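Turning the list above into a fleet check is mostly a version-comparison problem: each major branch has its own fixed release, and a reported version has to be compared component by component against the fix for its branch. The script below is an added example for this article, not F5 tooling; the fixed versions are exactly those listed above, the inventory is constructed, and any major version the article does not list is reported as unknown rather than assumed safe or unsafe.

```python
"""Compare reported BIG-IP versions against the fixed releases listed in the article.

Added example; the host inventory is constructed and the fixed-version table is taken from the text.
"""
import re

# Fixed release per major branch, as listed in the article ("and later" is patched).
FIXED_VERSIONS = {
    17: "17.1.0.3",
    16: "16.1.4.1",
    15: "15.1.10.2",
    14: "14.1.5.6",
    13: "13.1.5.1",
}

# Constructed inventory of hostnames and the software version each reports.
SAMPLE_INVENTORY = {
    "apm-edge-01.example.test": "17.1.0",
    "apm-edge-02.example.test": "17.1.0.3",
    "apm-dc-01.example.test": "15.1.10.1",
    "apm-lab-01.example.test": "12.1.6",
}

VERSION_RE = re.compile(r"^\d+(?:\.\d+)*")


def parse_version(text, width=4):
    """Parse the leading dotted-numeric part of a version string into a zero-padded tuple."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    parts = [int(p) for p in m.group(0).split(".")]
    return tuple(parts + [0] * (width - len(parts)))[:width]


def patch_status(version):
    """Return 'patched', 'vulnerable' or 'unknown_branch' for a reported version."""
    parts = parse_version(version)
    fixed = FIXED_VERSIONS.get(parts[0])
    if fixed is None:
        return "unknown_branch"  # branch not covered by the article; verify against F5's advisory
    return "patched" if parts >= parse_version(fixed) else "vulnerable"


def hosts_needing_action(inventory):
    """Hostnames that are not confirmed patched, with their status, sorted by hostname."""
    return sorted(
        (host, version, patch_status(version))
        for host, version in inventory.items()
        if patch_status(version) != "patched"
    )


if __name__ == "__main__":
    for host, version, status in hosts_needing_action(SAMPLE_INVENTORY):
        print(f"{host}: {version} -> {status}")
```

Zero-padding both tuples before comparison is what makes "17.1.0" compare as older than "17.1.0.3" instead of raising or comparing by length; the unknown-branch result is deliberate so that an out-of-scope version lands on a human rather than being silently dropped from the patch list.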

If immediate patching is not possible, the most effective mitigation is to restrict access to the management interface. Ensure that the TMUI is not reachable from the public internet and is only accessible via a secure, internal management network or a trusted VPN. F5 also provides a script for certain versions to mitigate the request smuggling vulnerability by modifying the AJP configuration, though this should be considered a temporary measure until a full update is applied.
