Security Advisory 2023-083

Release Date:

Critical Vulnerability in F5 BIG-IP Configuration utility



  • 27/10/2023 - v1.0 - Initial publication


On 26 October 2023, F5 released a security advisory for a critical vulnerability impacting BIG-IP that allows a user to perform remote code execution. The vulnerability is tracked as CVE-2023-46747 with a CVSS score of 9.8 out of 10. [1]

Technical Details

The CVE-2023-46747 vulnerability may allow an unauthenticated attacker with network access to the BIG-IP system through the management port and/or self IP addresses to execute arbitrary system commands. The vulnerability resides in the Configuration utility component of the affected versions.

Affected products

All models of BIG-IP are affected.

Versions known to be vulnerable    Fixes introduced in
                                   + Hotfix-BIGIP-
16.1.0 - 16.1.4                    16.1.4.1 + Hotfix-BIGIP-
15.1.0 - 15.1.10                   15.1.10.2 + Hotfix-BIGIP-
14.1.0 - 14.1.5                    14.1.5.6 + Hotfix-BIGIP-
13.1.0 - 13.1.5                    13.1.5.1 + Hotfix-BIGIP-

Software versions that have reached the End of Technical Support (EoTS) are not listed.


F5 has provided a shell script specifically tailored to mitigate the identified issue on affected product versions 14.1.0 and later. The script is designed to make the necessary adjustments to configuration files. [1]

It is important not to run the script on software versions below 14.1.0.


Since the vulnerable component is the Configuration utility of the product, F5 has provided two temporary workarounds [1] which are:

  • to block Configuration utility access through self IP addresses;
  • to block Configuration utility access through the management interface.


CERT-EU strongly recommends taking one of the following actions as a priority:

  1. Update to the latest version of the affected software.
  2. Apply the provided mitigation and workarounds when updating is not possible immediately.


