Threats / F5 / CVE-2023-46748
CVE-2023-46748
· EUVD no mirror located
· GCVE no mirror located
Verified 2026-06-22
F5 BIG-IP Configuration Utility vulnerability
F5 BIG-IP Configuration Utility contains an SQL injection vulnerability allowing authenticated attackers with network access to the management interface to execute system commands.
Verdict
Today item — known-exploited.
An authenticated attacker with access to BIG-IP management ports can exploit SQL injection to execute arbitrary system commands, potentially compromising infrastructure configuration and control. Active exploitation observed in the wild.
01
Is it exploitable?
— the evidence, ranked above the scoreReported exploitation
4 independent public reports of in-the-wild exploitation are cataloged.Distinct reporting sources (vendor, incident response, government); open them for the underlying claims.
Exploited in the wild
Listed in the CISA Known Exploited Vulnerabilities catalog (added 2023-10-31).
Probability (EPSS)
EPSS 0.04468 — modeled likelihood of exploitation activity.EPSS is a daily-changing model output — open the source for today's value.
Severity / affected
Affected: F5, BIG-IP Configuration Utility. Confirm exact fixed builds in the vendor advisory.
Weakness (CWE)
Mapped to CWE-89 SQL Injection — weakness family: Injection.CWE assignment from the public NVD record; the weakness class drives how the flaw is exploited.
02
Who’s exploiting it?
— attribution turns risk into urgencyAttribution not established
No confirmed (advisory-backed) threat-actor attribution is established for this record. Absence of a named actor is not absence of compromise — see Coverage & confidence.
03
Why it matters
— the attack path, told twice: adversary, then board1
Front door — unauthenticated access narrative 1
Attacker
I gain network access to the BIG-IP management port or self IP addresses.
Business
Attacker establishes initial network foothold against critical load balancing infrastructure.
2
Keys to the kingdom — privilege/identity takeover narrative 2
Attacker
I authenticate to the BIG-IP Configuration Utility using valid credentials.
Business
Compromised or default credentials enable progression to authenticated attack surface.
3
Lateral reach — past segmentation narrative 3
Attacker
I craft SQL injection payloads through the Configuration Utility interface to manipulate database queries.
Business
SQL injection bypasses application logic and data access controls.
4
Data at risk — exfiltration narrative 4
Attacker
I execute arbitrary system commands on the BIG-IP device through the injected SQL.
Business
Attacker gains code execution on critical network infrastructure with system-level privileges.
5
Lights out — disruption & extortion narrative 5
Attacker
I maintain persistence and pivot to dependent systems or exfiltrate configuration data.
Business
Complete compromise of load balancing services, traffic interception, and potential lateral movement across protected networks.
04
What to do
— defensible action- Remediate per the vendor advisory — confirm the fixed build for your version and verify exposure.1
Say it to the boardA vulnerability with this evidence profile is a defensible budget line, not a backlog ticket — fund the change against the proof above.
05