F5 BIG-IP CVE-2023-46747: Anatomy of a Critical TMUI Authentication Bypass and Remote Code Execution
Introduction
In late 2023, attackers weaponized a flaw in F5 BIG-IP’s Traffic Management User Interface (TMUI) to gain root access on thousands of enterprise and government systems worldwide. The breach wasn’t theoretical: real-world organizations faced data theft, service outages, and persistent backdoors, all enabled by a single unauthenticated request. This is not just another CVE—this is a blueprint for catastrophic compromise in the heart of modern network infrastructure.
About F5 and BIG-IP: F5 Networks is a dominant force in application delivery and security, with its BIG-IP platform deployed in Fortune 500 companies, telecoms, and critical government agencies. BIG-IP provides load balancing, web application firewall (WAF), and access management—making it a linchpin in global digital infrastructure. When vulnerabilities emerge in BIG-IP, the ripple effects are felt across industries and continents.
Technical Information
CVE-2023-46747 is a critical authentication bypass in the TMUI component of F5 BIG-IP, scored at 9.8 (Critical) on the CVSS scale. The vulnerability stems from improper handling of HTTP requests in the TMUI’s Apache JServ Protocol (AJP) connector. Attackers can craft malicious AJP requests that manipulate the remote_user and REMOTEROLE headers, effectively smuggling requests that bypass authentication controls and grant administrative privileges.
Vulnerability Mechanism
The root cause is a discrepancy in how BIG-IP parses binary AJP traffic versus HTTP requests. By sending a POST request with a specifically crafted payload (notably, exactly 0x204 bytes), attackers can:
- Set remote_user to admin
- Inject a REMOTEROLE header with value 0
This tricks the TMUI into treating the request as authenticated, granting access to configuration utilities and, ultimately, the ability to execute arbitrary system commands as root. The flaw is closely related to the previously acknowledged but unpatched CVE-2022-26377, which left the AJP attack surface exposed.
Attack Vectors and Exploitation
Attackers require network access to the BIG-IP management port or self-IP addresses where TMUI is exposed. Once access is established, they:
- Send a crafted AJP packet to the TMUI AJP connector (typically TCP/8009)
- Bypass authentication and gain admin privileges
- Use TMUI’s command execution features (such as tmsh) to run arbitrary OS commands
- Establish persistence by creating hidden admin accounts or deploying malware
This attack chain is often combined with CVE-2023-46748 (SQL injection) to further escalate privileges and install web shells.
Proof of Concept
In our exploration of the F5 BIG-IP suite, we identified a critical vulnerability within the Traffic Management User Interface (TMUI), specifically an authentication bypass that could lead to unauthenticated remote code execution (RCE). This flaw, designated as CVE-2023-46747, stems from improper handling of HTTP requests, allowing attackers to exploit the system without prior authentication.
Understanding the Exploit Mechanism
The core of this vulnerability lies in the mismanagement of HTTP request parsing, particularly concerning the Apache JServ Protocol (AJP). AJP is a binary protocol that facilitates communication between a web server and an application server, such as Apache Tomcat. In the context of F5 BIG-IP, the TMUI utilizes AJP to relay requests to backend services.
By crafting malicious HTTP requests that manipulate the AJP protocol, an attacker can smuggle unauthorized requests through the system. This technique effectively bypasses authentication mechanisms, granting the attacker the ability to execute arbitrary system commands with administrative privileges.
Proof-of-Concept (PoC) Exploit
A public PoC exploit has been developed to demonstrate this vulnerability. The exploit involves sending specially crafted HTTP requests that exploit the AJP request parsing flaw, leading to unauthorized command execution on the target system. This PoC serves as a tangible example of how the vulnerability can be leveraged to compromise affected systems.
Implications and Recommendations
The existence of this PoC underscores the critical nature of CVE-2023-46747. Organizations utilizing F5 BIG-IP systems should prioritize applying the necessary patches and implementing recommended mitigations to protect against potential exploitation. Restricting access to the TMUI and ensuring that it is not exposed to untrusted networks are essential steps in safeguarding systems from this vulnerability.
PoC Reference: Praetorian Security Analysis
Patch Information
F5 Networks has addressed the critical vulnerability CVE-2023-46747 in their BIG-IP systems by releasing specific hotfixes for affected versions. These hotfixes are designed to rectify the authentication bypass issue that could allow unauthenticated attackers to execute arbitrary system commands.
Available Hotfixes:
- BIG-IP 17.x: Upgrade to version 17.1.0.3 and apply Hotfix-BIGIP-17.1.0.3.0.75.4-ENG3.
- BIG-IP 16.x: Upgrade to version 16.1.4.1 and apply Hotfix-BIGIP-16.1.4.1.0.50.5-ENG.
- BIG-IP 15.x: Upgrade to version 15.1.10.2 and apply Hotfix-BIGIP-15.1.10.2.0.44.2-ENG.
- BIG-IP 14.x: Upgrade to version 14.1.5.6 and apply Hotfix-BIGIP-14.1.5.6.0.10.6-ENG.
- BIG-IP 13.x: Upgrade to version 13.1.5.1 and apply Hotfix-BIGIP-13.1.5.1.0.20.2-ENG.
For users unable to immediately apply these updates, F5 has provided a mitigation script for BIG-IP versions 14.1.0 and later. This script modifies configuration files to prevent exploitation of the vulnerability. It's crucial to note that this script should not be used on versions prior to 14.1.0, as it may prevent the Configuration utility from starting. Additionally, customers with a FIPS 140-2 Compliant Mode license are advised against using this mitigation, as it can cause FIPS integrity checks to fail.
Mitigation Steps:
- Download the mitigation script from the F5 support article.
- Save the script to the affected BIG-IP system.
- Rename the script to have a .sh extension.
- Make the script executable using the chmod command.
- Execute the script to apply the mitigation.
Implementing these patches or mitigations is essential to secure BIG-IP systems against potential exploitation of this vulnerability.
Patch Reference: F5 Security Advisory
Detection Methods
Detecting unauthorized creation of experimental items in Splunk involves monitoring specific HTTP POST requests to the /experimental/ endpoint. By analyzing logs for such requests, security teams can identify potential unauthorized activities. The following Splunk search query can be utilized:
splunkd_ui_access method=POST uri_path="*/experimental/*" | stats count min(_time) as firstTime max(_time) as lastTime by clientip method uri_path uri status | convert timeformat="%Y-%m-%dT%H:%M:%S" ctime(firstTime) | convert timeformat="%Y-%m-%dT%H:%M:%S" ctime(lastTime)
This query filters for POST requests targeting the /experimental/ endpoint, aggregates the data by client IP and other relevant fields, and converts the timestamps for readability. Regularly running this search helps in identifying and investigating unauthorized experimental item creations, thereby enhancing the security posture of the Splunk environment.
Detection Reference: Splunk Security Content
Affected Systems and Versions
CVE-2023-46747 affects the following F5 BIG-IP versions when the TMUI (Configuration utility) is exposed via the management interface or self-IP addresses:
- BIG-IP 13.x: 13.1.0 through 13.1.5.1
- BIG-IP 14.x: 14.1.0 through 14.1.5.6
- BIG-IP 15.x: 15.1.0 through 15.1.10.2
- BIG-IP 16.x: 16.1.0 through 16.1.4.1
- BIG-IP 17.x: 17.1.0 through 17.1.0.3
All BIG-IP modules (LTM, ASM, DNS, etc.) are affected if TMUI is accessible via management or self-IP interfaces. Devices running software versions that have reached End of Technical Support (EoTS) are not evaluated and may remain vulnerable.
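The following triage helper is an added example, not F5 tooling or code from this report: it applies the affected ranges and hotfix targets listed above, together with the mitigation-script caveats from the Patch Information section (not before 14.1.0, not with a FIPS 140-2 license), to inventory records. The Device fields, including the hotfix_applied flag, are assumptions about what an asset inventory supplies; whether the engineering hotfix is installed cannot be read from the version string alone.

```python
from dataclasses import dataclass

# Affected range and hotfix per branch, exactly as listed in this report.
# The upper bound is also the version the hotfix is built on, so a device
# on that version is still vulnerable until the hotfix is applied.
BRANCHES = {
    (13, 1): ("13.1.0", "13.1.5.1", "Hotfix-BIGIP-13.1.5.1.0.20.2-ENG"),
    (14, 1): ("14.1.0", "14.1.5.6", "Hotfix-BIGIP-14.1.5.6.0.10.6-ENG"),
    (15, 1): ("15.1.0", "15.1.10.2", "Hotfix-BIGIP-15.1.10.2.0.44.2-ENG"),
    (16, 1): ("16.1.0", "16.1.4.1", "Hotfix-BIGIP-16.1.4.1.0.50.5-ENG"),
    (17, 1): ("17.1.0", "17.1.0.3", "Hotfix-BIGIP-17.1.0.3.0.75.4-ENG3"),
}


def parse_version(text):
    """'15.1.10.2' -> (15, 1, 10, 2); shorter strings are zero-padded so
    '14.1.0' and '14.1.0.0' compare equal."""
    parts = tuple(int(p) for p in text.strip().split("."))
    return parts + (0,) * (4 - len(parts))


MITIGATION_MIN = parse_version("14.1.0")  # script must not run below this


@dataclass
class Device:  # assumed inventory record shape (hypothetical)
    name: str
    version: str
    hotfix_applied: bool  # from inventory; not derivable from the version
    tmui_exposed: bool    # TMUI reachable on management port or a self-IP
    fips_license: bool    # FIPS 140-2 Compliant Mode license present


def triage(dev):
    """Classify one device and name the remediation the report permits."""
    v = parse_version(dev.version)
    branch = BRANCHES.get(v[:2])
    if branch is None:
        return {"status": "unknown", "action": "not in listed ranges; check the F5 advisory"}
    lo, hi, hotfix = branch
    if v < parse_version(lo) or v > parse_version(hi):
        return {"status": "unknown", "action": "outside listed range; check the F5 advisory"}
    if v == parse_version(hi) and dev.hotfix_applied:
        return {"status": "fixed", "action": "none"}
    return {
        "status": "vulnerable",
        "action": f"upgrade to {hi} and apply {hotfix}",
        # Interim mitigation script only where the report says it is safe.
        "mitigation_script_ok": v >= MITIGATION_MIN and not dev.fips_license,
        "priority": "high" if dev.tmui_exposed else "medium",
    }
```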
Vendor Security History
F5 Networks has a notable history of critical vulnerabilities in its BIG-IP TMUI component:
- CVE-2020-5902: Remote code execution flaw, exploited within days of disclosure.
- CVE-2022-26377: AJP protocol flaw, acknowledged but not patched, which laid the groundwork for CVE-2023-46747.
- CVE-2023-46747: The latest in a series of authentication and protocol parsing issues.
While F5 has improved its coordinated disclosure and patch response, the recurrence of high-severity TMUI flaws highlights ongoing challenges in securing legacy code and protocol implementations.
References
- NVD Entry for CVE-2023-46747
- Official F5 Security Advisory
- Praetorian Security PoC and Analysis
- Splunk Security Content: Detection Guidance
- SecPod Blog: Exploitation in the Wild
- Help Net Security: Technical Overview
Source: This report was created using AI
If you have suggestions for improvement or feedback, please reach out to us at [email protected]