IRONSMITHINTEL
HIGH | CVSS 8.8 | Actively Exploited | CISA KEV | CVE-2023-46748 | Auth: low (authenticated user) | Reboot: required | Manual only

F5 BIG-IP Configuration Utility SQL Injection Vulnerability (CVE-2023-46748)

F5 BIG-IP Configuration utility contains an SQL injection vulnerability that may allow an authenticated attacker with network access through the BIG-IP management port and/or self IP addresses to execute system commands. This vulnerability can be used in conjunction with CVE-2023-46747.

Published Oct 26, 2023 · Updated May 17, 2026
Why patch: risk explained in plain English

Worst-case scenario (if unpatched)

A remote attacker, with a low-privilege account, can achieve full data confidentiality loss, arbitrary modification of data, complete denial of service or system unavailability. Federal agencies are required to remediate by 2023-11-21 under CISA BOD 22-01.

How the attack works (no clicks needed)

This is a SQL Injection (CWE-89) vulnerability in the F5 BIG-IP Configuration Utility. An authenticated SQL injection vulnerability exists in the BIG-IP Configuration utility which may allow an authenticated attacker with network access to the Configuration utility through the BIG-IP management port and/or self IP addresses to execute arbitrary system commands. Note: software versions which have reached End of Technical Support (EoTS) are not evaluated. Exploitation requires remote network access, low attack complexity and a low-privilege authenticated account; no user interaction is required.

Am I affected? (quick check)

Probably yes if any of these apply:

IT Security

Running any of these BIG-IP modules:
Access Policy Manager, Advanced Firewall Manager, Carrier-Grade NAT, DDoS Hybrid Defender, SSL Orchestrator, Local Traffic Manager, Policy Enforcement Manager, Automation Toolchain, Container Ingress Services, Advanced Web Application Firewall, Domain Name System, Application Security Manager, Analytics, Application Acceleration Manager, Application Visibility and Reporting, Fraud Protection Services, Global Traffic Manager, Link Controller, WebAccelerator, WebSafe

at any of these versions (the same ranges apply to every module above; bounds are inclusive):
13.1.0 ≤ v ≤ 13.1.5
14.1.0 ≤ v ≤ 14.1.5
15.1.0 ≤ v ≤ 15.1.10
16.1.0 ≤ v ≤ 16.1.4
17.1.0 ≤ v ≤ 17.1.1
Real-world incidents (what we've seen)

Active exploitation documented in the wild. Threat-research write-up: https://www.secpod.com/blog/f5-issues-warning-big-ip-vulnerability-used-in-active-exploit-chain/

How to patch

Manual remediation steps

1. Identify affected hosts: query inventory for network-security installs in scope.
2. Apply the vendor security update referenced in CVE-2023-46748's advisory. No specific KB/version is encoded yet; consult the linked MSRC/vendor URL.
3. Verify the fix per the vendor's published verification steps.
4. Document the remediation in your change ticket and re-scan with your vulnerability scanner to confirm closure.
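The affected-version check behind "Am I affected?" and behind step 1 above, as an added Python example that is not part of this advisory and not F5's own tooling: it encodes the five inclusive ranges listed on this page, classifies a BIG-IP version string against them (flagging releases below 13.1.0, which the page says were not evaluated because they are EoTS), and runs the check over a constructed inventory of captured `tmsh show sys version` output. The hostnames, the sample output and its "Version <x.y.z>" line layout are assumptions; fixed versions are deliberately not named because this page does not list them, so "not-listed" only means "outside every range the advisory gives".

```python
import re

# Inclusive version ranges from the advisory's "Am I affected?" list. The page gives the same
# ranges for every BIG-IP module it names, so one table covers all of them.
AFFECTED_RANGES = [
    ((13, 1, 0), (13, 1, 5)),
    ((14, 1, 0), (14, 1, 5)),
    ((15, 1, 0), (15, 1, 10)),
    ((16, 1, 0), (16, 1, 4)),
    ((17, 1, 0), (17, 1, 1)),
]
# The advisory notes that End of Technical Support releases were not evaluated; everything
# below the lowest listed range is treated as "unknown" rather than "safe".
LOWEST_EVALUATED = (13, 1, 0)

VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> tuple:
    """'16.1.3' -> (16, 1, 3). A trailing build component such as '16.1.3.1' is ignored."""
    m = VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised BIG-IP version string: {text!r}")
    return tuple(int(x) for x in m.groups())


def classify(version: str) -> str:
    """Return 'affected', 'not-listed' (outside every listed range) or 'eots-not-evaluated'."""
    v = parse_version(version)
    if any(lo <= v <= hi for lo, hi in AFFECTED_RANGES):
        return "affected"
    if v < LOWEST_EVALUATED:
        return "eots-not-evaluated"
    return "not-listed"


def is_affected(version: str) -> bool:
    return classify(version) == "affected"


def version_from_tmsh(output: str) -> str:
    """Pull the 'Version' field out of captured `tmsh show sys version` output.

    Assumption: the version appears on a line whose first token is 'Version', as in the
    constructed sample below. Check this against a real capture before relying on it.
    """
    for line in output.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "Version":
            return parts[1]
    raise ValueError("no Version line found in tmsh output")


# Constructed sample inventory (hypothetical hostnames): hostname -> captured tmsh output.
SAMPLE_INVENTORY = {
    "bigip-edge-01": "Sys::Version\nMain Package\n  Product     BIG-IP\n  Version     16.1.3\n  Build       0.0.12\n",
    "bigip-edge-02": "Sys::Version\nMain Package\n  Product     BIG-IP\n  Version     15.1.10\n  Build       0.0.44\n",
    "bigip-lab-03": "Sys::Version\nMain Package\n  Product     BIG-IP\n  Version     17.1.2\n  Build       0.0.3\n",
    "bigip-old-04": "Sys::Version\nMain Package\n  Product     BIG-IP\n  Version     12.1.6\n  Build       0.0.4\n",
}


def assess_inventory(inventory: dict) -> dict:
    """Map each host to (version, classification) for the change ticket."""
    result = {}
    for host, output in inventory.items():
        version = version_from_tmsh(output)
        result[host] = (version, classify(version))
    return result


def affected_hosts(inventory: dict) -> list:
    """Sorted hostnames that fall inside a listed affected range."""
    return sorted(h for h, (_, status) in assess_inventory(inventory).items() if status == "affected")


if __name__ == "__main__":
    for host, (version, status) in assess_inventory(SAMPLE_INVENTORY).items():
        print(f"{host:14} {version:8} {status}")
```

Running the block prints one line per sampled host; the "eots-not-evaluated" bucket is worth keeping separate in a real sweep, since a version the vendor did not evaluate should land on the upgrade list rather than be reported as clean.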
PowerShell automation (coming soon)

No tested PowerShell script for this entry yet. We’re prioritising automation based on user demand.