IRONSMITHINTEL
CRITICAL | CVSS 9.8 | Actively Exploited | CISA KEV | CVE-2023-46747
Auth: none — unauthenticated | Reboot: required | Est. 1 hour including system restart | Manual only

F5 BIG-IP < 17.1.0.3 — RCE

F5 BIG-IP's Traffic Management User Interface (TMUI) has an authentication bypass enabling unauthenticated RCE. Apply the October 2023 hotfix immediately — CISA flagged active exploitation.

Published Oct 26, 2023 · Updated May 10, 2026
Why patch (risk explained in plain English)

Worst-case scenario (if unpatched)

An unauthenticated attacker with access to the BIG-IP management interface can execute arbitrary OS commands as root. This allows complete control of the load balancer — modifying traffic policies, stealing SSL keys/certificates, capturing all traffic the BIG-IP processes, and using the device as a pivot into the internal network.

How the attack works (no clicks needed)

F5 BIG-IP's TMUI (Configuration Utility) on port 443 has an authentication bypass vulnerability. By sending specially crafted HTTP requests, an unauthenticated attacker can bypass authentication and reach an AJP (Apache JServ Protocol) backend that can execute arbitrary commands on the BIG-IP system with root privileges.

Am I affected? (Quick check)

Probably yes if any of these apply:

Network Security Team
Load Balancer Administrators
IT Security
Running F5 BIG-IP 17.1.0 < 17.1.0.3, 16.1.0 < 16.1.4.2, 15.1.0 < 15.1.10.4, 14.1.0 < 14.1.5.7, 13.1.0 < 13.1.5.1
Fixed in: F5 BIG-IP 17.1.0.3 / 16.1.4.2 / 15.1.10.4 / 14.1.5.7 / 13.1.5.1

Real-world incidents (what we've seen)

Praetorian security researchers discovered CVE-2023-46747 and disclosed it in October 2023 alongside F5's patch. CISA added it to the Known Exploited Vulnerabilities catalog and noted active exploitation. F5 BIG-IP devices are extremely common in enterprise environments as load balancers and SSL terminators, making this a high-value target. Mass scanning for vulnerable management interfaces began immediately after disclosure.

How to patch

Manual remediation steps (estimated time: 1 hour including system restart)

Check BIG-IP Version

# From the BIG-IP TMSH CLI:
tmsh show sys version

Restrict TMUI Access Immediately

# Block access to TMUI from untrusted networks at the BIG-IP level:
# Management > Network > Self IPs
# Remove port 443 from the services allowed on management network self IPs
# Or restrict via external firewall

# Verify TMUI is only accessible from trusted management IPs

Check for Compromise Indicators

# Check for recently created admin users
tmsh list auth user

# Check for unexpected modifications to configuration
tmsh show sys log | grep "Configuration imported\|User.*created"

# Look for web shells in TMUI directories
find /usr/share/java/websso -name "*.jsp" -newer /var/db/mcpd/bigip_base.conf

Apply the Hotfix

1. Download the appropriate hotfix from https://my.f5.com/manage/s/downloads
2. Upload via TMUI: System > Software Management > Hotfix List > Import
3. Or via TMSH:
tmsh install sys software hotfix <filename> create-volume volume HD1.2
tmsh show sys software
4. Reboot to the patched volume

Verify

tmsh show sys version
# Must show hotfix applied
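
The version check and the affected ranges from the quick check, combined into a POSIX shell helper. This is an added example, not code from F5 or from this page; the function names and the sample `tmsh` output are constructed for illustration. The thresholds are the page's "Fixed in" values, and the helper compares version numbers only, so the Verify output must still show the hotfix applied.

```shell
# Added example. Thresholds are copied from this page's "Fixed in" line.

# fixed_for BRANCH: print the fixed release for a major.minor branch.
fixed_for() {
    case "$1" in
        17.1) echo 17.1.0.3 ;;
        16.1) echo 16.1.4.2 ;;
        15.1) echo 15.1.10.4 ;;
        14.1) echo 14.1.5.7 ;;
        13.1) echo 13.1.5.1 ;;
        *) return 1 ;;
    esac
}

# ver_lt A B: succeed if A < B, field by field, numerically (15.1.9 < 15.1.10).
ver_lt() {
    a=$1; b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}
        if [ "$a" = "$x" ]; then a=; else a=${a#*.}; fi
        if [ "$b" = "$y" ]; then b=; else b=${b#*.}; fi
        [ "${x:-0}" -lt "${y:-0}" ] && return 0
        [ "${x:-0}" -gt "${y:-0}" ] && return 1
    done
    return 1
}

# parse_version: read `tmsh show sys version` output on stdin.
parse_version() { awk '$1 == "Version" { print $2; exit }'; }

# assess VERSION: print a verdict for one version string.
assess() {
    case "$1" in ''|*[!0-9.]*) echo "UNPARSED"; return 0 ;; esac
    fixed=$(fixed_for "$(echo "$1" | cut -d. -f1,2)") ||
        { echo "UNLISTED $1"; return 0; }
    if ver_lt "$1" "$fixed"; then
        echo "VULNERABLE $1 (fixed in $fixed)"
    else
        echo "OK $1 (>= $fixed)"
    fi
}

# Constructed sample; on a device: assess "$(tmsh show sys version | parse_version)"
SAMPLE='Sys::Version
Main Package
  Product     BIG-IP
  Version     16.1.3
  Build       0.0.12'
assess "$(printf '%s\n' "$SAMPLE" | parse_version)"
```

`UNLISTED` means the branch is not one of the five this page names, so the result says nothing either way about that release.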