
F5: F5 BIG-IP: Authentication Bypass via TMUI Request Smuggling

CVE-2023-46747 · Critical · Published
CVSS: 9.8 Critical · Network · No privileges required
EPSS: 0.94436 (94.4% chance of exploit in 30 days)
CWE: CWE-288 Authentication Bypass Using an Alternate Path or Channel
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Summary

Per NVD: “Undisclosed requests may bypass configuration utility authentication, allowing an attacker with network access to the BIG-IP system through the management port and/or self IP addresses to execute arbitrary system commands.” Per Praetorian’s blog: “we were able to identify an authentication bypass issue that led to complete compromise of an F5 system with the Traffic Management User Interface (TMUI) exposed. The bypass was assigned CVE-2023-46747, and is closely related to CVE-2022-26377. Like our recently reported Qlik RCE, the F5 vulnerability was also a request smuggling issue.”

Affected Packages / Versions

  • Package: F5 BIG-IP (—)
  • Latest published version at triage time: Per NVD: F5 BIG-IP versions earlier than the October 2023 hotfix
  • Affected range: Per NVD: F5 BIG-IP versions earlier than the October 2023 hotfix; End-of-Technical-Support versions are not evaluated by F5.
  • Patched version: F5 October 2023 cumulative hotfix (per F5 K000137353; full version table on F5's article — JS-rendered at fetch time)

Impact

Per NVD’s text the primitive is “execute arbitrary system commands” once authentication is bypassed. Praetorian’s blog frames the outcome as “complete compromise of an F5 system.” Listed in CISA’s Known Exploited Vulnerabilities Catalog.

Severity Rationale

NVD CVSS 9.8 (Critical): network attack vector, low attack complexity, no privileges or user interaction required, high confidentiality, integrity and availability impact.

Fix

Per F5 K000137353 (October 26, 2023) and NVD: apply the F5 October 2023 hotfix. Praetorian’s blog adds: “Update October 30th, 2023: The Project Discovery team released the proof of concept on Github,” increasing exploitation pressure for unpatched estates.

Disclosure timeline

  • TBD: Reported to vendor
  • Oct 26, 2023: Patch released (F5 K000137353)
  • Oct 26, 2023: Public disclosure

Fix Commit(s)

References

Discovered by Praetorian Labs · Published April 29, 2026