
Active Exploitation of Critical Security Flaws in F5's BIG-IP Software (CVE-2023-46747)

November 27, 2023 · 5 min read · Maverc Threat Research · Threat Advisory

An unauthenticated attacker with network access to BIG-IP's management plane can execute arbitrary system commands. Restrict access and patch immediately.

CVE-2023-46747 is a critical authentication bypass and remote code execution vulnerability in F5 BIG-IP's Traffic Management User Interface (TMUI). It allows an unauthenticated attacker with network access to the BIG-IP management port or self IP addresses to execute arbitrary system commands. There is no data plane exposure — this is a control plane issue only — but the impact on a compromised load balancer is severe.

What to Do Now

  • Apply the F5 hotfix or upgrade to a fixed engineering build immediately.
  • Ensure the management port and self IPs are not exposed to the internet or untrusted networks. F5 has long recommended this; the CVE is a hard reminder.
  • Audit TMUI access logs for unexpected POST requests to the relevant endpoints.
  • If exposure to attackers is suspected, treat the device as compromised: rebuild from known-good images and rotate all secrets that the device touched.
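
One way to run the log audit from the list above, as an added example that is not part of the original advisory and is not F5 code. It assumes Apache common/combined access-log lines; the `audit` function, the `/EXAMPLE-TMUI-ENDPOINT/` prefix (a placeholder for the endpoints named in F5's advisory) and the `10.20.30.0/28` bastion network are all hypothetical, and the sample log lines are constructed.

```python
import ipaddress
import re
from urllib.parse import unquote

# Assumption: Apache common/combined access-log format. Adjust the regex to
# the format the appliance's web server actually writes.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)
# Placeholder: replace with the TMUI endpoints named in F5's advisory.
WATCHED_PREFIXES = ("/EXAMPLE-TMUI-ENDPOINT/",)
# Assumption: the only network allowed to reach the management interface.
TRUSTED_NETS = [ipaddress.ip_network("10.20.30.0/28")]

SAMPLE = [  # constructed log lines, not real traffic
    '10.20.30.5 - admin [27/Nov/2023:09:14:02 +0000] "POST /EXAMPLE-TMUI-ENDPOINT/login HTTP/1.1" 200 512',
    '203.0.113.77 - - [27/Nov/2023:09:15:40 +0000] "POST /EXAMPLE-TMUI-ENDPOINT/login?x=1 HTTP/1.1" 200 1337',
    '203.0.113.77 - - [27/Nov/2023:09:15:41 +0000] "GET /EXAMPLE-TMUI-ENDPOINT/login HTTP/1.1" 200 900',
    'truncated line without a request field',
]


def audit(lines, watched=WATCHED_PREFIXES, trusted=TRUSTED_NETS):
    """Return (findings, unparsed): POSTs to watched paths from untrusted sources."""
    findings, unparsed = [], []
    for n, line in enumerate(lines, 1):
        m = LOG_RE.match(line)
        if not m:
            unparsed.append(n)  # never drop lines silently; review them by hand
            continue
        if m["method"] != "POST":
            continue
        # Strip the query string and percent-decode before comparing prefixes.
        path = unquote(m["path"].split("?", 1)[0])
        if not path.startswith(tuple(watched)):
            continue
        try:
            src = ipaddress.ip_address(m["src"])
        except ValueError:
            src = None  # hostname or garbage in the client field: untrusted
        if src is None or not any(src in net for net in trusted):
            findings.append((n, m["ts"], m["src"], path, int(m["status"])))
    return findings, unparsed


if __name__ == "__main__":
    for finding in audit(SAMPLE)[0]:
        print(finding)
```

Run it against logs shipped off the device where possible, since an attacker with command execution on the appliance can edit local logs.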

Edge appliances continue to be a primary initial-access vector for ransomware crews. Management interfaces should be reachable only from a hardened bastion or out-of-band network.