How to Fix CVE-2023-46747: F5 BIG-IP Configuration Utility Authentication Bypass
*By Sai Kiran Pandrala*
| Severity | CVSS 9.8, Critical |
|---|---|
| Actively exploited? | Yes, listed in CISA KEV |
| Affected | F5 BIG-IP 17.1.0, 16.1.0–16.1.4, 15.1.0–15.1.10, 14.1.0, 14.1.5, 13.1.0, 13.1.5 |
| Fixed in | BIG-IP 17.1.0.3, 16.1.4.1, 15.1.10.2, 14.1.5.6, 13.1.5.1 (and later) per F5 K000137353 |
| Type (CWE) | Authentication Bypass |
⚠️ Lock down TMUI immediately. The configuration utility (TMUI) should never have been internet-reachable. If yours was, treat it as compromised.
What is CVE-2023-46747?
The F5 BIG-IP Configuration Utility (TMUI, Traffic Management User Interface) has an authentication bypass flaw. An unauthenticated remote attacker can send specially crafted requests that bypass the authentication check and reach administrative functionality, including command execution as root on the BIG-IP system.
BIG-IP sits at the perimeter as a load balancer, WAF, and SSL terminator. Root on a BIG-IP gives the attacker every TLS private key the device terminates, every backend health-check credential, every captured authentication cookie passing through the LTM virtual servers, and the ability to redirect traffic at will.
The CVE was disclosed in October 2023 with a public PoC available within days. CISA added it to KEV soon after.
Am I affected?
You are affected if you run F5 BIG-IP TMOS at any of:
- 17.1.0 (with no later hotfix)
- 16.1.0 through 16.1.4
- 15.1.0 through 15.1.10
- 14.1.0 through 14.1.5
- 13.1.0 through 13.1.5
Check your TMOS version:
```shell
tmsh show /sys version
```
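To check a fleet of units against the affected/fixed table at the top of this page without reading each one by eye, here is an added Python triage script (not F5's code and not from the K-article) that parses `tmsh show sys version` output and reports whether the build is affected, fixed, or on a train the table does not list. The sample tmsh output is constructed, and the Engineering Hotfix handling is an assumption.

```python
# Triage a BIG-IP against CVE-2023-46747 from `tmsh show sys version` output. Added example,
# not F5's code; FIXED_IN is taken from the advisory table on this page, the sample is constructed.
import re

# Fixed-in build per affected TMOS train; everything on a listed train below it is affected.
FIXED_IN = {
    (17, 1): (17, 1, 0, 3),
    (16, 1): (16, 1, 4, 1),
    (15, 1): (15, 1, 10, 2),
    (14, 1): (14, 1, 5, 6),
    (13, 1): (13, 1, 5, 1),
}

def parse_version(s):
    """'16.1.3' -> (16, 1, 3, 0): pad to four fields so point releases compare properly."""
    parts = tuple(int(p) for p in s.strip().split("."))
    return parts + (0,) * (4 - len(parts))

def parse_tmsh_show_sys_version(text):
    """Pull the Version and Edition values out of `tmsh show sys version` output."""
    fields = {}
    for key in ("Version", "Edition"):
        m = re.search(r"^\s*%s\s+(.+?)\s*$" % key, text, re.MULTILINE)
        fields[key.lower()] = m.group(1) if m else ""
    return fields

def assess(version, edition=""):
    """Return 'fixed', 'affected', 'verify-hotfix' or 'not-listed'."""
    v = parse_version(version)
    fixed = FIXED_IN.get(v[:2])
    if fixed is None:
        return "not-listed"     # train absent from the table: check K000137353 directly
    if v >= fixed:
        return "fixed"
    # Assumption: an engineering hotfix can report the base version with an
    # "Engineering Hotfix" edition, so its build must be checked against the K-article.
    if "engineering hotfix" in edition.lower():
        return "verify-hotfix"
    return "affected"

def triage(tmsh_output):
    """Classify a unit straight from its `tmsh show sys version` text."""
    f = parse_tmsh_show_sys_version(tmsh_output)
    return assess(f["version"], f["edition"])

# Constructed sample of `tmsh show sys version` on an unpatched 16.1 unit.
SAMPLE = """Sys::Version
Main Package
  Version     16.1.3
  Edition     Final
"""
```

Run it against `tmsh show sys version` captured from each unit; anything that returns `affected` goes on the hotfix list, and `verify-hotfix` means compare the installed build number against the K-article by hand.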
How to fix CVE-2023-46747
- Open F5 K-article K000137353 linked below for the exact engineering hotfix per train.
- Download the patched TMOS build from F5 Downloads (under MyF5 with your support contract).
- For HA pairs: install the hotfix on the standby first via System → Software Management → Image List → Install, set the boot location, reboot, fail over, and repeat on the formerly active unit.
- Verify the build with `tmsh show /sys version`.
F5 also provided a shell script in the K-article that disables vulnerable TMUI handlers without a full hotfix install, useful as bridge mitigation while you schedule the hotfix maintenance window. The script is documented in K000137353.
Upgrade BIG-IP to the patched release
```shell
# Confirm the running version
tmsh show sys version
# Download the patched image from the F5 advisory: https://my.f5.com/manage/s/article/K000137353
# Back up the current configuration (UCS archive) before installing anything
tmsh save sys ucs /var/local/ucs/pre-patch.ucs
# Install the patched image into the inactive boot volume (HD1.2 here; adjust to your unit)
tmsh install sys software image BIGIP-<patched-version>.iso volume HD1.2
# Mark the new volume active and reboot into it
tmsh modify sys software volume HD1.2 active
reboot
# Post-reboot: confirm the patched version is running
tmsh show sys version
```
Verify the fix landed
```shell
# 1. Confirm the running version matches the fixed-in version from the advisory:
#    https://my.f5.com/manage/s/article/K000137353
#    Use `tmsh show sys version` as shown above.
# 2. Re-scan with your vulnerability scanner (Nessus, Qualys, Tenable, OpenVAS).
#    The scanner should no longer flag CVE-2023-46747 on the patched target.
# 3. Inspect recent service / kernel logs for crash loops or rollback events.
journalctl -u <service> --since "10 minutes ago"
dmesg --since "10 minutes ago"
```
If you can't patch immediately
Apply the F5-provided mitigation script from the K-article. It blocks the specific vulnerable handler paths in TMUI without requiring a hotfix install or reboot.
Additionally:
- Restrict TMUI access to a small management network at the perimeter firewall.
- Disable TMUI on the data-path self-IPs entirely if you do not need it there (set self-IP port lockdown to "Allow None" or a specific port list excluding 443/8443).
These are bridge controls. The hotfix is the only full remediation.
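As an added example, not F5's code, the following Python script audits which self-IPs would still accept TMUI traffic by parsing `tmsh list net self allow-service` output, so the port lockdown change above can be checked across every self-IP at once. The output format, the TMUI service names, and the sample configuration are assumptions.

```python
# Audit BIG-IP self-IP port lockdown for TMUI exposure. Added example, not F5's code:
# parses `tmsh list net self allow-service` output (format assumed; sample constructed).
import re

# Assumption: TMUI answers on HTTPS (443) and 8443 on any self-IP that allows them;
# "all" allows everything and F5's "default" port lockdown list includes TCP 443.
TMUI_SERVICES = {"tcp:https", "tcp:443", "tcp:8443"}

def parse_allow_service(text):
    """Map self-IP name -> 'all' | 'none' | 'default' | set of 'proto:port' entries."""
    result = {}
    for name, body in re.findall(r"^net self (\S+) \{(.*?)^\}", text, re.S | re.M):
        m = re.search(r"allow-service\s+(?:\{(.*?)\}|(\S+))", body, re.S)
        if m is None:
            result[name] = "unspecified"   # not shown: flag for manual review
        elif m.group(1) is not None:
            result[name] = set(m.group(1).split())
        else:
            result[name] = m.group(2)
    return result

def exposes_tmui(setting):
    """True when the port lockdown setting would still let TMUI traffic in."""
    if setting == "none":
        return False
    if isinstance(setting, set):
        return bool(setting & TMUI_SERVICES)
    return True   # "all", "default" (includes 443) and unspecified all need attention

def audit(text):
    """Sorted names of self-IPs whose lockdown still reaches TMUI."""
    return sorted(n for n, s in parse_allow_service(text).items() if exposes_tmui(s))

# Constructed sample of `tmsh list net self allow-service` output.
SAMPLE = """net self ext-self {
    allow-service all
}
net self mgmt-self {
    allow-service { tcp:ssh tcp:https }
}
net self internal-self {
    allow-service default
}
net self locked-self {
    allow-service none
}
"""

if __name__ == "__main__":
    print("TMUI reachable on:", ", ".join(audit(SAMPLE)))   # ext-self, internal-self, mgmt-self
```

A self-IP on the management network that legitimately needs HTTPS will still be listed; the point is that every data-path self-IP should come back either absent or set to "none".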
How to verify the fix worked
- `tmsh show /sys version` shows the patched build.
- Run a vulnerability scan against the TMUI URL; CVE-2023-46747 detection should clear.
- IoC hunt: review TMUI access logs for unauthenticated requests to TMUI endpoints between October 2023 and your patch date. Investigate any unfamiliar admin accounts or BIG-IP configuration changes from that window.
Frequently asked questions
Is CVE-2023-46747 actively exploited?
Yes. CVE-2023-46747 is on the CISA Known Exploited Vulnerabilities catalog, so federal civilian agencies are required to patch on the published deadline. Most enterprises treat the same date as the practical floor.
What is the CVSS severity of CVE-2023-46747?
Critical (CVSS 9.8). See the advisory for the full CVSS vector.
Where can I read the official advisory?
See https://my.f5.com/manage/s/article/K000137353
Does the patch require a reboot?
For the hotfix or image install, yes: the unit boots into the newly installed software volume, so plan a maintenance window (on HA pairs, patch the standby first and fail over, as described above). The F5 mitigation script from the K-article applies without a reboot. Check the release notes in the K-article for the exact post-upgrade steps.
References
- Official F5 K-article K000137353: https://my.f5.com/manage/s/article/K000137353
- NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-46747
- CISA KEV catalog entry: https://www.cisa.gov/known-exploited-vulnerabilities-catalog
*This guide was assembled from F5 K000137353, NVD record, and CISA KEV listing on 2026-05-25. Always confirm against F5's K-article before applying changes in production.*