CVE-2023-45226 HIGH

CVE-2023-45226: BIG-IP Next SPK SSH vulnerability

Vendor F5
Product BIG-IP Next SPK
Weakness CWE-798 · Hardcoded credentials
Published October 10, 2023
Last update September 18, 2024

CVSS base score

7.4/10
Attack vector Network
Attack complexity High
Privileges required None
User interaction None
Confidentiality High
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

What the vulnerability does

01 Description

The BIG-IP SPK TMM (Traffic Management Module) f5-debug-sidecar and f5-debug-sshd containers contain hardcoded credentials that may allow an attacker with the ability to intercept traffic to impersonate the SPK Secure Shell (SSH) server on those containers. This is only exposed when SSH debug is enabled. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

Key dates

02 Disclosure timeline

October 10, 2023 CVE published
September 18, 2024 Record updated