CVE-2023-46748 HIGH

CVE-2023-46748: BIG-IP Configuration utility authenticated SQL injection vulnerability

Vendor F5

Product BIG-IP

Weakness CWE-89 · SQLi

KEV Status Known Exploited

Published October 26, 2023

Last update October 21, 2025

View on NVD All CVEs

CVSS base score

8.8/10

Attack vector Network

Attack complexity Low

Privileges required Low

User interaction None

Confidentiality High

Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

What the vulnerability does

01Description

An authenticated SQL injection vulnerability exists in the BIG-IP Configuration utility which may allow an authenticated attacker with network access to the Configuration utility through the BIG-IP management port and/or self IP addresses to execute arbitrary system commands. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated

CISA mandated remediation

02CISA Required Action

Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

Key dates

03Disclosure timeline

October 26, 2023 CVE published

October 21, 2025 Record updated

External resources

04References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2023-46748 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/89.html CISA KEV Reference https://my.f5.com/manage/s/article/K000137365 CISA KEV Reference https://nvd.nist.gov/vuln/detail/CVE-2023-46748

Related vulnerabilities

Identifiers

CVE CVE-2023-46748

CWE CWE-89

CVSS 8.8 / HIGH

Affected versions

Vendor F5

Product BIG-IP

Affected ≥ 17.1.0 and < *

Vendor F5

Product BIG-IP

Affected ≥ 16.1.0 and < *

Vendor F5

Product BIG-IP

Affected ≥ 15.1.0 and < *

Vendor F5

Product BIG-IP

Affected ≥ 14.1.0 and < *

Vendor F5

Product BIG-IP

Affected ≥ 13.1.0 and < *

CVE-2023-46748: BIG-IP Configuration utility authenticated SQL injection vulnerability

01Description

02CISA Required Action

03Disclosure timeline

04References

05Related CVE