
F5 BIG-IP Configuration Utility Unauthenticated RCE

27th October 2023


F5 has announced a Critical severity vulnerability in the F5 BIG-IP Configuration Utility. CVE-2023-46747 (CVSS 3.1: 9.8) is an Unauthenticated Remote Code Execution vulnerability which may allow an unauthenticated attacker with network access to the BIG-IP system through the management port and/or self IP addresses to execute arbitrary system commands. There is no data plane exposure; this is a control plane issue only.

F5 has released patches as listed below for affected products and also details a workaround in its bulletin.

Affected Products

  • 17.1.0 (Fixed in + Hotfix-BIGIP-
  • 16.1.0 – 16.1.4 (Fixed in + Hotfix-BIGIP-
  • 15.1.0 – 15.1.10 (Fixed in + Hotfix-BIGIP-
  • 14.1.0 – 14.1.5 (Fixed in + Hotfix-BIGIP-
  • 13.1.0 – 13.1.5 (Fixed in + Hotfix-BIGIP-

You can also use iHealth to diagnose a vulnerability for BIG-IP and BIG-IQ systems.


Due to the Critical severity of this vulnerability and the key importance of BIG-IP, organisations are advised to patch affected systems as soon as possible.