■■■■■ Zero-Day: CVE-2023-46747 (score 9.8): an unauthenticated remote code execution vulnerability reached via a side channel from the management interface (Traffic Management User Interface, TMUI). It is closely related to CVE-2022-26377, an HTTP request smuggling vulnerability.
F5 has alerted customers to a critical security vulnerability in BIG-IP that could allow an unauthenticated attacker to run arbitrary commands (remote code execution). It affects only the control plane, not the data plane.
Apparently the issue is at the management console: using HTTP request smuggling (HRS), requests reach the “backend” service, which assumes the “frontend” has already handled authentication.
https://www.praetorian.com/blog/refresh-compromising-f5-big-ip-with-request-smuggling-cve-2023-46747/
https://my.f5.com/manage/s/article/K000137353
https://thehackernews.com/2023/10/f5-issues-warning-big-ip-vulnerability.html
https://t.me/cKure/13108