October 27, 2023 at 11:13PM

■■■■■ Zero-Day: CVE-2023-46747 (Score 9.8), an unauthenticated remote code execution vulnerability via a side-channel from the management interface, the Traffic Management User Interface (TMUI). It is closely related to CVE-2022-26377, which is an HTTP request smuggling vulnerability.

F5 has alerted customers to a critical security vulnerability impacting BIG-IP that could result in unauthenticated remote code execution by running arbitrary commands. It affects only the control plane, not the data plane.

Apparently, the issue sits in the management console: using HTTP request smuggling (HRS), requests are sent to the “backend” service, which assumes the “frontend” has already handled authentication.
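The trust assumption described above can be modelled generically. The following is an added example, not F5 code and not taken from the advisory: it contrasts a backend that accepts any identity the request asserts with one that accepts an identity only when the frontend has bound it to the request with an HMAC. The header names, paths, key and request layout are all hypothetical.

```python
import hashlib
import hmac

# Hypothetical secret shared only by frontend and backend (constructed value).
SHARED_KEY = b"constructed-demo-key"


def identity_tag(user: str, method: str, path: str, body: bytes) -> str:
    """Tag the frontend attaches after it has authenticated `user`."""
    msg = "\n".join([user, method, path, hashlib.sha256(body).hexdigest()])
    return hmac.new(SHARED_KEY, msg.encode(), hashlib.sha256).hexdigest()


def backend_trusting(req: dict) -> bool:
    """Weak pattern: any request that names a user counts as authenticated."""
    return bool(req["headers"].get("X-Auth-User"))


def backend_verifying(req: dict) -> bool:
    """Hardened pattern: identity counts only with a valid frontend tag."""
    user = req["headers"].get("X-Auth-User", "")
    tag = req["headers"].get("X-Auth-Tag", "")
    if not user or not tag:
        return False
    expected = identity_tag(user, req["method"], req["path"], req["body"])
    return hmac.compare_digest(tag.encode(), expected.encode())


def forwarded_by_frontend(user, method, path, body=b""):
    """Constructed request as the frontend would emit it after login."""
    headers = {"X-Auth-User": user,
               "X-Auth-Tag": identity_tag(user, method, path, body)}
    return {"method": method, "path": path, "headers": headers, "body": body}


# Constructed request that reached the backend without frontend processing:
# it asserts an identity but cannot carry a valid tag.
UNVETTED = {"method": "POST", "path": "/admin/task", "body": b"{}",
            "headers": {"X-Auth-User": "admin"}}
LEGIT = forwarded_by_frontend("operator", "GET", "/status")
# A valid tag replayed against a different path must also be rejected.
REPLAYED = {**LEGIT, "path": "/admin/task"}

if __name__ == "__main__":
    for name, req in [("legit", LEGIT), ("unvetted", UNVETTED),
                      ("replayed", REPLAYED)]:
        print(name, backend_trusting(req), backend_verifying(req))
```

The verifying backend fails closed on any request the frontend did not process, which is the property the trusting backend lacks.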