F5 Urges Users to Patch Critical Remote Code Execution Flaw in BIG-IP
By: Austin Ukpebor - October 28, 2023 at 22:29:38
F5 Networks, a leading provider of network and application delivery services, has issued a security advisory warning users of a critical vulnerability in its BIG-IP configuration utility that could allow attackers to execute arbitrary system commands remotely without authentication.
The vulnerability, tracked as CVE-2023-46747, affects BIG-IP versions 13.1.0 to 17.1.0 and has a CVSS score of 9.8 out of 10, indicating a severe impact. The flaw resides in the Traffic Management User Interface (TMUI) component of the BIG-IP configuration utility, which is used to manage and monitor the device.
According to the advisory, an unauthenticated attacker can exploit the vulnerability by sending a specially crafted HTTP request to the TMUI endpoint on the management interface of the affected device. This could result in remote code execution with root privileges on the target system.
The vulnerability was discovered and reported by Michael Weber and Thomas Hendrickson of Praetorian, a cybersecurity consulting firm, on October 4, 2023. F5 acknowledged their contribution and published the advisory on October 26, 2023.
F5 has released hotfixes and a shell script for users to apply as soon as possible to mitigate the risk of exploitation. The company also recommends restricting access to the management interface of the BIG-IP device to trusted networks and using firewall rules to block unauthorized requests.
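To turn the affected range and the management-interface advice above into a patch-priority list, the following added example (not code from F5 or from the original article) triages a device inventory in Python. The inventory records, hostnames and trusted networks are constructed assumptions, and the range is the one stated in this article; a bare version string does not show whether a hotfix is installed, so a match means "needs review".

```python
import ipaddress

# Affected range as stated in the article (inclusive).
AFFECTED_MIN, AFFECTED_MAX = (13, 1, 0), (17, 1, 0)
# Assumption: networks this organisation trusts for management access.
TRUSTED_NETS = [ipaddress.ip_network(n) for n in ("10.20.0.0/16", "192.168.50.0/24")]
# (in affected range, management exposed) -> action
ACTIONS = {(True, True): "patch-now-and-restrict", (True, False): "patch",
           (False, True): "restrict", (False, False): "ok"}

def parse_version(text):
    """Turn '16.1.4' or '17.1.0.3' into a 3-part tuple for comparison."""
    parts = [int(p) for p in text.strip().split(".")[:3]]
    return tuple(parts + [0] * (3 - len(parts)))

def in_affected_range(version):
    return AFFECTED_MIN <= parse_version(version) <= AFFECTED_MAX

def mgmt_exposed(allow_list):
    """True if any allowed source network lies outside every trusted network."""
    for entry in allow_list:
        net = ipaddress.ip_network(entry, strict=False)
        # subnet_of() raises on mixed IPv4/IPv6, so compare versions first.
        if not any(net.version == t.version and net.subnet_of(t) for t in TRUSTED_NETS):
            return True
    return False

def triage(inventory):
    """Map each hostname to the action its version and exposure call for."""
    return {d["host"]: ACTIONS[(in_affected_range(d["version"]),
                                mgmt_exposed(d["mgmt_allow"]))]
            for d in inventory}

# Constructed sample inventory (hypothetical hosts and allow-lists).
INVENTORY = [
    {"host": "lb-edge-01", "version": "16.1.4", "mgmt_allow": ["0.0.0.0/0"]},
    {"host": "lb-core-02", "version": "15.1.10", "mgmt_allow": ["10.20.5.0/24"]},
    {"host": "lb-lab-03", "version": "12.1.6", "mgmt_allow": ["203.0.113.0/24"]},
    {"host": "lb-dr-04", "version": "17.1.1", "mgmt_allow": ["192.168.50.10/32"]},
]

if __name__ == "__main__":
    for host, action in triage(INVENTORY).items():
        print(f"{host}: {action}")
```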
The vulnerability is closely related to another authentication bypass issue in the BIG-IP iControl REST API, CVE-2022-26377, which F5 disclosed in September 2023. Both vulnerabilities stem from improper input validation and sanitization in the TMUI component.
This is not the first time serious security flaws have plagued F5's BIG-IP devices. In July 2020, F5 patched CVE-2020-5902, a similar remote code execution vulnerability in the TMUI component that threat actors actively exploited. In January 2022, F5 fixed CVE-2022-1388, another remote code execution flaw in the TMUI component that was also exploited in the wild.
F5's BIG-IP devices are widely used by enterprises, governments, and service providers to optimize network performance and security. The devices handle sensitive data and traffic for applications such as web servers, databases, firewalls, load balancers, and VPNs. Therefore, any vulnerability in these devices could pose a severe threat to the confidentiality, integrity, and availability of the network and its services.