CVE-2023-46748: 
F5 BIG-IP Advanced Firewall Manager vulnerability analysis and mitigation

An authenticated SQL injection vulnerability (CVE-2023-46748) exists in the BIG-IP Configuration utility. The vulnerability was disclosed on October 26, 2023, and affects multiple versions of F5's BIG-IP products including versions 13.1.0-13.1.5, 14.1.0-14.1.5, 15.1.0-15.1.10, 16.1.0-16.1.4, and 17.1.0-17.1.1 (NVD).

The vulnerability has been assigned a CVSS v3.1 base score of 8.8 (High) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. The vulnerability is classified as CWE-89 (SQL Injection) and requires low privileges and no user interaction to exploit. The attack vector is network-based, allowing authenticated attackers with network access to the Configuration utility through the BIG-IP management port and/or self IP addresses to execute arbitrary system commands (NVD).

If successfully exploited, this vulnerability allows an authenticated attacker to execute arbitrary system commands through SQL injection in the BIG-IP Configuration utility. The vulnerability affects confidentiality, integrity, and availability of the system, all rated as High impact according to the CVSS scoring (NVD).

Organizations are required to patch affected systems according to CISA's Known Exploited Vulnerabilities (KEV) catalog directive by November 21, 2023. F5 has released patches for the affected versions, and organizations are strongly advised to apply these security updates immediately (CISA Alert).