DETECTION OVERVIEW

F5 BIG-IP Exploit Attempt - CVE-2023-46747

Risk Factors

F5 BIG-IP devices are typically internet-facing, and this vulnerability has been exploited by threat actors. Public exploit code is available, enabling unauthenticated attackers to gain full administrator privileges, take control of a BIG-IP device, and launch additional attacks on the network.

Category

Exploitation

Attack Background

BIG-IP is a collection of hardware and software solutions that direct traffic across a network. BIG-IP appliances provide a Configuration Utility web interface known as the Traffic Management User Interface (TMUI). TMUI forwards HTTP requests over the Apache JServ Protocol (AJP). A request smuggling vulnerability in the TMUI causes HTTP requests sent between an Apache HTTP front-end server and an AJP back-end server to be mishandled, leading to authentication bypass.

To exploit this vulnerability, the attacker creates an HTTP POST request with a manipulated Transfer-Encoding header, a malicious AJP message in the POST body, and a URL with /tmui/login.jsp. The TMUI forwards the POST request and the smuggled AJP message to the back-end server for processing, and the back-end server interprets the AJP message in the POST body as another forwarded POST request. After a successful exploit, the attacker can chain together multiple requests to eventually send an HTTP POST request to the /mgmt/tm/util/bash endpoint, which leads to remote code execution.
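The request pattern described above can be looked for in HTTP metadata from a proxy or network sensor. The following is an added example, not ExtraHop's detection logic and not code from the original page. The event fields, the 600-second correlation window, and the rule that any Transfer-Encoding value other than a single "chunked" counts as manipulated are assumptions.

```python
from urllib.parse import urlsplit

LOGIN_PATH = "/tmui/login.jsp"        # URL named in the write-up
BASH_PATH = "/mgmt/tm/util/bash"      # endpoint named in the write-up
WINDOW_SECONDS = 600                  # assumed correlation window

def te_is_abnormal(headers):
    """True when Transfer-Encoding is present and is not exactly one 'chunked'."""
    values = [v for k, v in headers if k.lower() == "transfer-encoding"]
    if not values:
        return False
    codings = [c.strip().lower() for v in values for c in v.split(",")]
    return codings != ["chunked"]

def detect(events):
    """Return (ts, client, finding) tuples for a list of HTTP request events."""
    findings, suspects = [], {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["method"].upper() != "POST":
            continue
        path = urlsplit(ev["uri"]).path.lower()
        if path == LOGIN_PATH and te_is_abnormal(ev["headers"]):
            # Remember the client so a later bash-endpoint POST can be correlated.
            suspects[ev["client"]] = ev["ts"]
            findings.append((ev["ts"], ev["client"], "smuggling-attempt"))
        elif path == BASH_PATH:
            first = suspects.get(ev["client"])
            if first is not None and ev["ts"] - first <= WINDOW_SECONDS:
                findings.append((ev["ts"], ev["client"], "bash-endpoint-after-attempt"))
    return findings

# Constructed sample events (documentation IP ranges), not captured traffic.
SAMPLE = [
    {"ts": 100, "client": "198.51.100.7", "method": "POST", "uri": "/tmui/login.jsp",
     "headers": [("Content-Type", "application/x-www-form-urlencoded")]},
    {"ts": 200, "client": "203.0.113.9", "method": "POST", "uri": "/tmui/login.jsp",
     "headers": [("Transfer-Encoding", "chunked"), ("Transfer-Encoding", "identity")]},
    {"ts": 260, "client": "203.0.113.9", "method": "POST", "uri": "/mgmt/tm/util/bash",
     "headers": [("Content-Type", "application/json")]},
    {"ts": 300, "client": "192.0.2.15", "method": "POST", "uri": "/mgmt/tm/util/bash",
     "headers": [("Content-Type", "application/json")]},
]

if __name__ == "__main__":
    for finding in detect(SAMPLE):
        print(finding)
```

A POST to the bash endpoint on its own is not flagged here because administrators may use it legitimately; only the sequence from the same client is reported.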

Mitigation Options

Apply the relevant patch
Restrict access to the Configuration Utility to only trusted users and devices over a secure network

MITRE ATT&CK ID
