Rule History

alert http $HOME_NET any -> any any (msg:"ET EXPLOIT F5 BIG-IP - Successful Password Reset Attempt - Observed Post CVE-2023-46747 Activity"; flow:established,to_client; flowbits:isset,ET.CVE-2023-46747.pw.request; http.stat_code; content:"200"; http.response_body; content:"/mgmt/tm/auth/user/"; content:"|22|description|22|"; content:"|22|encryptedPassword|22|"; content:"|22|role|22|"; reference:url,packetstormsecurity.com/files/175673/F5-BIG-IP-TMUI-AJP-Smuggling-Remote-Command-Execution.html; classtype:successful-admin; sid:2049258; rev:3; metadata:attack_target Networking_Equipment, created_at 2023_11_20, deployment Perimeter, deployment SSLDecrypt, performance_impact Low, confidence High, signature_severity Critical, tag CISA_KEV, updated_at 2026_01_20; target:src_ip;)