alert http any any -> $HOME_NET any (msg:"ET INFO F5 BIG-IP - Password Reset Attempt - Observed Post CVE-2023-46747 Activity"; flow:established,to_server; flowbits:set,ET.CVE-2023-46747.pw.request; http.method; content:"PATCH"; http.uri; content:"/mgmt/tm/auth/user/"; startswith; fast_pattern; http.request_body; content:"|22|password|22|"; reference:url,packetstormsecurity.com/files/175673/F5-BIG-IP-TMUI-AJP-Smuggling-Remote-Command-Execution.html; classtype:attempted-admin; sid:2049257; rev:1; metadata:affected_product F5, attack_target Networking_Equipment, created_at 2023_11_20, deployment Perimeter, deployment SSLDecrypt, former_category INFO, performance_impact Low, confidence High, signature_severity Informational, updated_at 2023_11_20; target:dest_ip;)
| Metadata | |
|---|
| affected_product | F5 |
| attack_target | Networking_Equipment |
| created_at | 2023_11_20 |
| deployment | Perimeter |
| deployment | SSLDecrypt |
| former_category | INFO |
| performance_impact | Low |
| confidence | High |
| signature_severity | Informational |
| updated_at | 2023_11_20 |