F5 Patches Critical BIG-IP, NGINX Vulnerabilities Related
F5’s February 2026 Quarterly Security Notification, released on February 4, details several medium and low-severity CVEs. The bulletin also outlines a security exposure impacting BIG-IP, NGINX,...
F5’s February 2026 Quarterly Security Notification, released on February 4, details several medium and low-severity CVEs. The bulletin also outlines a security exposure impacting BIG-IP, NGINX, and container services.
These issues primarily stem from denial-of-service (DoS) risks and configuration weaknesses, potentially disrupting high-traffic environments like web application firewalls (WAF) and Kubernetes ingress.
While no active exploits are reported, prompt patching is urged for internet-facing deployments to mitigate DoS chains or unauthorized access.
F5 provides CVSS v3.1 and v4.0 scores for first-party issues, emphasizing attack vector, privileges, and impact. A live briefing video is available via DevCentral. Details link to F5’s knowledge base.
These three flaws pose moderate DoS threats, with CVSS scores up to 8.2 (v4.0). Attackers could overwhelm services remotely.
| Article (CVE) | CVSS v3.1 / v4.0 | Affected Products | Affected Versions | Fixes Introduced In |
|---|---|---|---|---|
| K000158072: BIG-IP Advanced WAF/ASM (CVE-2026-22548) | 5.9 / 8.2 | BIG-IP Advanced WAF/ASM | 17.1.0 – 17.1.2 | 17.1.3 |
| K000159824: NGINX (CVE-2026-1642) | 5.9 / 8.2 | NGINX Plus (R32-R36 P1), Open Source (1.3.0-1.29.4), Ingress Controller (5.3.0-5.3.2; 4.0.0-4.0.1; 3.4.0-3.7.1), Gateway Fabric (2.0.0-2.4.0; 1.2.0-1.6.2), Instance Manager (2.15.1-2.21.0) | R36 P2, R35 P1, R32 P4; 1.29.5, 1.28.2; None; None; None | |
| K000157960: BIG-IP CIS (CVE-2026-22549) | 4.9 / 6.9 | BIG-IP Container Ingress Services (Kubernetes/OpenShift) | 2.0.0-2.20.1; 1.0.0-1.14.0 | 2.20.2; 2.20.1 (Helm 0.0.363) |
Impact Assessment: CVE-2026-1642 affects the broadest NGINX ecosystem, enabling network-adjacent DoS via crafted requests. WAF/ASM and CIS flaws target F5’s containerized services, risking outages in hybrid clouds.
Lower-risk issues focus on local or adjacent attacks.
| Article (CVE) | CVSS v3.1 / v4.0 | Affected Products | Affected Versions | Fixes Introduced In |
|---|---|---|---|---|
| K000158931: BIG-IP Edge Client (CVE-2026-20730) | 3.3 / 2.0 | BIG-IP APM (21.0.0; 17.5.0-17.5.1; etc.); APM Clients | 17.1.3.13; 7.2.6.2 | 17.1.3.13, 7.2.6.2 |
| K000156644: BIG-IP Config Utility (CVE-2026-20732) | 3.1 / 2.3 | BIG-IP (all modules) | 17.5.1.4; 17.1.3.1 | 17.5.1.4 17.1.3.1 |
Notes: Edge Client requires Component Update enabled post-upgrade. Config utility flaw allows local privilege escalation.
Security Exposures
| Article | Affected Products | Affected Versions | Fixes Introduced In |
|---|---|---|---|
| K000156643: BIG-IP SMTP Config | BIG-IP (all modules) | 21.0.0; 17.5.0-17.5.1; etc. | 21.0.0.1; 17.5.1.4; 17.1.3.1 |
This exposure risks SMTP misconfigurations leading to relay abuse.
Prioritize medium CVEs in NGINX-heavy setups. Scan for affected versions (pre-EoTS only), apply fixes via iHealth or Helm for CIS. Test in staging to avoid disruptions. Monitor the Medium, Low, and Exposures pages. F5’s CVSS v4.0 shift aids precise risk scoring, see K000140363.
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.
No Comment! Be the first one.