F5 Networks has recently addressed several critical vulnerabilities across its product suite, including BIG-IP, NGINX, and related services. These security flaws, primarily denial-of-service (DoS) risks and configuration weaknesses, could disrupt high-traffic deployments such as web application firewalls (WAF) and Kubernetes ingress controllers. While no active exploitation has been reported, F5 strongly recommends prompt patching, especially for internet-facing deployments, to mitigate potential threats.
Denial-of-Service Vulnerabilities
Three notable vulnerabilities pose moderate DoS threats, with CVSS scores reaching up to 8.2 (v4.0). These flaws could allow remote attackers to overwhelm services, leading to significant disruptions.
1. BIG-IP Advanced WAF/ASM (CVE-2026-22548): This vulnerability affects versions 17.1.0 through 17.1.2 of BIG-IP Advanced WAF/ASM. F5 has introduced a fix in version 17.1.3.
2. NGINX (CVE-2026-1642): Impacting a broad range of NGINX products, including NGINX Plus (R32-R36 P1), Open Source versions (1.3.0-1.29.4), Ingress Controller (5.3.0-5.3.2; 4.0.0-4.0.1; 3.4.0-3.7.1), Gateway Fabric (2.0.0-2.4.0; 1.2.0-1.6.2), and Instance Manager (2.15.1-2.21.0). Fixes have been introduced in R36 P2, R35 P1, R32 P4; 1.29.5, 1.28.2; and other respective versions.
3. BIG-IP Container Ingress Services (CVE-2026-22549): This flaw affects versions 2.0.0 through 2.20.1 and 1.0.0 through 1.14.0 of BIG-IP Container Ingress Services for Kubernetes/OpenShift. The issue has been addressed in versions 2.20.2 and 2.20.1 (Helm 0.0.363).
Impact Assessment
CVE-2026-1642 is particularly concerning because of its broad reach across the NGINX ecosystem. It enables network-adjacent DoS attacks through crafted requests, potentially leading to service outages. The WAF/ASM and CIS flaws affect F5’s containerized services, raising the risk of outages in hybrid cloud environments.
Lower-Risk Issues
F5 has also identified lower-risk issues that focus on local or adjacent attacks:
1. BIG-IP Edge Client (CVE-2026-20730): This vulnerability affects BIG-IP APM versions 21.0.0; 17.5.0-17.5.1; and others, as well as APM Clients 17.1.3.13; 7.2.6.2. Fixes have been introduced in versions 17.1.3.1 and 7.2.6.2. Notably, the Edge Client requires the Component Update feature to be enabled post-upgrade.
2. BIG-IP Config Utility (CVE-2026-20732): Affecting all modules of BIG-IP versions 17.5.1.4 and 17.1.3.1, this flaw allows local privilege escalation. Fixes have been implemented in versions 17.5.1.4 and 17.1.3.1.
Security Exposures
An additional security exposure has been identified:
– BIG-IP SMTP Configuration: This exposure affects all modules of BIG-IP versions 21.0.0; 17.5.0-17.5.1; and others. It risks SMTP misconfigurations that could lead to relay abuse. Fixes have been introduced in versions 21.0.0.1; 17.5.1.4; and 17.1.3.1.
Recommendations
Organizations using F5 products should prioritize the medium-severity CVEs, especially in NGINX-heavy deployments. Inventory deployments for affected versions (only releases that have not reached End of Technical Support are evaluated and fixed), then apply the fixes (via iHealth, or via Helm for CIS). Test in a staging environment first to avoid disruptions, and monitor F5’s Medium, Low, and Exposures advisory pages for updates. F5’s adoption of CVSS v4.0 provides more precise risk scoring, aiding vulnerability management efforts.
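As an added example (not from the advisory or from F5), a small Python inventory check that encodes the affected ranges and fixed versions quoted above; the product keys, helper names and sample inventory are this example's own, and the R-numbered NGINX Plus releases are not modelled.

```python
"""Check installed versions against the affected ranges quoted in the article.

Ranges and fixed versions are copied from the text; product keys are this
example's own labels. NGINX Plus (R-numbered) releases are not modelled.
"""
import re

def parse(v):
    # "1.29.4" -> (1, 29, 4); tolerates packaging suffixes such as "1.29.4-1~bookworm"
    return tuple(int(x) for x in re.match(r"(\d+(?:\.\d+)*)", v).group(1).split("."))

# (product, CVE): (inclusive affected ranges, fixed versions named in the advisory)
ADVISORIES = {
    ("nginx-oss", "CVE-2026-1642"): ([("1.3.0", "1.29.4")], ["1.29.5", "1.28.2"]),
    ("nginx-ingress", "CVE-2026-1642"): ([("5.3.0", "5.3.2"), ("4.0.0", "4.0.1"),
                                          ("3.4.0", "3.7.1")], []),
    ("bigip-awaf", "CVE-2026-22548"): ([("17.1.0", "17.1.2")], ["17.1.3"]),
    ("bigip-cis", "CVE-2026-22549"): ([("2.0.0", "2.20.1"), ("1.0.0", "1.14.0")], ["2.20.2"]),
}

def is_affected(ranges, fixed, version):
    v = parse(version)
    # Upper bound is compared on its own depth so point builds like 17.1.2.1 still
    # count as inside "17.1.0-17.1.2".
    in_range = any(parse(lo) <= v and v[:len(parse(hi))] <= parse(hi) for lo, hi in ranges)
    # A fixed build on the same major.minor branch clears that build and later ones.
    patched = any(parse(f)[:2] == v[:2] and v >= parse(f) for f in fixed)
    return in_range and not patched

def affected_cves(product, version):
    return sorted({cve for (p, cve), (ranges, fixed) in ADVISORIES.items()
                   if p == product and is_affected(ranges, fixed, version)})

def scan(inventory):
    """inventory: iterable of (host, product, version). Returns hosts needing patches."""
    return {h: cves for h, p, v in inventory if (cves := affected_cves(p, v))}

if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    sample = [("web-01", "nginx-oss", "1.28.1"), ("web-02", "nginx-oss", "1.28.2"),
              ("k8s-ingress", "nginx-ingress", "3.6.0"), ("waf-01", "bigip-awaf", "17.1.3"),
              ("cis-ctl", "bigip-cis", "2.20.1")]
    for host, cves in scan(sample).items():
        print(host, ", ".join(cves))
```

Hosts on an affected branch with no fixed build listed (for example NGINX 1.27.x) are reported as affected, which matches the advisory's "upgrade to a fixed branch" guidance.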
Conclusion
F5 Networks’ proactive approach in identifying and patching these vulnerabilities underscores the importance of regular security assessments and timely updates. Organizations are urged to implement these patches promptly to safeguard their systems against potential exploits and ensure the integrity and availability of their services.