
These issues primarily stem from denial-of-service (DoS) risks and configuration weaknesses, potentially disrupting high-traffic environments like web application firewalls (WAF) and Kubernetes ingress.
While no active exploits are reported, prompt patching is urged for internet-facing deployments to mitigate DoS chains or unauthorized access.
F5 provides CVSS v3.1 and v4.0 scores for first-party issues, emphasizing attack vector, privileges, and impact. A live briefing video is available via DevCentral. Details link to F5’s knowledge base.
These three flaws are rated Medium under CVSS v3.1 (5.9 at most) but score up to 8.2, which is High, under CVSS v4.0. All three are denial-of-service issues: an attacker who can reach the affected service can exhaust it with crafted traffic.
| Article (CVE) | CVSS v3.1 / v4.0 | Affected Products | Affected Versions | Fixes Introduced In |
|---|---|---|---|---|
| K000158072: BIG-IP Advanced WAF/ASM (CVE-2026-22548) | 5.9 / 8.2 | BIG-IP Advanced WAF/ASM | 17.1.0 – 17.1.2 | 17.1.3 |
| K000159824: NGINX (CVE-2026-1642) | 5.9 / 8.2 | NGINX Plus; NGINX Open Source; NGINX Ingress Controller; NGINX Gateway Fabric; NGINX Instance Manager | Plus: R32 – R36 P1; Open Source: 1.3.0 – 1.29.4; Ingress Controller: 5.3.0 – 5.3.2, 4.0.0 – 4.0.1, 3.4.0 – 3.7.1; Gateway Fabric: 2.0.0 – 2.4.0, 1.2.0 – 1.6.2; Instance Manager: 2.15.1 – 2.21.0 | Plus: R36 P2, R35 P1, R32 P4; Open Source: 1.29.5, 1.28.2; Ingress Controller: none listed; Gateway Fabric: none listed; Instance Manager: none listed |
| K000157960: BIG-IP CIS (CVE-2026-22549) | 4.9 / 6.9 | BIG-IP Container Ingress Services (Kubernetes/OpenShift) | 2.0.0-2.20.1; 1.0.0-1.14.0 | 2.20.2; 2.20.1 (Helm 0.0.363) |
Impact Assessment: CVE-2026-1642 affects the broadest NGINX ecosystem, enabling network-adjacent DoS via crafted requests. WAF/ASM and CIS flaws target F5’s containerized services, risking outages in hybrid clouds.
Lower-risk issues focus on local or adjacent attacks.
| Article (CVE) | CVSS v3.1 / v4.0 | Affected Products | Affected Versions | Fixes Introduced In |
|---|---|---|---|---|
| K000158931: BIG-IP Edge Client (CVE-2026-20730) | 3.3 / 2.0 | BIG-IP APM; APM Clients (Edge Client) | 21.0.0; 17.5.0 – 17.5.1; etc. | 17.1.3.13; 7.2.6.2 |
| K000156644: BIG-IP Config Utility (CVE-2026-20732) | 3.1 / 2.3 | BIG-IP (all modules) | 17.5.1.4; 17.1.3.1 | 17.5.1.4; 17.1.3.1 |
Notes: the Edge Client fix only reaches endpoints if the Component Update setting is enabled after the server-side upgrade, so clients pull the updated component. The Configuration utility flaw allows local privilege escalation, which is why it scores Low: the attacker already needs an account on the box.
Security Exposures
| Article | Affected Products | Affected Versions | Fixes Introduced In |
|---|---|---|---|
| K000156643: BIG-IP SMTP Config | BIG-IP (all modules) | 21.0.0; 17.5.0-17.5.1; etc. | 21.0.0.1; 17.5.1.4; 17.1.3.1 |
This exposure risks SMTP misconfigurations leading to relay abuse.
Prioritize the Medium CVEs in NGINX-heavy setups. Inventory the versions you run and compare them against the affected ranges (F5 evaluates only versions that have not reached End of Technical Support); BIG-IP iHealth flags vulnerable BIG-IP versions but does not patch them, so upgrade BIG-IP to a fixed release, upgrade CIS via its Helm chart, and upgrade NGINX builds from the vendor repositories. Test in staging to avoid disruptions. Monitor the Medium, Low, and Exposures pages. F5's shift to CVSS v4.0 gives more precise risk scoring; see K000140363.
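The inventory comparison above is easy to get wrong by hand because F5 backports fixes into older branches: NGINX Open Source 1.28.2 and NGINX Plus R32 P4 both sit inside the listed affected ranges yet already carry the fix. The following is an added example, not code from F5 or from the original article: it encodes the ranges and fix releases from the two tables above and flags inventory entries that are still affected. The product keys (nginx-plus, nginx-oss, bigip-cis, ...), host names and inventory lines are constructed for illustration and are not F5 identifiers.

```python
"""Check an inventory of NGINX / BIG-IP component versions against the
affected ranges and fixed releases listed in the advisory tables above.

Added example, not F5's or the article's code. Version ranges are copied
from the tables on this page; product keys, host names and inventory
lines are constructed for illustration.
"""
import re
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, ...]

# Inclusive affected ranges per product, as listed in the tables.
AFFECTED: Dict[str, List[Tuple[str, str]]] = {
    "nginx-plus": [("R32", "R36 P1")],
    "nginx-oss": [("1.3.0", "1.29.4")],
    "nginx-ingress-controller": [("5.3.0", "5.3.2"), ("4.0.0", "4.0.1"), ("3.4.0", "3.7.1")],
    "nginx-gateway-fabric": [("2.0.0", "2.4.0"), ("1.2.0", "1.6.2")],
    "nginx-instance-manager": [("2.15.1", "2.21.0")],
    "bigip-cis": [("2.0.0", "2.20.1"), ("1.0.0", "1.14.0")],
    "bigip-awaf": [("17.1.0", "17.1.2")],
}

# Fixed releases per product, as listed in the tables. Products whose table
# entry lists no fix have no entry here.
FIXED: Dict[str, List[str]] = {
    "nginx-plus": ["R36 P2", "R35 P1", "R32 P4"],
    "nginx-oss": ["1.29.5", "1.28.2"],
    "bigip-cis": ["2.20.2"],
    "bigip-awaf": ["17.1.3"],
}

_PLUS = re.compile(r"^R(\d+)(?:\s*P(\d+))?$")


def parse(version: str) -> Version:
    """Parse 'R36 P1' -> (36, 1), 'R32' -> (32, 0), '1.29.4' -> (1, 29, 4)."""
    text = version.strip()
    m = _PLUS.match(text)
    if m:
        return (int(m.group(1)), int(m.group(2) or 0))
    if not re.fullmatch(r"\d+(\.\d+)*", text):
        raise ValueError(f"unrecognised version string: {version!r}")
    return tuple(int(part) for part in text.split("."))


def branch(v: Version) -> Version:
    """Release branch = every component except the last (R32, 1.28, 17.1)."""
    return v[:-1]


def fixed_in(product: str, v: Version) -> Optional[str]:
    """Return the listed same-branch fix that v already includes, if any.

    Backported fixes mean a version inside an affected range can still be
    patched, so a plain range test alone is not enough.
    """
    for fix in FIXED.get(product, []):
        f = parse(fix)
        if branch(f) == branch(v) and v >= f:
            return fix
    return None


def is_affected(product: str, version: str) -> bool:
    v = parse(version)
    if fixed_in(product, v):
        return False
    return any(parse(lo) <= v <= parse(hi) for lo, hi in AFFECTED.get(product, []))


def suggested_fix(product: str, version: str) -> Optional[str]:
    """Prefer the fix on the same branch; otherwise the newest listed fix."""
    v = parse(version)
    fixes = FIXED.get(product, [])
    same = [f for f in fixes if branch(parse(f)) == branch(v)]
    if same:
        return same[0]
    return max(fixes, key=parse) if fixes else None


def scan(inventory: List[str]) -> List[Tuple[str, str, str, Optional[str]]]:
    """Return (host, product, version, suggested_fix) for affected entries.

    Each inventory line is 'host,product,version'. A fix of None means the
    table lists no fixed release for that product yet.
    """
    hits = []
    for line in inventory:
        host, product, version = (field.strip() for field in line.split(","))
        if is_affected(product, version):
            hits.append((host, product, version, suggested_fix(product, version)))
    return hits


# Constructed sample inventory; not real hosts.
INVENTORY = [
    "edge-01,nginx-plus,R36 P1",
    "edge-02,nginx-plus,R36 P2",
    "edge-03,nginx-oss,1.28.2",
    "k8s-prod,nginx-ingress-controller,3.7.1",
    "k8s-prod,bigip-cis,2.20.1",
    "waf-01,bigip-awaf,17.1.3",
]

if __name__ == "__main__":
    for host, product, version, fix in scan(INVENTORY):
        print(f"{host}: {product} {version} affected; upgrade to {fix or 'no fix listed'}")
```

Feed it a CSV exported from your CMDB or from `nginx -v` / `tmsh show sys version` collection and review every entry whose suggested fix is None: those components (Ingress Controller, Gateway Fabric, Instance Manager) have no fixed release in the table, so they need a compensating control or a watch on the K000159824 article rather than an upgrade.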
The post F5 Patches Critical Vulnerabilities in BIG-IP, NGINX, and Related Products appeared first on Cyber Security News.
