F5 Patches Multiple Vulnerabilities in BIG-IP and NGINX Platform

EXECUTIVE SUMMARY:

F5 has released security patches addressing multiple vulnerabilities impacting its BIG-IP application delivery products, NGINX ecosystem, and related container ingress components. The flaws, identified in the vendors Quarterly Security Notification, include denial-of-service and traffic manipulation risks in BIG-IP Advanced WAF ASM and NGINX platforms that could be triggered by crafted requests to disrupt service availability or allow unauthorized response injection. Additionally, a misconfiguration in BIG-IP Container Ingress Services could expose Kubernetes cluster secrets due to excessive permissions, and issues affect Edge Clients and configuration utilities. These vulnerabilities, although not widely observed in active exploitation, pose substantive threats to enterprise perimeter defenses and containerized environments if left unpatched, and organizations running F5 delivery controllers, web application firewalls, and NGINX proxies should apply updates promptly and validate configurations to mitigate service outages or data exposure.[emaillocker id="1283"]

• CVE-2026-22548: It is a race-condition vulnerability in F5 BIG‑IP Advanced WAF ASM that can cause service disruption by terminating the bd process. It can be triggered remotely without authentication, impacting system availability. The flaw does not affect confidentiality or integrity but may lead to denial-of-service. The vulnerability has a CVSS score of 8.2.
• CVE‑2026‑1642: It is a vulnerability in NGINX OSS and NGINX Plus that allows a man-in-the-middle attacker to inject plain text into upstream TLS responses. It affects response integrity without directly impacting confidentiality or availability. Exploitation requires network access and specific upstream configurations. The vulnerability has a CVSS score of 8.2.
• CVE-2026-22549: It is a vulnerability in F5 BIG‑IP Container Ingress Services that may grant excessive permissions to read Kubernetes cluster secrets. Exploitation requires high privileges and can be invoked over the network, potentially exposing sensitive data. The flaw does not directly impact system integrity or availability. The vulnerability has a CVSS score of 6.9.
• CVE‑2026‑20730: It is a vulnerability in BIG‑IP Edge Client on Windows that may allow local attackers to access sensitive information. It requires low privileges and no user interaction. The flaw impacts confidentiality with minimal effect on integrity or availability. The vulnerability has a CVSS score of 3.3.
• CVE‑2026‑20732:  It is a vulnerability in a BIG‑IP configuration utility that can allow spoofed error messages in the management interface. Exploitation requires network access and user interaction. The flaw has minimal impact on integrity and no impact on confidentiality or availability. The vulnerability has a CVSS score of 3.1.

RECOMMENDATION:

We strongly recommend you update F5 products to below version:

• CVE-2026-22548: https://my.f5.com/manage/s/article/K000158072
• CVE-2026-1642: https://my.f5.com/manage/s/article/K000159824
• CVE-2026-22549: https://my.f5.com/manage/s/article/K000157960
• CVE-2026-20730: https://my.f5.com/manage/s/article/K000158931
• CVE-2026-20732: https://my.f5.com/manage/s/article/K000156644

REFERENCES:

The following reports contain further technical details:

https://cybersecuritynews.com/f5-patches-critical-vulnerabilities/