F5 released its Quarterly Security Notification, addressing multiple security flaws across its product ecosystem.
F5 rates the headline vulnerabilities only "Medium" under its own severity policy, but their CVSS v4.0 base score of 8.2 falls in the High band, and the components they affect sit directly in the request path of enterprise applications.
The advisory highlights three specific CVEs impacting BIG-IP Advanced WAF, NGINX Plus, and BIG-IP Container Ingress Services.
Security teams are advised to prioritize patching these components immediately, as they serve as critical entry points for application traffic.
Technical Analysis
BIG-IP Advanced WAF and ASM (CVE-2026-22548)
The most significant issue for BIG-IP appliances affects the Advanced Web Application Firewall (WAF) and Application Security Manager (ASM).
With a CVSS v4.0 score of 8.2, this vulnerability could allow attackers to bypass security controls or disrupt services.
The affected versions are 17.1.0 through 17.1.2; the fix is included in version 17.1.3.
NGINX Ecosystem Vulnerabilities (CVE-2026-1642)
A widespread vulnerability has been identified across the NGINX suite, including NGINX Open Source, NGINX Plus, and the NGINX Ingress Controller.
Like the BIG-IP flaw, this carries a CVSS v4.0 score of 8.2. Because NGINX is often deployed as a reverse proxy or load balancer at the edge of the network, unpatched instances represent a significant attack surface.
NGINX Gateway Fabric and Instance Manager are also affected, requiring specific updates depending on the deployment model.
Container Ingress Services (CVE-2026-22549)
For Kubernetes and OpenShift environments, BIG-IP Container Ingress Services (CIS) contains a vulnerability with a CVSS v4.0 score of 6.9. It affects versions 2.0.0 through 2.20.1; a fix is available in version 2.20.2.
The following table summarizes the affected components and version ranges listed in the notification.
| CVE ID | Component | Severity (CVSS v4.0) | Affected Versions |
|---|---|---|---|
| CVE-2026-22548 | BIG-IP Adv. WAF / ASM | 8.2 (High) | 17.1.0 – 17.1.2 |
| CVE-2026-1642 | NGINX Plus | 8.2 (High) | R32 – R36 P1 |
| CVE-2026-1642 | NGINX Open Source | 8.2 (High) | 1.3.0 – 1.29.4 |
| CVE-2026-1642 | NGINX Ingress Controller | 8.2 (High) | 5.3.0 – 5.3.2 |
| CVE-2026-22549 | BIG-IP Container Ingress | 6.9 (Medium) | 2.0.0 – 2.20.1 |
| CVE-2026-20730 | BIG-IP Edge Client (Win) | 2.0 (Low) | 7.2.5 – 7.2.6.1 |
| CVE-2026-20732 | BIG-IP Config Utility | 2.3 (Low) | 17.1.0 – 17.1.3 |
F5 also noted a security exposure in BIG-IP SMTP configuration (K000156643). This is not a software bug but a configuration risk that could allow unauthorized mail relay or information disclosure.
Admins should review the SMTP settings of their BIG-IP modules, particularly on 17.x branches, and apply the configuration hardening introduced in version 17.5.1.4 or 21.0.0.1.
Mitigation Strategy
Organizations using BIG-IP or NGINX products should:
- Inventory Assets: Identify all instances of BIG-IP WAF, NGINX Plus/Open Source, and Container Ingress Services.
- Verify Versions: Compare current installs against the “Affected Versions” column above.
- Patch: Schedule emergency change windows to apply the relevant fixes. Note that 17.1.3 closes CVE-2026-22548 but is still listed as affected by the low-severity CVE-2026-20732, so moving a BIG-IP to 17.1.3 alone does not clear every finding in the table.
- Hardening: Review SMTP configurations on BIG-IP appliances to mitigate the disclosed exposure.
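The inventory and version-check steps above reduce to a comparison against the table. The Python below is an added example written for this page, not F5 tooling: it encodes the table's ranges, parses BIG-IP dotted versions and NGINX Plus release numbers such as "R36 P1", checks an inventory against them, and extracts product and version from `nginx -v` output. The inventory records and the `nginx -v` lines are constructed; the `(nginx-plus-rNN-pN)` suffix is an assumption about how NGINX Plus reports its release, and treating a listed upper bound such as 17.1.2 as covering its own point releases (17.1.2.1) is an assumption about F5's range convention. On BIG-IP the running version comes from `tmsh show sys version`.

```python
import re
from typing import Dict, List, Tuple

Version = Tuple[int, ...]

# Affected ranges copied from the advisory table above; both bounds inclusive.
AFFECTED: Dict[str, List[Tuple[str, str, str]]] = {
    "bigip-awaf":           [("CVE-2026-22548", "17.1.0", "17.1.2")],
    "bigip-config-utility": [("CVE-2026-20732", "17.1.0", "17.1.3")],
    "bigip-edge-win":       [("CVE-2026-20730", "7.2.5", "7.2.6.1")],
    "bigip-cis":            [("CVE-2026-22549", "2.0.0", "2.20.1")],
    "nginx-plus":           [("CVE-2026-1642", "R32", "R36 P1")],
    "nginx-oss":            [("CVE-2026-1642", "1.3.0", "1.29.4")],
    "nginx-ingress":        [("CVE-2026-1642", "5.3.0", "5.3.2")],
}

# NGINX Plus releases look like "R32" or "R36 P1"; a missing P means patch level 0.
_PLUS_RE = re.compile(r"^R(\d+)(?:[\s-]*P(\d+))?$", re.I)


def parse_version(product: str, text: str) -> Version:
    """Turn a version string into a comparable tuple of integers."""
    text = text.strip()
    if product == "nginx-plus":
        m = _PLUS_RE.match(text)
        if not m:
            raise ValueError(f"unrecognised NGINX Plus release: {text!r}")
        return (int(m.group(1)), int(m.group(2) or 0))
    if not re.fullmatch(r"\d+(?:\.\d+)*", text):
        raise ValueError(f"unrecognised version: {text!r}")
    return tuple(int(p) for p in text.split("."))


def _pad(v: Version, width: int) -> Version:
    return v + (0,) * (width - len(v))


def in_affected_range(v: Version, lo: Version, hi: Version) -> bool:
    """Inclusive check. Assumption: the upper bound covers its own point
    releases, so 17.1.2.1 is inside "17.1.0 - 17.1.2" while 17.1.3 is not."""
    width = max(len(v), len(lo))
    if _pad(v, width) < _pad(lo, width):
        return False
    return _pad(v[:len(hi)], len(hi)) <= hi


def find_affected(product: str, version: str) -> List[str]:
    """CVE IDs from the table that apply to this product at this version."""
    v = parse_version(product, version)
    return [
        cve for cve, lo, hi in AFFECTED.get(product, [])
        if in_affected_range(v, parse_version(product, lo), parse_version(product, hi))
    ]


# Assumed `nginx -v` format: open source prints "nginx version: nginx/1.29.4";
# NGINX Plus appends its release, e.g. "(nginx-plus-r36-p1)". Constructed, not captured.
_NGINX_V_RE = re.compile(
    r"nginx/(\d+(?:\.\d+)+)(?:\s*\(nginx-plus-r(\d+)(?:-p(\d+))?\))?"
)


def product_version_from_nginx_v(line: str) -> Tuple[str, str]:
    """Map one `nginx -v` line to (product key, version string) for find_affected."""
    m = _NGINX_V_RE.search(line)
    if not m:
        raise ValueError(f"not an nginx -v line: {line!r}")
    if m.group(2):
        patch = f" P{m.group(3)}" if m.group(3) else ""
        return "nginx-plus", f"R{m.group(2)}{patch}"
    return "nginx-oss", m.group(1)


# Constructed inventory: (host, product key, version as reported by the asset).
INVENTORY = [
    ("bigip-edge-01", "bigip-awaf", "17.1.1"),
    ("bigip-edge-01", "bigip-config-utility", "17.1.1"),
    ("bigip-edge-02", "bigip-awaf", "17.1.3"),
    ("k8s-prod", "bigip-cis", "2.20.1"),
    ("k8s-prod", "nginx-ingress", "5.3.3"),
]


def triage(inventory) -> Dict[str, List[Tuple[str, str, str]]]:
    """host -> [(product, version, cve)] for every affected record."""
    report: Dict[str, List[Tuple[str, str, str]]] = {}
    for host, product, version in inventory:
        for cve in find_affected(product, version):
            report.setdefault(host, []).append((product, version, cve))
    return report


if __name__ == "__main__":
    for host, findings in triage(INVENTORY).items():
        for product, version, cve in findings:
            print(f"{host}: {product} {version} affected by {cve}")
    for line in ("nginx version: nginx/1.29.4",
                 "nginx version: nginx/1.27.4 (nginx-plus-r36-p1)"):
        product, version = product_version_from_nginx_v(line)
        print(f"{line} -> {product} {version}: {find_affected(product, version) or 'not affected'}")
```

The range check is deliberately conservative at the upper bound: a BIG-IP point release above 17.1.2 but below 17.1.3 is reported as affected rather than silently passed, which is the safer default when the advisory lists only major.minor.maintenance bounds.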
