Critical Flaws in F5 BIG-IP and NGINX Prompt Urgent Security Patches

F5 has released its latest security update, fixing several vulnerabilities across its products. Although F5 lists some of these issues as “medium” under its internal scale, the newer CVSS v4.0 system rates the main ones at 8.2, which is considered high risk for enterprise environments.

The update mainly affects BIG-IP Advanced WAF, NGINX products, and BIG-IP Container Ingress Services. Since these systems often handle incoming application traffic, leaving them unpatched could expose organizations to serious attacks.

All About the Vulnerabilities

BIG-IP Advanced WAF & ASM (CVE-2026-22548)
This flaw affects the Web Application Firewall and Application Security Manager modules on BIG-IP devices. Attackers could potentially bypass security protections or disrupt services. It impacts versions 17.1.0 to 17.1.2, and the fix is included in 17.1.3.

NGINX Vulnerability (CVE-2026-1642)
A major issue was found across the NGINX ecosystem, including NGINX Plus, Open Source, and the Ingress Controller. Because NGINX often runs at the edge of networks as a reverse proxy or load balancer, vulnerable systems could become easy targets. This issue also carries a high severity score.

BIG-IP Container Ingress Services (CVE-2026-22549)
For organizations using Kubernetes or OpenShift, a vulnerability affects Container Ingress Services versions 2.0.0 through 2.20.1. A patched version is available in 2.20.2.

Affected Components

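| CVE            | Product                            | Severity | Affected Versions |
|----------------|------------------------------------|----------|-------------------|
| CVE-2026-22548 | BIG-IP Advanced WAF / ASM          | High     | 17.1.0 – 17.1.2   |
| CVE-2026-1642  | NGINX (Plus, Open Source, Ingress) | High     | Multiple versions |
| CVE-2026-22549 | BIG-IP Container Ingress           | Medium   | 2.0.0 – 2.20.1    |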

F5 also warned about a configuration risk related to SMTP settings in BIG-IP systems. This isn’t a software bug but could allow misuse if not properly secured. Administrators should review and harden their configurations.

What Organizations Should Do

  • Identify all BIG-IP and NGINX systems in use
  • Check installed versions against the affected list
  • Apply updates as soon as possible
  • Review and secure SMTP configurations on BIG-IP devices
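
The version check in the second step can be scripted. The following is an added example, not code from F5 or from the original article: it compares an inventory against the ranges listed above, and the product keys, hostnames and sample versions are assumptions made up for the illustration.

```python
"""Flag inventory entries whose version falls in the ranges listed in the article."""

# Ranges and fixed versions are the ones stated in the article. It gives no
# NGINX range ("Multiple versions"), so that entry stays open.
# The product keys are labels invented for this example.
AFFECTED = {
    "bigip-awaf-asm": ("CVE-2026-22548", "17.1.0", "17.1.2", "17.1.3"),
    "bigip-cis": ("CVE-2026-22549", "2.0.0", "2.20.1", "2.20.2"),
    "nginx": ("CVE-2026-1642", None, None, None),
}

def parse_version(text):
    """Return a 3-part numeric tuple so 2.9.0 sorts below 2.20.1."""
    parts = text.strip().split(".")
    if not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable version: {text!r}")
    # Assumption: builds with a fourth component (e.g. 17.1.2.1) are judged by
    # their first three parts, which errs toward flagging them for review.
    nums = [int(p) for p in parts[:3]]
    return tuple(nums + [0] * (3 - len(nums)))

def assess(product, version):
    """Classify one installed version against the article's list."""
    if product not in AFFECTED:
        return "unknown-product"
    _, first, last, _ = AFFECTED[product]
    if first is None:
        return "check-advisory"  # range not stated in the article
    if parse_version(first) <= parse_version(version) <= parse_version(last):
        return "affected"
    return "outside-listed-range"

def report(inventory):
    """Return (host, product, version, CVE, status) rows needing attention."""
    rows = []
    for host, product, version in inventory:
        status = assess(product, version)
        if status != "outside-listed-range":
            cve = AFFECTED.get(product, ("n/a",))[0]
            rows.append((host, product, version, cve, status))
    return rows

# Constructed sample inventory; hostnames and versions are made up.
SAMPLE = [("waf-edge-01", "bigip-awaf-asm", "17.1.2"),
          ("waf-edge-02", "bigip-awaf-asm", "17.1.3"),
          ("k8s-cis-01", "bigip-cis", "2.9.0"),
          ("proxy-01", "nginx", "1.27.0")]

if __name__ == "__main__":
    for row in report(SAMPLE):
        print(*row, sep="\t")
```

A result of "outside-listed-range" only means the version is not in the ranges the article lists; NGINX entries always come back as "check-advisory" because the article gives no range for them.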

Because these products sit at key network entry points, patching them quickly is critical to reducing exposure.

About the Author:

FirstHackersNews- Identifies Security
