
The network equipment manufacturer F5 has published important security updates for various BIG-IP products.
Due to multiple security vulnerabilities, enterprise networks using F5 products are at risk. The company has now released its quarterly security update. To date, there are no indications of attacks in the wild.
Because a successful attack on BIG-IP often gives attackers access to otherwise protected areas of a network, administrators should apply patches promptly.
Various Threats
If patches are not applied, attackers can carry out code execution attacks against BIG-IP (all modules) and BIG-IQ Centralized Management (CVE-2026-41957 [1], “high”). However, attackers must already be authenticated. The developers state that they have closed the vulnerability in versions 17.1.3.1, 17.5.1.4 and 21.0.0.
Third-party software such as NGINX Plus and NGINX Open Source is also affected. Here, attackers can execute malicious code without authentication via crafted HTTP requests (CVE-2026-42945 [2], “critical”).
Additionally, there are security updates for various other BIG-IP components and iControl REST. Among other issues, these components can be affected by SSL errors and DoS conditions. DoS attacks lead to crashes, which in a network context can cause far-reaching disruptions: for example, instances critical for business operations may become unavailable. Furthermore, attackers can bypass restrictions or obtain higher user privileges to spread further.
Install Patches
Because the list of available security updates would exceed the scope of this report, administrators must review the advisories in the security section of the F5 website [3] and search for the security updates relevant to their environment.
(des [5])
URL of this article: https://www.heise.de/-11294929
Links in this article:
[1] https://my.f5.com/manage/s/article/K000156761
[2] https://my.f5.com/manage/s/article/K000158029
[3] https://my.f5.com/manage/s/article/K000160932
[5] mailto:des@heise.de
Copyright © 2026 Heise Medien