- 129/2026
- Critical
F5 has released security updates to address several vulnerabilities affecting multiple F5 products.
The addressed vulnerabilities could allow the attacker to conduct denial-of-service and man-in-the-middle attacks, gain elevated privileges, bypass security restrictions, manipulate files, perform cross-site request forgery (CSRF) attacks, obtain sensitive information, execute arbitrary code/commands, and gain access to the affected systems.
Sample of the addressed vulnerabilities:
1. BIG-IP iControl REST Vulnerability (CVE-2026-41225):
- CVSS: 9.1
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: High
- User Interaction: None
- Consequences: Security Bypass
2. BIG-IP and BIG-IQ Configuration Utility Vulnerability (CVE-2026-41957):
- CVSS: 8.8
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Consequences: Gain Access
Sample of the affected products:
- BIG-IP and BIG-IP PEM.
- BIG-IQ.
- NGINX Plus, NGINX Open Source, and NGINX Instance Manager.
- F5 WAF for NGINX.
- NGINX Ingress Controller.
Vulnerabilities
Mitigations
The enterprise should deploy this patch as soon as the testing phase is completed.