- 38/2026
- High
F5 has released security updates to address several vulnerabilities affecting multiple F5 products.
The addressed vulnerabilities could allow the attacker to perform denial-of-service attacks, obtain sensitive information, conduct man-in-the-middle attacks, and inject plain-text data into responses sent to clients by an upstream proxied server.
Sample of the addressed vulnerabilities:
1. BIG-IP Traffic Management Microkernel TMM DDoS Vulnerability (CVE-2026- 2507):
- CVSS: 7.5
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Consequences: Denial of Service
2. NGINX OSS and NGINX Plus Man-in-the-Middle (MITM) Vulnerability (CVE- 2026-1642):
- CVSS: 5.9
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Consequences: Data Manipulation
Sample of the affected products:
- BIG-IP TMM.
- BIG-IP Advanced WAF/ASM.
- NGINX Ingress Controller.
- NGINX Gateway Fabric.
Vulnerabilities
- CVE-2026-2507
- CVE-2026-22548
- CVE-2026-1642
- CVE-2026-22549
- CVE-2026-20730
- CVE-2026-20732
Mitigations
The enterprise should deploy this patch as soon as the testing phase is completed.