F5's latest quarterly security advisory details fixes for more than 50 vulnerabilities in BIG-IP, BIG-IQ, and NGINX. The most critical is CVE-2026-42945, a DoS vulnerability in NGINX's ngx_http_rewrite_module that can cause heap buffer overflow and potentially code execution if ASLR is disabled. CVE-2026-41225 affects iControl REST, allowing authenticated users with Manager permissions to create configuration objects and execute commands, potentially bypassing appliance mode restrictions and crossing security boundaries. Additional high-severity vulnerabilities include authenticated remote code execution and command injection in BIG-IP, as well as flaws leading to restriction bypass, file tampering, and multiple DoS conditions primarily causing the Traffic Management Microkernel to terminate. Medium-severity issues include security bypass, privilege escalation, information disclosure, code injection, and local file tampering. No known exploits have been observed in the wild. F5 has released official patches to address all these vulnerabilities.

The vulnerabilities collectively could allow denial-of-service conditions, remote code execution, command injection, privilege escalation, security bypass, and information disclosure in affected F5 products. The most severe vulnerability (CVE-2026-42945) can cause service disruption and potentially remote code execution if ASLR is disabled. The iControl REST vulnerability (CVE-2026-41225) allows highly privileged authenticated attackers to escalate privileges or bypass security restrictions, potentially crossing security boundaries. Other issues could lead to arbitrary file tampering and multiple DoS conditions affecting system stability. No exploitation in the wild has been reported to date.

F5 has released official patches addressing all identified vulnerabilities in BIG-IP, BIG-IQ, and NGINX. Organizations using these products should apply the vendor-provided updates promptly to mitigate the risks. Since the vulnerabilities affect on-premises products, administrators must follow F5's quarterly security notification and update guidance. There is no indication that any vulnerabilities are already mitigated or require no action. No known exploits in the wild reduce immediate urgency but patching remains critical.