F5 threat watch

F5 CVE coverage for BIG-IP, application delivery controllers, WAF, VPN, and internet-facing app security infrastructure.

Watch items

Recent F5 watch items

Showing the 20 most recent items, newest first. Each row links to the official advisory.


F5 vulnerability (CVE-2026-43624)

HIGH · watch · NVD · CVE-2026-43624

F5-TTS through version 1.1.20 contains a path traversal vulnerability in the finetune Gradio handlers that allows unauthenticated attackers to write arbitrary files by passing unsanitized user-supplied project names directly to os.path.join() without validating the resulting path stays within the intended base directory. Attackers can supply absolute path arguments such as /tmp/EVIL to override the base directory entirely and create arbitrary directories with attacker-controlled JSON content at any filesystem path writable by the server process.

Jun 1, 2026, 2:16 PM · Official source

njs vulnerability (CVE-2026-8711)

CRITICAL · watch · NVD · CVE-2026-8711

NGINX JavaScript has a vulnerability when the js_fetch_proxy directive is configured with at least one client-controlled NGINX variable (for example, $http_*, $arg_*, $cookie_*) and a location invoking the ngx.fetch() operation from NGINX JavaScript. An unauthenticated attacker can exploit this vulnerability by sending crafted HTTP requests. This may cause a heap buffer overflow in the NGINX worker process leading to a restart. Additionally, attackers can execute code on systems with Address Space Layout Randomization (ASLR) disabled or when the attacker can bypass ASLR. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

May 19, 2026, 10:16 AM · Official source

DoS vulnerability (CVE-2026-42946)

HIGH · watch · NVD · CVE-2026-42946

A vulnerability exists in the ngx_http_scgi_module and ngx_http_uwsgi_module modules that may result in excessive memory allocation or an over-read of data. When scgi_pass or uwsgi_pass is configured, an unauthenticated attacker with man-in-the-middle (MITM) ability to control responses from an upstream server may be able to read the memory of the NGINX worker process or restart it. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

May 13, 2026, 11:16 AM · Official source

NGINX Open Source vulnerability (CVE-2026-27784)

HIGH · watch · NVD · CVE-2026-27784

The 32-bit implementation of NGINX Open Source has a vulnerability in the ngx_http_mp4_module module, which might allow an attacker to over-read or over-write NGINX worker memory resulting in its termination, using a specially crafted MP4 file. The issue only affects 32-bit NGINX Open Source if it is built with the ngx_http_mp4_module module and the mp4 directive is used in the configuration file. Additionally, the attack is possible only if an attacker can trigger the processing of a specially crafted MP4 file with the ngx_http_mp4_module module. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

Mar 24, 2026, 10:16 AM · Official source

BIG-IP Access Policy Manager vulnerability (CVE-2025-53521)

CRITICAL · active · CISA KEV · CVE-2025-53521

When a BIG-IP APM access policy is configured on a virtual server, specific malicious traffic can lead to Remote Code Execution (RCE). Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

Oct 15, 2025, 9:15 AM · Official source

F5 BIG-IP Configuration Utility Authentication Bypass Vulnerability

CRITICAL · active · CISA KEV · CVE-2023-46747

F5 BIG-IP Configuration utility contains an authentication bypass using an alternate path or channel vulnerability due to undisclosed requests that may allow an unauthenticated attacker with network access to the BIG-IP system through the management port and/or self IP addresses to execute system commands. This vulnerability can be used in conjunction with CVE-2023-46748. Known ransomware use: Known.

Oct 30, 2023, 7:00 PM · Official source

F5 BIG-IP Configuration Utility SQL Injection Vulnerability

CRITICAL · active · CISA KEV · CVE-2023-46748

F5 BIG-IP Configuration utility contains an SQL injection vulnerability that may allow an authenticated attacker with network access through the BIG-IP management port and/or self IP addresses to execute system commands. This vulnerability can be used in conjunction with CVE-2023-46747.

Oct 30, 2023, 7:00 PM · Official source

F5 BIG-IP Missing Authentication Vulnerability

CRITICAL · active · CISA KEV · CVE-2022-1388

F5 BIG-IP contains a missing authentication in critical function vulnerability which can allow for remote code execution, creation or deletion of files, or disabling services. Known ransomware use: Known.

May 9, 2022, 7:00 PM · Official source

F5 BIG-IP Traffic Management Microkernel Buffer Overflow

CRITICAL · active · CISA KEV · CVE-2021-22991

The Traffic Management Microkernel of BIG-IP ASM Risk Engine has a buffer overflow vulnerability, leading to a bypassing of URL-based access controls.

Jan 17, 2022, 6:00 PM · Official source

F5 BIG-IP and BIG-IQ Centralized Management iControl REST Remote Code Execution Vulnerability

CRITICAL · active · CISA KEV · CVE-2021-22986

F5 BIG-IP and BIG-IQ Centralized Management contain a remote code execution vulnerability in the iControl REST interface that allows unauthenticated attackers with network access to execute system commands, create or delete files, and disable services. Known ransomware use: Known.

Nov 2, 2021, 7:00 PM · Official source

F5 BIG-IP Traffic Management User Interface (TMUI) Remote Code Execution Vulnerability

CRITICAL · active · CISA KEV · CVE-2020-5902

F5 BIG-IP Traffic Management User Interface (TMUI) contains a remote code execution vulnerability in undisclosed pages. Known ransomware use: Known.

Nov 2, 2021, 7:00 PM · Official source

BIG-IP Local Traffic Manager vulnerability (CVE-2017-6167)

HIGH · watch · NVD · CVE-2017-6167

In F5 BIG-IP LTM, AAM, AFM, Analytics, APM, ASM, DNS, Link Controller, PEM and WebSafe software version 13.0.0 and 12.1.0 - 12.1.2, race conditions in iControl REST may lead to commands being executed with different privilege levels than expected.

Dec 21, 2017, 11:29 AM · Official source

BIG-IP Local Traffic Manager vulnerability (CVE-2017-6164)

HIGH · watch · NVD · CVE-2017-6164

In F5 BIG-IP LTM, AAM, AFM, Analytics, APM, ASM, DNS, Edge Gateway, GTM, Link Controller, PEM, WebAccelerator and WebSafe software version 13.0.0, 12.0.0 - 12.1.2, 11.6.0 - 11.6.1 and 11.5.0 - 11.5.4, in some circumstances, Traffic Management Microkernel (TMM) does not properly handle certain malformed TLS1.2 records, which allows remote attackers to cause a denial-of-service (DoS) or possible remote command execution on the BIG-IP system.

Dec 21, 2017, 11:29 AM · Official source

BIG-IP Local Traffic Manager vulnerability (CVE-2017-6151)

HIGH · watch · NVD · CVE-2017-6151

In F5 BIG-IP LTM, AAM, AFM, Analytics, APM, ASM, DNS, Edge Gateway, GTM, Link Controller, PEM, WebAccelerator and WebSafe software version 13.0.0, undisclosed requests made to BIG-IP virtual servers which make use of the "HTTP/2 profile" may result in a disruption of service to TMM.

Dec 21, 2017, 11:29 AM · Official source

BIG-IP Local Traffic Manager vulnerability (CVE-2017-6140)

HIGH · watch · NVD · CVE-2017-6140

On the BIG-IP 2000s, 2200s, 4000s, 4200v, i5600, i5800, i7600, i7800, i10600, i10800, and VIPRION 4450 blades, running version 11.5.0, 11.5.1, 11.5.2, 11.5.3, 11.5.4, 11.6.0, 11.6.1, 12.0.0, 12.1.0, 12.1.1 or 12.1.2 of BIG-IP LTM, AAM, AFM, Analytics, ASM, DNS, GTM or PEM, an undisclosed sequence of packets sent to Virtual Servers with client or server SSL profiles may cause disruption of data plane services.

Dec 21, 2017, 11:29 AM · Official source

BIG-IP Local Traffic Manager vulnerability (CVE-2017-6138)

HIGH · watch · NVD · CVE-2017-6138

In F5 BIG-IP LTM, AAM, AFM, Analytics, APM, ASM, DNS, GTM, Link Controller, PEM and WebSafe software version 13.0.0 and 12.1.0 - 12.1.2, malicious requests made to virtual servers with an HTTP profile can cause the TMM to restart. The issue is exposed with BIG-IP APM profiles, regardless of settings. The issue is also exposed with the non-default "normalize URI" configuration options used in iRules and/or BIG-IP LTM policies.

Dec 21, 2017, 11:29 AM · Official source

BIG-IP Local Traffic Manager vulnerability (CVE-2017-6135)

HIGH · watch · NVD · CVE-2017-6135

In F5 BIG-IP LTM, AAM, AFM, Analytics, APM, ASM, DNS, GTM, Link Controller, PEM and WebSafe software version 13.0.0, a slow memory leak as a result of undisclosed IPv4 or IPv6 packets sent to BIG-IP management port or self IP addresses may lead to out of memory (OOM) conditions.

Dec 21, 2017, 11:29 AM · Official source

BIG-IP Local Traffic Manager vulnerability (CVE-2017-6133)

HIGH · watch · NVD · CVE-2017-6133

In F5 BIG-IP LTM, AAM, AFM, Analytics, APM, ASM, DNS, Link Controller, PEM and WebSafe software version 13.0.0 and 12.1.0 - 12.1.2, undisclosed HTTP requests may cause a denial of service.

Dec 21, 2017, 11:29 AM · Official source

BIG-IP Local Traffic Manager vulnerability (CVE-2017-6132)

HIGH · watch · NVD · CVE-2017-6132

In F5 BIG-IP LTM, AAM, AFM, Analytics, APM, ASM, DNS, GTM, Link Controller, PEM and Websafe software version 13.0.0, 12.0.0 to 12.1.2, 11.6.0 to 11.6.1 and 11.5.0 - 11.5.4, an undisclosed sequence of packets sent to BIG-IP High Availability state mirror listeners (primary and/or secondary IP) may cause TMM to restart.

Dec 21, 2017, 11:29 AM · Official source

BIG-IP Access Policy Manager vulnerability (CVE-2017-6129)

HIGH · watch · NVD · CVE-2017-6129

In F5 BIG-IP APM software version 13.0.0 and 12.1.2, in some circumstances, APM tunneled VPN flows can cause a VPN/PPP connflow to be prematurely freed or cause TMM to stop responding with a "flow not in use" assertion. An attacker may be able to disrupt traffic or cause the BIG-IP system to fail over to another device in the device group.

Dec 21, 2017, 11:29 AM · Official source

Vendor watch hub

What this page covers

The F5 watch hub is a vendor-specific view inside ITECS MSP Threat Radar. We pull the latest security advisories, incidents, and known-exploited CVEs directly from the official feeds below, score each one for MSP relevance, and surface what's most likely to need attention this week.

  • Confirm whether recent F5 activity overlaps with your environment.
  • Prioritize advisories by MSP-relevance score, severity, and status.
  • Turn the signal into an assessment, briefing, or managed-service engagement with ITECS.

At a glance

Tracked

56

Active

7

Featured

16

Unique CVEs

20

Most recent entry

Jun 1, 2026, 2:16 PM

Feed refreshes daily · 5:15 a.m. Central

Sources · CISA KEV and NVD (product vendor coverage)

"Most recent entry" is the newest item the upstream feed has published — not our sync time.

Vendor watch FAQ

Common questions

What is the F5 threat watch page?

It is the F5-specific view inside ITECS Threat Radar, built to track recent advisories, incidents, and watch items that may affect Dallas-area business operations.

How should teams use the F5 watch page?

Use it to confirm whether current F5 issues overlap with your environment, prioritize remediation, and decide whether you need an assessment, managed security follow-through, or vendor-specific hardening work.

Can ITECS help respond to F5 security issues?

Yes. ITECS can help map F5 advisories against your systems, validate affected services, prioritize remediation, and connect the issue to broader managed cybersecurity or managed IT workflows.