18 matches found
K000161614: Out-of-band Security Notification (June 17, 2026)
Security Advisory Description: On June 17, 2026, F5 announced the following security issues. This document is intended to serve as an overview of these vulnerabilities to help determine the impact to your F5 devices. You can find the details of each issue in the associated articles. High CVEs Medi...
Vulnerabilities fixed in F5 Networks BIG-IP, F5OS and NGINX App Protect WAF
F5 Networks has fixed vulnerabilities in the BIG-IP and F5OS product lines and NGINX App Protect WAF. The vulnerabilities include several configuration issues and exploit vectors. A malicious party can exploit the vulnerabilities to launch attacks that can lead to the following categories of...
CVE-2025-58474
When BIG-IP Advanced WAF is configured on a virtual server with Server-Side Request Forgery (SSRF) protection or when an NGINX server is configured with App Protect Bot Defense, undisclosed requests can disrupt new client requests. Note: Software versions which have reached End of Technical Support...
CVE-2025-58474
CVE-2025-58474 is a DNS lookup vulnerability affecting BIG-IP Advanced WAF/ASM and NGINX App Protect. When BIG-IP Advanced WAF is on a virtual server with SSRF protection or NGINX App Protect Bot Defense is used, undisclosed requests can disrupt new client requests, enabling potential DoS on the ...
CVE-2025-58474 BIG-IP Advanced WAF and ASM and NGINX App Protect DNS lookup vulnerability
When BIG-IP Advanced WAF is configured on a virtual server with Server-Side Request Forgery (SSRF) protection or when an NGINX server is configured with App Protect Bot Defense, undisclosed requests can disrupt new client requests. Note: Software versions which have reached End of Technical Support...
CVE-2025-58474 BIG-IP Advanced WAF and ASM and NGINX App Protect DNS lookup vulnerability
When BIG-IP Advanced WAF is configured on a virtual server with Server-Side Request Forgery (SSRF) protection or when an NGINX server is configured with App Protect Bot Defense, undisclosed requests can disrupt new client requests. Note: Software versions which have reached End of Technical Support...
K000148512: BIG-IP Advanced WAF and ASM and NGINX App Protect DNS lookup vulnerability CVE-2025-58474
Security Advisory Description: When BIG-IP Advanced WAF is configured on a virtual server with Server-Side Request Forgery (SSRF) protection or when an NGINX server is configured with App Protect Bot Defense, undisclosed requests can disrupt new client requests. CVE-2025-58474 Impact: Traffic is...
EUVD-2021-10168
Malware in sbrugna...
CVE-2021-23050
On BIG-IP Advanced WAF and BIG-IP ASM versions 16.0.x before 16.0.1.2 and 15.1.x before 15.1.3 and NGINX App Protect on all versions before 3.5.0, when a cross-site request forgery (CSRF)-enabled policy is configured on a virtual server, an undisclosed HTML response may cause the bd process to...
K000135944: Attack signature check security exposure
Security Advisory Description: BIG-IP Advanced WAF, BIG-IP ASM, and NGINX App Protect systems incorrectly handle certain requests. This issue occurs when the following condition is met: BIG-IP Advanced WAF, BIG-IP ASM, and NGINX App Protect handle a crafted request with the parameter value. Impact...
K30911244: Advanced WAF, BIG-IP ASM, and NGINX App Protect attack signature check failure
Security Advisory Description: The F5 Advanced Web Application Firewall (Advanced WAF), BIG-IP ASM, and NGINX App Protect attack signature check may fail to detect and block certain HTTP requests when some signatures are disabled on the security policy and wildcard header. Impact: The attack signatur...
K67397230: BIG-IP ASM, F5 Advanced WAF, and NGINX App Protect normalizing security exposure
Security Advisory Description: The BIG-IP ASM, F5 Advanced Web Application Firewall (Advanced WAF), and NGINX App Protect systems incorrectly normalize undisclosed strings. Impact: The attack signature check fails to detect and block such requests, as expected of a security policy. Symptoms: As a resu...
K70134152: BIG-IP ASM, F5 Advanced WAF, and NGINX App Protect encoded directory traversal security exposure
Security Advisory Description: The BIG-IP ASM, F5 Advanced Web Application Firewall (Advanced WAF), and NGINX App Protect systems may fail to detect encoded directory traversal in the URL. This issue occurs when the following condition is met: The affected security policy is enabled with an evasion...
K44553214: Web application firewall vulnerability CVE-2021-23050
Security Advisory Description: When a cross-site request forgery (CSRF)-enabled policy is configured on a virtual server, an undisclosed HTML response may cause the bd process to terminate. CVE-2021-23050 Impact: Traffic is disrupted until the bd process restarts. This vulnerability allows a remote...
K41503304: Advanced WAF, BIG-IP ASM, and NGINX App Protect attack signature bypass security exposure
Security Advisory Description: The F5 Advanced Web Application Firewall (Advanced WAF), BIG-IP ASM, and NGINX App Protect systems' attack signature check may fail to match attack signature 200000128, as expected, for certain undisclosed requests. This issue occurs when all of the following conditions...
CVE-2021-23050
On BIG-IP Advanced WAF and BIG-IP ASM versions 16.0.x before 16.0.1.2 and 15.1.x before 15.1.3 and NGINX App Protect on all versions before 3.5.0, when a cross-site request forgery (CSRF)-enabled policy is configured on a virtual server, an undisclosed HTML response may cause the bd process to...
CVE-2021-23050
On BIG-IP Advanced WAF and BIG-IP ASM versions 16.0.x before 16.0.1.2 and 15.1.x before 15.1.3 and NGINX App Protect on all versions before 3.5.0, when a cross-site request forgery (CSRF)-enabled policy is configured on a virtual server, an undisclosed HTML response may cause the bd process to...
CVE-2021-23050
CVE-2021-23050 affects BIG-IP Advanced WAF and BIG-IP ASM (and related NGINX App Protect) when a CSRF-enabled policy is configured on a virtual server. The vulnerability can cause the bd process to terminate due to an undisclosed HTML response, leading to DoS as described in vendor advisories. Af...