Multiple Vulnerabilities in F5 NGINX, BIG-IP and BIG-IQ
18 May 2026
F5 has released security updates to address multiple vulnerabilities in NGINX, BIG-IP, and BIG-IQ. Users and administrators of affected products are advised to update to the latest versions immediately.
Background
In its monthly advisory, F5 has released security updates to address a heap buffer overflow vulnerability (CVE-2026-42945) in the ngx_http_rewrite_module affecting NGINX Plus and NGINX Open Source, an incorrect use of privileged APIs vulnerability (CVE-2026-41225) affecting BIG-IP iControl REST, and an authenticated remote code execution vulnerability (CVE-2026-41957) affecting the BIG-IP and BIG-IQ Configuration utility.
These vulnerabilities have Common Vulnerability Scoring System (CVSS v3.1) scores of 8.1, 9.1 and 8.8 out of 10 respectively.
Impact
Successful exploitation of these vulnerabilities could lead to the following:
CVE-2026-42945: Due to a heap buffer overflow vulnerability in the ngx_http_rewrite_module, an unauthenticated attacker could send crafted HTTP requests to cause a denial of service condition on the NGINX system, or achieve code execution on systems with Address Space Layout Randomisation (ASLR) disabled.
CVE-2026-41225: Due to incorrect use of privileged APIs in BIG-IP iControl REST, a highly privileged authenticated attacker with network access to the affected iControl REST endpoint through the BIG-IP management port or self IP addresses could escalate their privileges or bypass Appliance mode restrictions on the affected system.
CVE-2026-41957: Due to deserialisation of untrusted data in the BIG-IP and BIG-IQ Configuration utility, an authenticated attacker could execute arbitrary system commands, create or delete files, or disable services on the affected system.
Known Exploitation
CVE-2026-42945 is being actively exploited in the wild. A proof of concept is publicly available.
Affected Products
For CVE-2026-42945 (NGINX Plus and NGINX Open Source):
NGINX Plus: versions R32 through R36
NGINX Open Source: versions 0.6.27 through 0.9.7 (no fix available), and 1.0.0 through 1.30.0
NGINX Instance Manager: versions 2.16.0 through 2.22.0
F5 WAF for NGINX: versions 5.9.0 through 5.12.1
NGINX App Protect WAF: versions 4.9.0 through 4.16.0, and 5.1.0 through 5.8.0
F5 DoS for NGINX: version 4.8.0
NGINX App Protect DoS: versions 4.3.0 through 4.7.0
NGINX Gateway Fabric: versions 1.3.0 through 1.6.2, and 2.0.0 through 2.6.0
NGINX Ingress Controller: versions 3.5.0 through 3.7.2, 4.0.0 through 4.0.1, and 5.0.0 through 5.4.2
For CVE-2026-41225 (BIG-IP iControl REST):
BIG-IP (all modules): versions 16.1.0 through 16.1.6, 17.1.0 through 17.1.3, 17.5.0 through 17.5.1, and 21.0.0
For CVE-2026-41957 (BIG-IP and BIG-IQ):
BIG-IP (all modules): versions 16.1.0 through 16.1.6, 17.1.0 through 17.1.3, and 17.5.0 through 17.5.1
BIG-IQ Centralised Management: version 8.4.0
Mitigation
Users and administrators of affected products are advised to update to the latest versions immediately.
If immediate patching is not feasible, administrators may consider implementing the following workarounds:
For CVE-2026-42945:
Use named captures instead of unnamed captures in rewrite definitions
For CVE-2026-41225:
Block iControl REST access through the self IP address
For CVE-2026-41957:
Block Configuration utility access through self IP addresses
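As an added defender-side check (not from F5 or the advisory), the following Python script lists the rewrite directives in an NGINX configuration whose regex still uses unnamed capture groups, i.e. the ones the CVE-2026-42945 workaround says to convert to named captures. The sample configuration is constructed, and the script assumes one rewrite directive per line.

```python
import re

# Constructed sample nginx configuration (not taken from the advisory).
# Line 3 and line 6 use unnamed captures ($1, $2); line 4 is the
# named-capture form the workaround asks for; line 5 has no capture group.
SAMPLE_CONF = r"""
server {
    rewrite ^/old/(.*)$ /new/$1 permanent;
    rewrite ^/users/(?<user>[^/]+)$ /show?user=$user break;
    rewrite ^/static/ /assets/ last;
    rewrite "^/img/(\d+)/(\d+)$" /image?w=$1&h=$2 break;
}
"""

# A rewrite directive: rewrite <regex> <replacement> [flag];
# The regex may be quoted when it contains spaces, braces or semicolons.
REWRITE_RE = re.compile(r'''^\s*rewrite\s+("[^"]*"|'[^']*'|\S+)\s+(\S+)''')


def has_unnamed_capture(regex: str) -> bool:
    """True if a PCRE regex contains at least one unnamed capture group.

    Assumption: every group opening with "(?" (named, non-capturing,
    lookaround, atomic, inline flags) is treated as not an unnamed capture.
    """
    cleaned = re.sub(r"\\.", "", regex)           # drop escapes such as \( or \d
    cleaned = re.sub(r"\[[^\]]*\]", "", cleaned)  # drop bracket expressions
    cleaned = cleaned.replace("(?", "")           # drop "(?..." group openers
    return "(" in cleaned


def audit_rewrites(conf: str) -> list:
    """Return (line_number, directive) for every rewrite whose regex still
    relies on unnamed captures, i.e. the ones to convert under the workaround."""
    findings = []
    for lineno, line in enumerate(conf.splitlines(), 1):
        m = REWRITE_RE.match(line)
        if m and has_unnamed_capture(m.group(1).strip("\"'")):
            findings.append((lineno, line.strip()))
    return findings


if __name__ == "__main__":
    for lineno, directive in audit_rewrites(SAMPLE_CONF):
        print(f"line {lineno}: {directive}")
```

Updating to a fixed version remains the fix; this only helps locate the rewrites to convert while the workaround is in place.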
References
https://my.f5.com/manage/s/article/K000160932
https://my.f5.com/manage/s/article/K000161019
https://depthfirst.com/nginx-rift
https://my.f5.com/manage/s/article/K000156761
https://my.f5.com/manage/s/article/K000160916
https://nvd.nist.gov/vuln/detail/CVE-2026-42945
https://nvd.nist.gov/vuln/detail/CVE-2026-41957
https://nvd.nist.gov/vuln/detail/CVE-2026-41225
https://thehackernews.com/2026/05/nginx-cve-2026-42945-exploited-in-wild.html
https://www.securityweek.com/f5-patches-over-50-vulnerabilities
