F5

Network & Security

Open CVEs: 23
Exploited: 0
KEV: 0
Unpatched: 4
No Workaround: 0
Internet-facing: 18

Why this provider is risky now

This provider has 23 open CVE(s) in the last 30 days. 4 have no vendor patch. 18 affect internet-facing services. 4 impact the management/identity plane.

Unpatched: 4 · Mgmt / Admin Plane: 4 · Public PoC: 1 · Internet-facing: 18

Top Risky CVEs

CVE-2026-33032 · Act Now · Unpatched
Remote unauthenticated nginx service takeover in nginx-ui's MCP integration allows network attackers to create, modify, or delete nginx configuration files and trigger automatic reloads without authentication. The /mcp_message endpoint lacks authentication middleware while exposing the same MCP tool handlers as the protected /mcp endpoint, and the IP whitelist defaults to empty (allow-all). Attackers can inject malicious server blocks to intercept credentials, exfiltrate backend topology, or crash nginx with invalid configs. CVSS 9.8 (Critical) with network attack vector, no authentication required, and high impact across confidentiality, integrity, and availability. No public exploit identified at time of analysis, though detailed proof-of-concept HTTP request provided in advisory.
Within 24 hours: Immediately identify all nginx-ui deployments in your environment and isolate affected instances from untrusted networks; implement network-level access controls to restrict /mcp_message endpoint to trusted administrative IPs only. Within 7 days: Monitor vendor (nginx-ui maintainers) for patch release; subscribe to security advisories for update notifications; conduct forensic review of nginx configuration change logs for unauthorized modifications since deployment date. Within 30 days: Apply vendor-released patch immediately upon availability; validate patch installation across all instances; restore nginx configurations from clean backups if compromise is suspected; implement permanent network segmentation and WAF rules blocking unauthenticated /mcp_message requests.
Tags: Edge exposure · ICT dependency · No patch available · Management plane · PoC
Why flagged?
NIS2 Relevant
  • CRITICAL severity
  • Internet-facing (CWE-306: Missing Authentication for Critical Function)
  • Third-party ICT: F5, SUSE
  • Proof of concept available
  • No patch available
  • Management plane (Missing Authentication for Critical Function)
  • Strong evidence (KEV / high EPSS / multi-source)
DORA Relevant
  • CRITICAL severity
  • ICT provider: F5 (Network & Security)
  • ICT provider: SUSE (Infrastructure & Virtualization)
  • No remediation available
  • Authentication / access control weakness
CVSS 9.8 · EPSS 0.1% · Priority 69
CVE-2026-33026 · Act Now
Remote authenticated attackers can achieve arbitrary command execution on nginx-ui v2.3.3 servers by manipulating encrypted backup archives during restoration. The vulnerability stems from a circular trust model where backup integrity metadata is encrypted using the same AES key provided to clients, allowing attackers to decrypt backups, inject malicious configuration (including command execution directives), recompute valid hashes, and re-encrypt the archive. The restore process accepts tampered backups despite hash verification warnings. Publicly available exploit code exists with detailed proof-of-concept demonstrating configuration injection leading to arbitrary command execution. Vendor-released patch available in nginx-ui v2.3.4. This represents a regression from GHSA-g9w5-qffc-6762, which addressed backup access control but not the underlying cryptographic design flaw.
Within 24 hours: Identify all nginx-ui instances running v2.3.3 or earlier across your infrastructure using asset inventory and vulnerability scanning. Within 7 days: Upgrade all affected deployments to nginx-ui v2.3.4 or later per vendor advisory. Within 30 days: Audit backup integrity logs and configuration history for signs of unauthorized modification; rotate all nginx credentials and cryptographic keys used in backup operations post-patch.
Tags: Edge exposure · ICT dependency · Patched
Why flagged?
NIS2 Relevant
  • CRITICAL severity
  • Internet-facing technique: authentication-bypass
  • Third-party ICT: Docker, F5, SUSE
  • Strong evidence (KEV / high EPSS / multi-source)
DORA Relevant
  • CRITICAL severity
  • ICT provider: Docker (Dev Platforms & CI/CD)
  • ICT provider: F5 (Network & Security)
  • ICT provider: SUSE (Infrastructure & Virtualization)
CVSS 9.4 · EPSS 0.0% · Priority 47
CVE-2026-34759 · Act Now
Authentication bypass in OneUptime notification API endpoints allows unauthenticated remote attackers to manipulate Twilio account resources via missing authorization middleware. Affects all versions prior to 10.0.42. Attackers can purchase phone numbers on victim Twilio accounts and delete configured alerting numbers by exploiting unprotected /notification/ endpoints, using leaked projectId values from public Status Page APIs. No public exploit identified at time of analysis, though attack complexity is rated high (CVSS AC:H) and proof-of-concept details are available in the GitHub security advisory.
Within 24 hours: Identify all OneUptime instances and document current versions via application settings or API diagnostics. Within 7 days: Upgrade all affected OneUptime deployments to version 10.0.42 or later, testing notification workflows post-upgrade. Within 30 days: Audit Twilio account activity logs for unauthorized phone number purchases or deletions since OneUptime deployment, and review Status Page API access controls to limit projectId exposure.
Tags: Edge exposure · ICT dependency · Management plane · Patched
Why flagged?
NIS2 Relevant
  • CRITICAL severity
  • Internet-facing technique: authentication-bypass
  • Third-party ICT: F5
  • Management plane (Missing Authorization)
  • Strong evidence (KEV / high EPSS / multi-source)
DORA Relevant
  • CRITICAL severity
  • ICT provider: F5 (Network & Security)
  • Authentication / access control weakness
CVSS 9.2 · EPSS 0.1% · Priority 46
CVE-2026-34457 · Act Now
Authentication bypass in OAuth2 Proxy versions before 7.15.2 allows remote unauthenticated attackers to access protected resources when deployed with nginx auth_request integration and health check features enabled. Attackers can spoof health check User-Agent headers to bypass OAuth2 authentication entirely, gaining unauthorized access to upstream applications. CVSS 9.1 (Critical) reflects network-accessible, low-complexity attack requiring no privileges or user interaction. No active exploitation confirmed (not in CISA KEV), but the trivial attack complexity and authentication bypass impact warrant immediate patching in affected deployments using nginx auth_request with --ping-user-agent or --gcp-healthchecks flags.
Within 24 hours: Identify all deployments of OAuth2 Proxy and determine which instances use nginx auth_request with health check features (--ping-user-agent or --gcp-healthchecks flags enabled). Within 7 days: Upgrade all affected OAuth2 Proxy instances to version 7.15.2 or later. Within 30 days: Conduct access log review for the past 90 days to identify any suspicious health check User-Agent patterns that may indicate exploitation attempts.
Tags: Edge exposure · ICT dependency · Patched
Why flagged?
NIS2 Relevant
  • CRITICAL severity
  • Internet-facing technique: authentication-bypass
  • Third-party ICT: F5
  • Strong evidence (KEV / high EPSS / multi-source)
DORA Relevant
  • CRITICAL severity
  • ICT provider: F5 (Network & Security)
CVSS 9.1 · EPSS 0.1% · Priority 46
CVE-2026-40575 · Act Now
Impact: A configuration-dependent authentication bypass exists in OAuth2 Proxy. Deployments are affected when all of the following are true:
  • OAuth2 Proxy is configured with `--reverse-proxy`
  • [remaining conditions truncated in source]
Tags: Edge exposure · ICT dependency · Patched
Why flagged?
NIS2 Relevant
  • CRITICAL severity
  • Internet-facing technique: authentication-bypass
  • Third-party ICT: F5
  • Moderate evidence (PoC / elevated EPSS)
DORA Relevant
  • CRITICAL severity
  • ICT provider: F5 (Network & Security)
CVSS 9.1 · Priority 46
CVE-2026-40487 · This Week
File upload validation bypass in Postiz social media scheduler (versions before 2.21.6) allows authenticated users to upload executable file types (HTML, SVG) with spoofed Content-Type headers, achieving stored XSS when nginx serves files using their original extensions. Attackers can hijack sessions and take over other user accounts. CVSS 8.9 (High) reflects network attack vector with low complexity requiring only low-privilege authentication and user interaction. EPSS data not provided. Not listed in CISA KEV. Vendor patch released in version 2.21.6.
Within 24 hours: Identify all Postiz deployments and confirm current version numbers. Within 7 days: Upgrade all Postiz instances to version 2.21.6 or later per vendor patch release. Verify patch deployment across all affected systems. Within 30 days: Conduct audit of file upload logs since deployment to identify any suspicious uploads with mismatched Content-Type headers; reset session tokens for all users as a precautionary measure.
Tags: Edge exposure · ICT dependency · Patched
Why flagged?
NIS2 Relevant
  • HIGH severity
  • Internet-facing (CWE-79: Cross-site Scripting (XSS))
  • Third-party ICT: F5
  • Strong evidence (KEV / high EPSS / multi-source)
DORA Relevant
  • HIGH severity
  • ICT provider: F5 (Network & Security)
CVSS 8.9 · EPSS 0.0% · Priority 45
CVE-2026-27654 · This Week
Buffer overflow in NGINX's DAV module allows remote attackers to crash worker processes or manipulate file names outside the document root when MOVE/COPY methods are combined with prefix location and alias directives. The vulnerability affects NGINX Open Source and NGINX Plus installations using vulnerable configurations, though the low-privilege worker process context limits the scope of file manipulation. No patch is currently available for this high-severity issue.
Within 24 hours: Conduct asset inventory to identify all NGINX deployments using DAV modules with prefix locations and alias directives; document exposure scope. Within 7 days: Implement compensating controls (disable DAV methods if not business-critical, apply WAF rules blocking malformed MOVE/COPY requests, isolate affected servers). Within 30 days: Monitor vendor advisories for patch availability; plan upgrade to patched version immediately upon release; test patches in non-production environments before deployment.
Tags: ICT dependency · Patched
Why flagged?
NIS2 Relevant
  • HIGH severity
  • Third-party ICT: F5, Red Hat, SUSE
  • Strong evidence (KEV / high EPSS / multi-source)
DORA Relevant
  • HIGH severity
  • ICT provider: F5 (Network & Security)
  • ICT provider: Red Hat (Infrastructure & Virtualization)
  • ICT provider: SUSE (Infrastructure & Virtualization)
CVSS 8.8 · EPSS 0.0% · Priority 44
CVE-2026-33030 · This Week · Unpatched
Insecure Direct Object Reference (IDOR) in nginx-ui up to v2.3.3 allows authenticated low-privilege users to access, modify, and delete any resource across all user accounts, including plaintext DNS provider API tokens (Cloudflare, AWS Route53, Alibaba Cloud) and ACME private keys. The application's base Model struct lacks user_id fields, and all resource endpoints query by ID without ownership verification. CVSS 8.8 reflects scope change to external services—stolen Cloudflare tokens enable DNS hijacking and fraudulent certificate issuance. No public exploit identified at time of analysis, but trivial to execute via standard HTTP requests. Vendor-released patch: v2.3.4.
Within 24 hours: Inventory all nginx-ui deployments and identify current versions in use; document all connected DNS providers and ACME services. Within 7 days: Upgrade nginx-ui to v2.3.4 or later across all instances. Within 30 days: Conduct a credential audit: rotate all DNS provider API tokens, ACME private keys, and any certificates issued from affected systems; review access logs for unauthorized resource modifications.
Tags: Edge exposure · ICT dependency · No patch available
Why flagged?
NIS2 Relevant
  • HIGH severity
  • Internet-facing (CWE-78: OS Command Injection)
  • Third-party ICT: Docker, F5, SUSE
  • No patch available
  • Strong evidence (KEV / high EPSS / multi-source)
DORA Relevant
  • HIGH severity
  • ICT provider: Docker (Dev Platforms & CI/CD)
  • ICT provider: F5 (Network & Security)
  • ICT provider: SUSE (Infrastructure & Virtualization)
  • No remediation available
CVSS 8.8 · EPSS 0.0% · Priority 44
CVE-2026-26061 · This Week
Fleet server memory exhaustion via unbounded request bodies allows unauthenticated denial-of-service against multiple HTTP endpoints. The vulnerability affects Fleet v4 (github.com/fleetdm/fleet/v4) and was responsibly disclosed by @fuzzztf. Attackers can exhaust available memory and force server restarts by sending oversized or repeated HTTP requests to unauthenticated endpoints lacking size limits. No public exploit identified at time of analysis, though the attack mechanism is straightforward given the CWE-770 resource allocation vulnerability class.
Within 24 hours: Implement network-level request size limits and rate limiting on Fleet HTTP endpoints; document current Fleet v4 version in use. Within 7 days: Deploy WAF rules to enforce maximum request body sizes (recommend 1MB limit) on all unauthenticated Fleet endpoints; segment Fleet server network access where feasible. Within 30 days: Monitor vendor security advisories for patched Fleet v4 release; plan immediate upgrade to patched version upon availability; test patch in non-production environment before production deployment.
Tags: Edge exposure · ICT dependency · Patched
Why flagged?
NIS2 Relevant
  • HIGH severity
  • Internet-facing technique: authentication-bypass
  • Third-party ICT: F5, SUSE
  • Strong evidence (KEV / high EPSS / multi-source)
DORA Relevant
  • HIGH severity
  • ICT provider: F5 (Network & Security)
  • ICT provider: SUSE (Infrastructure & Virtualization)
CVSS 8.7 · EPSS 0.1% · Priority 44
CVE-2026-27651 · This Week
NGINX worker process crashes via null pointer dereference in the mail authentication module when CRAM-MD5 or APOP authentication is configured with retry-enabled backend servers. This denial of service vulnerability affects NGINX Plus and NGINX Open Source with no patch currently available, allowing unauthenticated remote attackers to terminate worker processes and degrade service availability.
Within 24 hours: Identify all NGINX instances with ngx_mail_auth_http_module enabled and document exposure scope. Within 7 days: Implement network segmentation to restrict access to mail proxy services and deploy WAF rules to filter malformed requests targeting authentication endpoints. Within 30 days: Evaluate upgrading to patched NGINX versions when available, or migrate to alternative mail authentication solutions if critical availability is required.
Tags: ICT dependency · Patched
Why flagged?
NIS2 Relevant
  • HIGH severity
  • Third-party ICT: F5, Red Hat, SUSE
  • Strong evidence (KEV / high EPSS / multi-source)
DORA Relevant
  • HIGH severity
  • ICT provider: F5 (Network & Security)
  • ICT provider: Red Hat (Infrastructure & Virtualization)
  • ICT provider: SUSE (Infrastructure & Virtualization)
CVSS 8.7 · EPSS 0.0% · Priority 44

By Exposure

Internet-facing: 18
Mgmt / Admin Plane: 4
Identity / Auth: 4
Internal only: 5

By Exploitability

Known exploited: 0
Public PoC: 1
High EPSS (>30%): 0
Remote unauthenticated: 13
Local only: 3

By Remediation

Patch available: 19
No patch: 4
Workaround available: 18
No workaround: 0

Affected Services / Product Families

Nginx (23 CVEs)
CVE-2026-27651 HIGH Patched
CVE-2026-27654 HIGH Patched
CVE-2026-27784 HIGH Patched
CVE-2026-28753 MEDIUM Patched
CVE-2026-28755 MEDIUM Patched
CVE-2026-32647 HIGH Patched
CVE-2026-33661 HIGH Patched
CVE-2026-26061 HIGH Patched
CVE-2026-33026 CRITICAL Patched
CVE-2026-33032 CRITICAL PoC Unpatched
+ 13 more
