F5 Quarterly Security Notification LiveStream - February 4 2026
By F5 DevCentral Community
Key Concepts
- QSN (Quarterly Security Notification): F5’s regular report detailing newly discovered security vulnerabilities and exposures.
- CVE (Common Vulnerabilities and Exposures): A dictionary of publicly known information security vulnerabilities and exposures.
- CVSS 3.1 (Common Vulnerability Scoring System): A standardized method for assessing the severity of security vulnerabilities.
- CDEES: The stream transcript's rendering of "CVEs" (see CVE above). The QSN classifies each issue as either a CVE or a security exposure.
- Control Plane: The part of a network device that manages and controls the data plane.
- Data Plane: The part of a network device that forwards data packets.
- BIG-IP: F5’s application delivery controller product line.
- APM (Access Policy Manager): A component of BIG-IP.
- NGINX: F5’s open-source and commercial ingress controller.
February 2026 Quarterly Security Notification – Detailed Summary
I. Overview of the February 2026 QSN
The February 2026 Quarterly Security Notification (QSN) from F5 details six security-related issues: five classified as CVEs and one as a security exposure. The notification was publicly disclosed at 7:00 a.m. Pacific Time. This QSN contains no critical or high-severity vulnerabilities according to the CVSS 3.1 scoring system. Two of the issues were reported by external researchers: one resulted in a CVE, and the other was identified as a security exposure. One issue was identified as publicly known due to its presence on the NGINX GitHub repository. None of these issues are related to the October 2025 security incident.
II. Impacted Products & Versions
The following F5 products are affected by the vulnerabilities and exposure detailed in this QSN:
- BIG-IP TMOS: Requires version 21.0.0.1 or later to address the vulnerabilities. Versions 17.5.1.4 and 17.1.3.1 are also specified as fixes.
- BIG-IP APM Edge Client: Requires version 7.2.6.2 or later.
- BIG-IP Container Ingress Services: Requires version 2.20.2 or later.
- NGINX Open Source: Requires version 1.28.22 or 1.29.5 or later.
- NGINX Plus: Requires R32P4, R35P1, or R36P2 or later.
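An added example (not F5 tooling and not part of the original summary): triaging an inventory against the fixed builds listed above for the products with more than one fixed branch. It assumes each fix applies only within its own release branch, so 17.5.1.3 is not treated as fixed merely because it sorts above 17.1.3.1; the product keys and the inventory are constructed for illustration.

```python
import re

# Fixed builds as listed in section II, keyed by release branch.
# Assumption: a fix applies only within its own branch (major.minor for
# BIG-IP and NGINX Open Source, R-release for NGINX Plus).
FIXED = {
    "bigip": {"21.0": "21.0.0.1", "17.5": "17.5.1.4", "17.1": "17.1.3.1"},
    "nginx-oss": {"1.28": "1.28.22", "1.29": "1.29.5"},
    "nginx-plus": {"R32": "R32P4", "R35": "R35P1", "R36": "R36P2"},
}


def _dotted(version):
    """'17.5.1.4' -> (17, 5, 1, 4); raises ValueError on non-numeric parts."""
    return tuple(int(part) for part in version.split("."))


def _plus(version):
    """'R35P1' -> (35, 1); a bare 'R35' is patch level 0."""
    m = re.fullmatch(r"R(\d+)(?:P(\d+))?", version.upper())
    if not m:
        raise ValueError(f"not an NGINX Plus release: {version!r}")
    return int(m.group(1)), int(m.group(2) or 0)


def status(product, version):
    """Return 'fixed', 'update', or 'check-advisory' for one installed version."""
    parse = _plus if product == "nginx-plus" else _dotted
    parsed = parse(version)
    branch = f"R{parsed[0]}" if parse is _plus else ".".join(map(str, parsed[:2]))
    fixed = FIXED[product].get(branch)
    if fixed is None:
        return "check-advisory"  # branch not named on the page: no verdict
    return "fixed" if parsed >= parse(fixed) else "update"


# Constructed inventory, for illustration only.
INVENTORY = [("bigip", "17.5.1.3"), ("bigip", "17.5.1.4"), ("bigip", "16.1.6"),
             ("nginx-oss", "1.29.4"), ("nginx-plus", "R35"), ("nginx-plus", "R36P2")]

if __name__ == "__main__":
    for product, version in INVENTORY:
        print(f"{product:11} {version:10} {status(product, version)}")
```

A "check-advisory" result means the branch is not named in the list above, so the verdict has to come from the QSN itself.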
III. Vulnerability Breakdown & Severity
The breakdown of the six issues by severity (using CVSS 3.1) is as follows:
- Critical: 0
- High: 0
- Medium: 3
- Low: 2
- Security Exposure: 1
The issues are distributed across different product components:
- BIG-IP TMOS: Affected by 3 issues.
- BIG-IP Container Ingress Services: Affected by 1 issue.
- BIG-IP APM Edge Client: Affected by 1 issue.
- NGINX Open Source & Plus: Affected by 1 issue.
Further categorization reveals that:
- Control Plane: Affected by 3 issues.
- Data Plane: Affected by 2 issues.
- Edge Client: Affected by 1 issue.
IV. Issue Origins & Reporting
The origin of the reported issues is noteworthy:
- External Researcher (CVE): One vulnerability was reported by an external researcher and assigned a CVE identifier.
- External Researcher (Security Exposure): One issue was reported by an external researcher but classified as a security exposure rather than a vulnerability, and therefore does not have a CVE.
- Publicly Known (NGINX GitHub): One vulnerability was identified as already publicly known due to its presence on the NGINX GitHub repository.
V. Future Notifications
The next QSN is scheduled for release on May 13, 2026.
VI. Stream Discussion & Conclusion
The presentation of the QSN was notably concise, described by Jason Rahm as the shortest stream (excluding test streams) in the history of DevCentral’s broadcasts. The QSN details are available on my.f5.com. The overall assessment is that this QSN represents a relatively good report, lacking critical or high-severity vulnerabilities.
Synthesis:
The February 2026 QSN highlights F5’s commitment to proactively addressing security concerns. While six issues were identified, their relatively low severity (no critical or high vulnerabilities) and the diverse origins of reporting (external researchers and public disclosure) demonstrate a robust security ecosystem. The provided version information allows administrators to quickly identify and remediate potential risks within their environments. The QSN serves as a valuable resource for maintaining the security posture of F5 products.