F5 Networks, a leading provider of enterprise networking equipment, disclosed four critical vulnerabilities and 17 others on Wednesday as the recent parade of major flaws needing patches marches ahead.
Three of the vulnerabilities would allow hackers to remotely execute code on target networks. It’s the second time in in two years that F5 has disclosed such a flaw. In 2020, both Cyber Command and the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency issued warnings about the earlier reported vulnerabilities.
F5 joins Microsoft, SolarWinds and Accellion on the list of companies that have needed to release major patches in recent months. In the case of F5 so far, “We are not aware of any active exploits for these vulnerabilities,” spokesperson Rob Gruening said.
The flaws affect both the F5 BIG-IP local traffic manager and BIG-IQ centralized management software. The company announced fixes for all of the vulnerabilities.
Despite the lack of known exploits, cyber expert Matt Tait said on Twitter that he thought the latest F5 vulnerabilities might be deceptively worrisome.
“This bug is probably going to fly under the radar, but this is a much bigger deal than it looks because it says something is really really broken in the internal security process of F5 BIG-IP devices,” he said as part of a tweet thread outlining the threat.
Critical vulnerabilities are the highest level of flaw. F5 also revealed seven high severity vulnerabilities and 10 medium severity vulnerabilities.
“These vulnerabilities were discovered as a result of regular and continuous internal security testing of our solutions and in partnership with respected third parties working through F5’s security program,” wrote Kara Sprague, executive vice president and general manager of BIG-IP.
“Because we understand how critical BIG-IP and BIG-IQ are to our customers, as soon as these vulnerabilities were discovered we immediately began work on fixes and we published the security advisories as soon as we could supply our customers with fixed versions,” she continued.
Sean Lyngaas contributed to this article.