Cisco and F5 Address Multiple High-Severity Flaws in TelePresence, BIG-IP, and NGINX Products

Cisco and F5 Release Urgent Patches for High-Severity DoS and RCE Vulnerabilities

HIGH
February 5, 2026
4m read
Patch ManagementVulnerability

Related Entities

Organizations

Cisco F5

Products & Tech

Cisco TelePresence Collaboration Endpoint (CE)RoomOSCisco Meeting ManagementF5 BIG-IP NGINX NGINX Plus

CVE Identifiers

CVE-2026-20119
HIGH
CVEDetails.com CVE.org
CVE-2026-20098
HIGH
CVEDetails.com CVE.org
CVE-2026-22548
HIGH
CVEDetails.com CVE.org

MITRE ATT&CK Techniques

T1499.004Impact

Endpoint Denial of Service

T1190Initial Access

Exploit Public-Facing Application

T1068Privilege Escalation

Exploitation for Privilege Escalation

T1557Credential Access

Man-in-the-Middle

Full Report

Executive Summary

Networking and security vendors Cisco and F5 have released critical security patches for their widely deployed products. The updates address several high-severity vulnerabilities that could allow unauthenticated attackers to cause denial-of-service (DoS) conditions, execute arbitrary commands with root privileges, and perform man-in-the-middle (MitM) attacks. The affected products include Cisco TelePresence, RoomOS, and Meeting Management software, as well as F5 BIG-IP and NGINX. While there are no reports of active exploitation in the wild for these specific flaws, their severity warrants immediate attention and patching by all affected organizations.

Vulnerabilities Addressed

Cisco Vulnerabilities

  • CVE-2026-20119 (High Severity): This vulnerability affects Cisco TelePresence Collaboration Endpoint (CE) and RoomOS software. An unauthenticated, remote attacker can trigger a denial-of-service (DoS) condition by sending a specially crafted meeting invitation to a vulnerable device. Successful exploitation causes the device to become unresponsive, requiring a manual restart.
  • CVE-2026-20098 (High Severity): This flaw exists in Cisco Meeting Management software. Due to improper input validation, an authenticated attacker can upload arbitrary files to the system. This could be leveraged to execute arbitrary commands with root privileges, leading to a full system compromise.

F5 Vulnerabilities

  • CVE-2026-22548 (High Severity): This vulnerability impacts F5 BIG-IP systems. When a specific web application firewall (WAF) policy is configured, an attacker can send a malicious request that causes the bd process to terminate, resulting in a DoS condition and traffic disruption.
  • CVE-2026-1642 (High Severity): This flaw affects NGINX Open Source and Plus instances configured as a proxy for upstream TLS servers. A man-in-the-middle attacker positioned between NGINX and the upstream server could inject malicious responses that are then passed on to the client, potentially leading to client-side code execution or information disclosure.

Affected Products

  • Cisco:
    • TelePresence Collaboration Endpoint (CE) Software
    • RoomOS Software
    • Meeting Management Software
  • F5:
    • BIG-IP (various modules)
    • NGINX Open Source Software (OSS)
    • NGINX Plus

Impact Assessment

The vulnerabilities pose a significant risk to network availability, integrity, and confidentiality.

  • The DoS flaws (CVE-2026-20119 and CVE-2026-22548) can disrupt critical business functions, such as video conferencing and application delivery.
  • The RCE vulnerability in Cisco Meeting Management (CVE-2026-20098) is particularly dangerous, as it allows a low-privileged authenticated user to gain complete control of the server.
  • The NGINX MitM flaw (CVE-2026-1642) undermines the trust in proxied communications, allowing an attacker to manipulate traffic and deceive clients.

Deployment Priority

Patching should be prioritized based on exposure and criticality:

  1. Internet-Facing Systems: Any affected Cisco or F5 appliances exposed to the internet should be patched immediately.
  2. Critical Infrastructure: Systems managing critical applications, such as BIG-IP load balancers and Cisco Meeting Management servers, are high-priority targets.
  3. Internal Systems: All other internal devices should be patched as part of the next scheduled maintenance window.

Remediation Steps

The primary remediation for all listed vulnerabilities is to apply the security updates provided by the respective vendors.

  1. Apply Patches: Download and install the recommended software versions from the official Cisco and F5 support portals. This is a direct application of D3-SU: Software Update.
  2. Review Configurations: For CVE-2026-22548, review BIG-IP WAF policies to assess exposure. For CVE-2026-1642, review NGINX proxy configurations to determine if they are vulnerable.
  3. Implement Compensating Controls: If patching is delayed, consider implementing stricter access control lists (ACLs) to limit management access to affected devices. Use D3-ITF: Inbound Traffic Filtering to block untrusted sources from reaching vulnerable services.

Timeline of Events

1
February 5, 2026
This article was published

MITRE ATT&CK Mitigations

Update Software

M1051enterprise

The primary mitigation is to apply the vendor-supplied patches for all affected products.

Mapped D3FEND Techniques:

D3-SU

Filter Network Traffic

M1037enterprise

As a temporary measure, restrict network access to the management interfaces of vulnerable devices to trusted hosts only.

Mapped D3FEND Techniques:

D3-ITF

Audit

M1047enterprise

Audit system logs for indicators of compromise, such as unexpected process crashes or anomalous file uploads.

Sources & References

Cisco, F5 Patch High-Severity Vulnerabilities
SecurityWeek (securityweek.com) February 5, 2026
F5 and Cisco release fixes for critical product vulnerabilities
BleepingComputer (bleepingcomputer.com) February 5, 2026

Article Author

Jason Gomes

Jason Gomes

• Cybersecurity Practitioner

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.

Threat Intelligence & AnalysisSecurity Orchestration (SOAR/XSOAR)Incident Response & Digital ForensicsSecurity Operations Center (SOC)SIEM & Security AnalyticsCyber Fusion & Threat SharingSecurity Automation & IntegrationManaged Detection & Response (MDR)
LinkedIn

Tags

CiscoF5Patch ManagementVulnerabilityDoSRCEMitMCVE-2026-20119CVE-2026-20098CVE-2026-22548CVE-2026-1642

📢 Share This Article

Help others stay informed about cybersecurity threats

🎯 MITRE ATT&CK Mapped

Every tactic, technique, and sub-technique used in this threat has been identified and mapped to the MITRE ATT&CK framework for consistent, actionable threat language.

🧠 Enriched & Analyzed

Observables and indicators of compromise (IOCs) have been extracted and cataloged. Risk has been assessed and correlated with known threat actors and historical campaigns.

🛡️ Actionable Guidance

Detection rules, incident response steps, and D3FEND-aligned mitigation strategies are included so your team can act on this intelligence immediately.

🔗 STIX Visualizer

Structured threat data is packaged as a STIX 2.1 bundle and can be visualized as an interactive graph — relationships between actors, malware, techniques, and indicators.

Sigma Generator

Sigma detection rules are derived from the threat techniques in this article and can be converted for deployment across any major SIEM or EDR platform.