F5 BIG-IP ↗
F5 · Infrastructure
50/100 Attention
Summary iPlain-English security verdict for F5 BIG-IP, generated from its current health score, actively-exploited vulnerabilities, and latest supported version.
F5 BIG-IP currently scores 50/100 — needs attention. 11 of its known vulnerabilities are being actively exploited in the wild (CISA KEV), including CVE-2021-22986. The latest supported release is 21.1.0. Patch the open issues below when you can. Note: this product is assessed at the product level on recent (365-day) activity rather than an exact per-version match, so it is never marked a confident "healthy".
Disclosure trend iNew CVEs published for F5 BIG-IP each year (NVD). A higher bar means more disclosures that year — more scrutiny, not necessarily less safe.
'19
'20
'21
'22
'23
'24
'25
'26
⚠ 4 of its known vulnerabilities are linked to ransomware campaigns (CISA KEV).
Patch priority — what to act on iThe issues to fix first — actively exploited (CISA KEV) first, then by exploitation probability (EPSS), then severity. Each row's "→ fixed in" is the earliest version that patches it; "see advisory" means no fixed version is published.
Most urgent first — actively exploited, then likeliest to be exploited.
CVE-2021-22986 CRITICAL ● exploited ⚠ ransomware Server-side request forgery (SSRF) EPSS 94% → fixed in 16.0.1.1 CVE-2022-1388 CRITICAL ● exploited ⚠ ransomware Missing authentication EPSS 94% → fixed in 16.1.2.2 CVE-2023-46747 CRITICAL ● exploited ⚠ ransomware CWE-288 EPSS 94% → see advisory CVE-2020-5902 CRITICAL ● exploited ⚠ ransomware Path traversal EPSS 94% → fixed in 15.1.0.4 CVE-2023-44487 HIGH ● exploited Uncontrolled resource consumption EPSS 94% → see advisory CVE-2014-6271 CRITICAL ● exploited OS command injection EPSS 94% → see advisory CVE-2014-7169 CRITICAL ● exploited OS command injection EPSS 89% → see advisory CVE-2021-22991 CRITICAL ● exploited Memory corruption EPSS 73% → fixed in 16.0.1.1 CVE-2014-0196 MEDIUM ● exploited CWE-362 EPSS 50% → see advisory CVE-2018-14634 HIGH ● exploited Integer overflow EPSS 21% → fixed in 14.1.0.6 CVE-2023-46748 HIGH ● exploited SQL injection EPSS 4% → see advisory CVE-2015-7547 HIGH Memory corruption EPSS 94% → see advisoryVersions & lifecycle iWhen each release line stops receiving security patches (end-of-life). After EOL there are no more fixes — plan upgrades before these dates.
How long each F5 BIG-IP release line is supported — and when it sunsets.
21.1 latest 21.1.0 Supported until 2029-05-05
21.0 latest 21.0.0 Supported until 2026-08-06
17.5 latest 17.5.1 Supported until 2029-01-01
17.1 latest 17.1.3 Supported until 2027-03-31
17.0 latest 17.0.0 End of life ended 2023-07-31
16.1 latest 16.1.6 Supported until 2026-07-01
16.0 latest 16.0.1.1 End of life ended 2021-10-07
15.1 latest 15.1.10 End of life ended 2025-12-31
15.0 latest 15.0.1 End of life ended 2020-08-23
See all upcoming end-of-life dates → ℹ product-level posture (last 365d); exact per-version verdict pending precise version mapping