{"id":12656,"date":"2026-04-14T09:53:57","date_gmt":"2026-04-14T09:53:57","guid":{"rendered":"https:\/\/www.securitytoday.de\/2026\/04\/22\/bsi-warns-on-f5-big-ip-citrix-netscaler-and-trivy-april-2026\/"},"modified":"2026-04-22T08:22:50","modified_gmt":"2026-04-22T08:22:50","slug":"bsi-warns-on-f5-big-ip-citrix-netscaler-and-trivy-april-2026","status":"publish","type":"post","link":"https:\/\/www.securitytoday.de\/en\/2026\/04\/14\/bsi-warns-on-f5-big-ip-citrix-netscaler-and-trivy-april-2026\/","title":{"rendered":"BSI Warns on F5 BIG-IP, Citrix NetScaler, and Trivy: April 2026 Action Plan"},"content":{"rendered":"<div style=\"display:inline-block;background:#69d8ed;color:#fff;padding:4px 14px;border-radius:20px;font-size:0.85em;margin-bottom:18px;\">7 Min. Reading time<\/div>\n<p><strong>The BSI published several IT security advisories between the end of March and early April 2026 that affect three product families widely used in German critical infrastructure (Kritis) environments: F5 BIG-IP, Citrix NetScaler ADC and the open-source scanner Trivy. Together with the amended BSI Act, which has been in force since 5 December 2025, this creates concrete reporting obligations that are now being tested operationally. This article sorts the advisories by urgency, shows the patch status and maps the NIS2-relevant consequences. As of 14 April 2026.<\/strong><\/p>\n<div style=\"background:#003340;color:#fff;padding:28px 32px;margin:32px 0;border-radius:8px;\">\n<p style=\"margin:0 0 14px 0;font-size:0.78em;font-weight:700;text-transform:uppercase;letter-spacing:0.18em;color:#69d8ed;\">Key points at a glance<\/p>\n<ul style=\"margin:0;padding-left:22px;color:rgba(255,255,255,0.92);line-height:1.55;\">\n<li style=\"margin-bottom:8px;\"><strong style=\"color:#69d8ed;\">F5 BIG-IP:<\/strong> Multiple vulnerabilities in BIG-IP LTM and ASM allow remote code execution in the management plane. Affected are versions prior to 17.5.2 and 16.1.6.2. 
Patch available, priority high.<\/li>\n<li style=\"margin-bottom:8px;\"><strong style=\"color:#69d8ed;\">Citrix NetScaler ADC:<\/strong> Authentication bypass in NetScaler Gateway, active exploitation observed. Affected are versions prior to 14.1-37.10 and 13.1-67.11. Patch available, immediate installation recommended.<\/li>\n<li style=\"\"><strong style=\"color:#69d8ed;\">Trivy supply-chain:<\/strong> Compromise of a build pipeline led to tampered container images. Aqua Security revoked the compromised access and removed the images, but copies may still be cached on CI systems. Manual review required.<\/li>\n<\/ul>\n<\/div>\n<p style=\"font-size:0.88em;color:#666;margin:20px 0 32px 0;border-top:1px solid #e5e5e5;border-bottom:1px solid #e5e5e5;padding:10px 0;\"><span style=\"color:#004a59;font-weight:700;text-transform:uppercase;font-size:0.72em;letter-spacing:0.14em;margin-right:14px;\">Related<\/span><a href=\"https:\/\/www.securitytoday.de\/en\/2026\/04\/13\/nis2-crisis-2026-three-reporting-channels-companies-need-in\/\" style=\"color:#333;text-decoration:underline;\">NIS2 incident: Three reporting paths in the first incident hour<\/a>&nbsp;&nbsp;<span style=\"color:#ccc;\">\/<\/span>&nbsp;&nbsp;<a href=\"https:\/\/www.securitytoday.de\/en\/2026\/04\/13\/mid-market-identity-sprawl-what-three-common-ad-plus-cloud\/\" style=\"color:#333;text-decoration:underline;\">Identity sprawl in SMEs<\/a><\/p>\n<p>For IT security teams at operators of critical infrastructure, the past four weeks have delivered a clear message: patch management is no longer a weekly topic but a daily routine. The combination of BSI advisories, NIS2 reporting obligations and a persistently active threat landscape in the financial and energy sectors forces greater automation of the response chain.<\/p>\n<p>The official advisories are published by the BSI on the CERT-Bund portal and on the English-language service site. 
The following overview summarizes what is operationally relevant for most DACH companies.<\/p>\n<h2 style=\"margin-top:64px;margin-bottom:20px;padding-top:16px;\">F5 BIG-IP: Management\u2011plane vulnerability as top priority<\/h2>\n<p>The F5 advisory covers several vulnerabilities that, when combined, can lead to a full compromise of the BIG\u2011IP management plane. Attackers with network access to the TMUI (Traffic Management User Interface) can, according to the official F5 warning, execute code with root privileges without authentication. For Kritis operators that use BIG\u2011IP as the central load balancer between the Internet and core applications, this is a critical exposure.<\/p>\n<p>F5 has released fixed versions 17.5.2, 16.1.6.2 and 15.1.10.8. The recommendation is immediate deployment. For environments where the patch cannot be applied within 48 hours, the F5 warning suggests, as a mitigation, blocking the TMUI for external IP ranges and restricting SSH access to the management VLANs. Such a restriction reduces exposure but does not remove the vulnerability: anyone who can already reach the TMUI from inside the network keeps the pre-authentication path.<\/p>\n<p>Anyone running F5 in a Kritis environment should also check whether firewall logs from the past 30 days show signs of unauthorized TMUI access, in particular requests to the management interface from addresses outside the management networks. If there are indications of active exploitation, the reporting obligation to the BSI is triggered. The report itself goes through the regular NIS2 reporting path, which has been operationally tested since early 2026.<\/p>\n<h2 style=\"margin-top:64px;margin-bottom:20px;padding-top:16px;\">Citrix NetScaler ADC: Active Exploitation Documented<\/h2>\n<p>The Citrix vulnerability demands immediate attention. Unlike the F5 case, active exploitation of NetScaler environments has been observed in the wild. In its warning, the BSI (Federal Office for Information Security) references reports from incident response teams documenting authentication bypasses on NetScaler Gateway instances belonging to German organisations. 
Once the bypass succeeds, the documented attack path is to harvest session tokens and use them to move laterally into connected SaaS environments. A patch alone does not invalidate tokens that have already been stolen.<\/p>\n<p>On 27 March 2026, Citrix released an out-of-band patch to address the vulnerability. Affected versions include NetScaler ADC and NetScaler Gateway releases prior to 14.1-37.10 and 13.1-67.11. The recommendation is clear: apply the patch within 24 hours of becoming aware of the issue. For environments with maintenance windows scheduled later, Citrix advises disabling the affected authentication features as a temporary mitigation until the patch can be deployed.<\/p>\n<p>For operators of critical infrastructure, active exploitation triggers the NIS2 early-warning obligation as soon as there are indications of a potential compromise, even while the investigation is still ongoing. The threshold for the early warning is a suspected significant incident with potential impact, not confirmed exploitation.<\/p>\n<h2 style=\"margin-top:64px;margin-bottom:20px;padding-top:16px;\">Trivy Supply Chain Attack: A New Attack Pattern<\/h2>\n<p>The third case presents a fundamentally different challenge. Aqua Security, the company behind the open-source scanner Trivy, reported in early April that a build pipeline had been compromised. Over a six-day window, attackers were able to inject tampered Trivy images into official container registries. While the malicious images have since been removed, CI systems that pulled and cached Trivy images during this period may still harbour compromised artefacts.<\/p>\n<p>For IT teams, this calls for a two-pronged response. First: audit all local caches of container registries and CI runners, cross-referencing the digests of cached images against the indicators published by Aqua Security. Pulls by mutable tag, such as &#8220;latest&#8221;, are the main concern here: a digest is content-addressed and can be compared against the indicators, whereas a tag says nothing about which image was actually fetched. Second: review CI pipelines that automatically scan containers with Trivy to determine whether results may have been manipulated during the compromise window. 
This is no small task: a tampered scanner can suppress findings, so a clean result from that window proves nothing, and only a rescan with a verified Trivy build shows what an image really contains.<\/p>\n<p>This incident underscores the broader risks of supply chain attacks and serves as an early case study for the Cyber Resilience Act (CRA). While <a href=\"https:\/\/www.securitytoday.de\/en\/2026\/04\/09\/cyber-resilience-act-from-september-11-2026-the-24-hour-reporting-obligation-that-it-security-teams-must-now-establish-processes-for\/\">CRA reporting obligations won\u2019t take effect until September 2026<\/a>, the preparatory duties for Product Security Incident Response Teams (PSIRTs) are already in force.<\/p>\n<h2 style=\"margin-top:64px;margin-bottom:20px;padding-top:16px;\">NIS2 Reporting in Practice<\/h2>\n<p>These three advisories have put the NIS2 reporting framework to the test. Operators of critical infrastructure have learned over the past four weeks that the 24-hour deadline for initial reporting is tight when multiple products are affected simultaneously. While the BSI platform accepts structured reports, internal decision-making processes\u2014who reports, with what assessment, and at what severity level\u2014must be well-rehearsed.<\/p>\n<p>For security teams testing their reporting workflows under pressure for the first time this quarter, three common pitfalls have emerged. Coordination between SOC, legal and communications is often improvised: reporting decisions need a pre-defined RACI matrix, not ad-hoc approvals. The distinction between an &#8220;incident&#8221; and a &#8220;reportable event&#8221; isn\u2019t always clear\u2014decision trees with concrete examples can help. 
And the technical documentation required for incident notifications (within 72 hours) demands structured logs, which many environments still fail to capture effectively.<\/p>\n<h2 style=\"margin-top:64px;margin-bottom:20px;padding-top:16px;\">What Security Teams Should Do This Week \u2013 Concrete Steps<\/h2>\n<p>For most German security teams, this week brings five clear-cut tasks. First up: inventory. Identify F5 BIG-IP, Citrix NetScaler ADC, and Trivy in your stack, check versions, and document patch status. This is the foundation for everything that follows.<\/p>\n<p>Next comes prioritisation. If you\u2019re running affected systems in your perimeter, rank them by exposure: publicly accessible management interfaces first, then internally exposed systems, and finally isolated ones. The Citrix advisory\u2014with active exploitation\u2014stands out as the top priority.<\/p>\n<p>Third on the list: detection verification. SOC teams need to confirm whether existing EDR and network monitoring rules catch the known attack patterns. For the NetScaler advisory, multiple vendors have released updated signatures in recent days\u2014Sigma rules and Suricata rules are available on GitHub.<\/p>\n<p>Fourth: run a reporting drill. Even without an active incident, it\u2019s worth testing NIS2 early warnings in a dry run. Which email? What content? How severe is the classification? Those 24 hours feel a lot tighter under pressure than they look on paper.<\/p>\n<p>Finally, documentation. Record all decisions, patch timelines, and mitigation steps in a structured way. This will help with future audits, insurance claims, and\u2014if the worst happens\u2014post-incident reviews with the BSI.<\/p>\n<h2 style=\"margin-top:64px;margin-bottom:20px;padding-top:16px;\">The Strategic Implications<\/h2>\n<p>Three BSI advisories in three weeks isn\u2019t a statistical fluke. The frequency of critical warnings has been rising since Q4 2025. 
For security teams, this means one thing: response infrastructure must become more resilient. Manual patch cycles no longer cut it. Automated patch pipelines with clearly defined approval mechanisms are becoming the norm.<\/p>\n<p>At the same time, the pressure on reporting channels is growing. Setting up a robust reporting process now will save hours when a real incident hits\u2014hours that could otherwise mean missed deadlines. Especially <a href=\"https:\/\/www.securitytoday.de\/en\/2026\/04\/13\/mid-market-identity-sprawl-what-three-common-ad-plus-cloud\/\">identity-based attack paths in hybrid AD-cloud setups<\/a> demand tightly coordinated responses between SOC, IAM, and cloud security teams.<\/p>\n<p>The quarterly reality check for IT security teams is sobering: more advisories, shorter response windows, stricter reporting obligations. Those who accept this as the new normal\u2014and industrialise their processes accordingly\u2014will work more smoothly in 2026 than they did in 2025.<\/p>\n<h2 style=\"margin-top:64px;margin-bottom:20px;padding-top:16px;\">Additional technical steps for F5 and Citrix<\/h2>\n<p>Beyond simply applying patches, it\u2019s worth reviewing the configuration of both products. For F5 BIG-IP, it\u2019s advisable to ensure the TMUI is never exposed to the internet\u2014even when there\u2019s no active incident. Management interfaces should reside in dedicated admin VLANs with VPN or bastion host access, not on public IPs. If your setup differs, use this advisory as a prompt to reassess your network segmentation.<\/p>\n<p>For Citrix NetScaler ADC, patches alone don\u2019t complete the defense. A quick review of session logs from the past four weeks is recommended: unusual geographic patterns, unexpected user agents, or authentications outside business hours could indicate a compromise. 
If you spot anomalies, terminate all active sessions on the appliance after patching so that harvested tokens cannot be replayed, and take the gateway out of service long enough to preserve its logs and a disk image for forensic analysis before any rebuild.<\/p>\n<p>Trivy users should automate verification of the scanner image in their CI pipeline. Pinning to a known clean digest rather than a mutable tag, and verifying the image signature before every run, turns a future registry compromise into a failed pipeline instead of a silent one. Cosign, the signing and verification tool of the Sigstore project, provides the necessary mechanism.<\/p>\n<p>One often-overlooked aspect: all three advisories have implicit implications for business continuity plans. F5 and Citrix often sit at critical junctures in network traffic. A rushed patch that causes unexpected downtime can do more damage than a short, planned delay, provided the interim mitigations (TMUI reachable only from management networks, affected authentication features disabled) are in place. This underscores the need for a well-tested rollback procedure\u2014ideally with a secondary load-balancer pair to handle traffic during patching. If you lack such redundancy, schedule patches during a maintenance window with announced downtime.<\/p>\n<p>Communication is another key factor. Customers, partners, and internal stakeholders expect clear updates if exploitation is documented. A pre-prepared communication chain with scenario-based templates can save hours in a crisis. When incidents become public, response speed becomes a reputation issue\u2014one that can\u2019t be improvised but requires preparation during calmer periods.<\/p>\n<h2 style=\"margin-top:64px;margin-bottom:20px;padding-top:16px;\">Frequently Asked Questions<\/h2>\n<h3>Where can I find the original BSI advisories on F5, Citrix, and Trivy?<\/h3>\n<p>The primary source is the BSI\u2019s CERT-Bund portal at cert-bund.de. All advisories are published there with CVE numbers, affected products, CVSS severity ratings, and recommended actions. 
The vendor advisories from F5, Citrix, and Aqua Security are also available on their respective vendor portals.<\/p>\n<h3>Does the NIS2 reporting obligation apply if I\u2019m not a critical infrastructure operator?<\/h3>\n<p>NIS2 significantly expands the scope of obligated companies. Since the amendment of the BSI Act on 5 December 2025, many companies outside the traditional critical-infrastructure sectors, in areas such as ICT, postal services, food, research and digital services, fall under the reporting obligation. The exact classification is outlined in the annex to the BSI Act and should be clarified with your legal department.<\/p>\n<h3>How does Early Warning differ from Incident Notification?<\/h3>\n<p>The Early Warning, due within 24 hours, is a structured alert with minimal detail: it states whether the incident is suspected to be caused by malicious action and whether it could have cross-border impact. The Incident Notification, due within 72 hours, provides an initial assessment of the incident, including the attack vector, severity, and first findings. The final report must be submitted within one month.<\/p>\n<h3>What does the Trivy compromise mean for existing container scans?<\/h3>\n<p>All scans conducted during the compromise window should be considered unreliable. For security-critical deployments, rescanning with a verified Trivy version is mandatory. The Aqua Security advisory specifies exact image digests for verification.<\/p>\n<h3>What are the current reporting deadlines under the amended BSI Act?<\/h3>\n<p>Early Warning: 24 hours, Incident Notification: 72 hours, final report: 1 month. The deadlines run from the moment the organisation becomes aware of a significant incident, not from the first detection signal. 
Any delay between detection and classification as reportable must be documented, though it may be justifiable under certain circumstances.<\/p>\n<div style=\"margin:40px 0;padding:0;border-top:2px solid #004a59;\">\n<p style=\"margin:0;padding:16px 0 8px 0;font-size:0.78em;font-weight:700;text-transform:uppercase;letter-spacing:0.18em;color:#004a59;\">Editor\u2019s Picks<\/p>\n<ul style=\"list-style:none;margin:0;padding:0;\">\n<li style=\"padding:10px 0;border-bottom:1px solid #eee;\"><a href=\"https:\/\/www.securitytoday.de\/en\/2026\/04\/13\/nis2-crisis-2026-three-reporting-channels-companies-need-in\/\" style=\"color:#1a1a1a;text-decoration:none;\">NIS2 in Crisis Mode: Three Reporting Channels in the First Hour<\/a><\/li>\n<li style=\"padding:10px 0;border-bottom:1px solid #eee;\"><a href=\"https:\/\/www.securitytoday.de\/en\/2026\/04\/13\/ransomware-post-mortem-what-manufacturers-really-learned\/\" style=\"color:#1a1a1a;text-decoration:none;\">Ransomware Post-Mortem: Lessons Learned by Manufacturing Companies<\/a><\/li>\n<li style=\"padding:10px 0;\"><a href=\"https:\/\/www.securitytoday.de\/en\/2026\/04\/08\/claude-mythos-situation-assessment-security-teams\/\" style=\"color:#1a1a1a;text-decoration:none;\">The Claude Myth: Situational Assessment for Security Teams<\/a><\/li>\n<\/ul>\n<\/div>\n<div style=\"margin:40px 0 24px 0;\">\n<p style=\"margin:0 0 12px 0;font-size:0.78em;font-weight:700;text-transform:uppercase;letter-spacing:0.18em;color:#666;\">More from the MBF Media Network<\/p>\n<div style=\"padding:14px 18px;border-left:3px solid #0bb7fd;background:#fafafa;margin-bottom:6px;\">\n<div style=\"font-size:0.7em;font-weight:700;color:#0bb7fd;text-transform:uppercase;letter-spacing:0.12em;margin-bottom:4px;\">cloudmagazin<\/div>\n<p><a href=\"https:\/\/www.cloudmagazin.com\/2026\/04\/14\/aws-und-google-cloud-starten-gemeinsame-multicloud-preview-was-das-fuer-dach-it-teams-bedeutet\/\" 
style=\"font-weight:600;line-height:1.4;color:#1a1a1a;text-decoration:none;\">AWS and Google Cloud Launch Joint Multicloud Preview<\/a>\n<\/div>\n<div style=\"padding:14px 18px;border-left:3px solid #202528;background:#fafafa;margin-bottom:6px;\">\n<div style=\"font-size:0.7em;font-weight:700;color:#202528;text-transform:uppercase;letter-spacing:0.12em;margin-bottom:4px;\">mybusinessfuture<\/div>\n<p><a href=\"https:\/\/mybusinessfuture.com\/eu-ai-act-greift-seit-6-april-2026-was-mittelstands-tech-teams-jetzt-bis-august-klaeren-muessen\/\" style=\"font-weight:600;line-height:1.4;color:#1a1a1a;text-decoration:none;\">EU AI Act in Force Since 6 April 2026<\/a>\n<\/div>\n<div style=\"padding:14px 18px;border-left:3px solid #d65663;background:#fafafa;\">\n<div style=\"font-size:0.7em;font-weight:700;color:#d65663;text-transform:uppercase;letter-spacing:0.12em;margin-bottom:4px;\">digital-chiefs<\/div>\n<p><a href=\"https:\/\/www.digital-chiefs.de\/chief-ai-officer-2026-rolle-mandat-governance\/\" style=\"font-weight:600;line-height:1.4;color:#1a1a1a;text-decoration:none;\">Chief AI Officer 2026: Role, Mandate, Governance<\/a>\n<\/div>\n<\/div>\n<p style=\"text-align: right;\"><em>Source: Pexels \/ Panumas Nikhomkhai<\/em><\/p>\n","protected":false},"excerpt":{"rendered":"BSI published advisories on F5 BIG-IP, Citrix NetScaler, and Trivy in March\/April 2026. What operators of critical infrastructure must patch and report this week.","protected":false},"author":50,"featured_media":12358,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_yoast_wpseo_focuskw":"","_yoast_wpseo_title":"","_yoast_wpseo_metadesc":"F5 BIG-IP, Citrix NetScaler & Trivy \u2013 3 BSI advisories in March\/April 2026. 
Act now: patches & NIS2 reporting requirements.","_yoast_wpseo_meta-robots-noindex":"","_yoast_wpseo_meta-robots-nofollow":"","_yoast_wpseo_meta-robots-adv":"","_yoast_wpseo_canonical":"","_yoast_wpseo_opengraph-title":"","_yoast_wpseo_opengraph-description":"","_yoast_wpseo_opengraph-image":"","_yoast_wpseo_opengraph-image-id":"","_yoast_wpseo_twitter-title":"","_yoast_wpseo_twitter-description":"","_yoast_wpseo_twitter-image":"","_yoast_wpseo_twitter-image-id":"","footnotes":""},"categories":[3,251],"tags":[],"class_list":["post-12656","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-aktuelles","category-news"],"wpml_language":"en","wpml_translation_of":12359,"_links":{"self":[{"href":"https:\/\/www.securitytoday.de\/en\/wp-json\/wp\/v2\/posts\/12656","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.securitytoday.de\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.securitytoday.de\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.securitytoday.de\/en\/wp-json\/wp\/v2\/users\/50"}],"replies":[{"embeddable":true,"href":"https:\/\/www.securitytoday.de\/en\/wp-json\/wp\/v2\/comments?post=12656"}],"version-history":[{"count":0,"href":"https:\/\/www.securitytoday.de\/en\/wp-json\/wp\/v2\/posts\/12656\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.securitytoday.de\/en\/wp-json\/wp\/v2\/media\/12358"}],"wp:attachment":[{"href":"https:\/\/www.securitytoday.de\/en\/wp-json\/wp\/v2\/media?parent=12656"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.securitytoday.de\/en\/wp-json\/wp\/v2\/categories?post=12656"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.securitytoday.de\/en\/wp-json\/wp\/v2\/tags?post=12656"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
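The F5 section of the article recommends checking 30 days of firewall logs for TMUI access, and the configuration section lists three indicators to look for in NetScaler Gateway session logs (geography, user agent, time of day). The following Python is an added example, not code from the article, F5 or Citrix. It runs those checks over constructed log records in a simple key=value format; the field names, the management networks and the baseline values are assumptions. It goes one step beyond the article's three indicators by also flagging session ids that appear from more than one source address, the replay pattern that follows token harvesting and the concrete reason to terminate sessions after patching.

```python
"""Perimeter log review for the F5 TMUI and NetScaler Gateway checks.

Added example; not code from the article, F5 or Citrix. It assumes a simple
key=value export of firewall and gateway logs (field names are assumptions)
and baseline values derived from the weeks before the advisories. All records
below are constructed, not real log output.
"""
import shlex
from datetime import datetime
from ipaddress import ip_address, ip_network

# Assumption: networks from which management-plane access is legitimate.
MANAGEMENT_NETS = [ip_network("10.250.0.0/24"), ip_network("192.168.99.0/24")]
# BIG-IP management-plane URL prefixes (TMUI and iControl REST).
MANAGEMENT_PATHS = ("/tmui/", "/mgmt/")

# Assumption: baseline for the gateway, taken from the pre-advisory period.
BASELINE_COUNTRIES = {"DE", "AT", "CH"}
BASELINE_USER_AGENT_PREFIXES = ("Citrix Workspace", "Mozilla")
BUSINESS_HOURS = range(7, 20)  # 07:00 to 19:59; timestamps assumed local


def parse_kv(line: str) -> dict:
    """Parse one 'key=value key2="quoted value"' record into a dict."""
    record = {}
    for token in shlex.split(line):
        key, _, value = token.partition("=")
        record[key] = value
    return record


def tmui_hits_from_outside(log_lines):
    """Management-plane requests whose source is not a management network.

    A 200 from outside is the worst case, but a 401 or 302 still proves the
    interface is reachable and belongs in the exposure ranking.
    """
    findings = []
    for line in log_lines:
        rec = parse_kv(line)
        if not rec.get("path", "").startswith(MANAGEMENT_PATHS):
            continue
        if any(ip_address(rec["src"]) in net for net in MANAGEMENT_NETS):
            continue
        findings.append({"ts": rec["ts"], "src": rec["src"],
                         "path": rec["path"], "status": rec.get("status")})
    return findings


def gateway_login_anomalies(log_lines):
    """Gateway logins deviating from the baseline on time, country or agent."""
    anomalies = []
    for line in log_lines:
        rec = parse_kv(line)
        if rec.get("event") != "aaa_login":
            continue
        reasons = []
        if datetime.fromisoformat(rec["ts"]).hour not in BUSINESS_HOURS:
            reasons.append("outside business hours")
        if rec.get("geo") not in BASELINE_COUNTRIES:
            reasons.append(f"unexpected country {rec.get('geo')}")
        if not rec.get("ua", "").startswith(BASELINE_USER_AGENT_PREFIXES):
            reasons.append(f"unexpected user agent {rec.get('ua')!r}")
        if reasons:
            anomalies.append({"ts": rec["ts"], "user": rec.get("user"),
                              "src": rec.get("src"), "reasons": reasons})
    return anomalies


def reused_sessions(log_lines):
    """Session ids seen from more than one source address: the replay
    pattern that follows token harvesting, and a reason to kill sessions."""
    sources = {}
    for line in log_lines:
        rec = parse_kv(line)
        if "sid" in rec and "src" in rec:
            sources.setdefault(rec["sid"], set()).add(rec["src"])
    return {sid: sorted(s) for sid, s in sources.items() if len(s) > 1}


# Constructed sample records (documentation address ranges, no real hosts).
FIREWALL_LOG = [
    "ts=2026-04-02T09:14:03 src=10.250.0.12 dst=10.250.0.5 path=/tmui/login.jsp status=200",
    "ts=2026-04-03T02:41:55 src=198.51.100.23 dst=10.250.0.5 path=/tmui/login.jsp status=200",
    "ts=2026-04-03T02:42:10 src=198.51.100.23 dst=10.250.0.5 path=/mgmt/tm/sys status=401",
    "ts=2026-04-04T11:03:27 src=192.168.99.4 dst=10.250.0.5 path=/tmui/ status=302",
]
GATEWAY_LOG = [
    'ts=2026-04-01T08:12:44 event=aaa_login user=m.mueller src=203.0.113.10 geo=DE ua="Citrix Workspace" sid=a1',
    'ts=2026-04-01T08:15:02 event=aaa_login user=s.kaya src=203.0.113.11 geo=DE ua="Mozilla/5.0" sid=a2',
    'ts=2026-04-02T03:07:19 event=aaa_login user=m.mueller src=198.51.100.77 geo=XX ua="python-requests/2.31" sid=a3',
    'ts=2026-04-02T09:30:00 event=session_use user=s.kaya src=198.51.100.78 geo=XX ua="Mozilla/5.0" sid=a2',
    'ts=2026-04-02T09:31:00 event=session_use user=s.kaya src=203.0.113.11 geo=DE ua="Mozilla/5.0" sid=a2',
]

if __name__ == "__main__":
    for hit in tmui_hits_from_outside(FIREWALL_LOG):
        print("TMUI reachable from outside:", hit)
    for anomaly in gateway_login_anomalies(GATEWAY_LOG):
        print("Gateway login anomaly:", anomaly)
    for sid, srcs in reused_sessions(GATEWAY_LOG).items():
        print(f"Session {sid} used from {srcs}")
```

On the constructed data the TMUI check returns the two external requests from 198.51.100.23, the login check flags the 03:07 login from an unlisted country with a scripted user agent on all three axes, and session a2 is reported because it was used from two addresses. Replace the parser with one for your SIEM's export format; the three checks themselves do not depend on it.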
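For the Trivy section (audit cached artefacts against the published digests, treat scans from the window as unreliable) and the pin-and-verify recommendation in the configuration section, the following Python is an added example, not code from the article or from Aqua Security. It classifies cached scanner images, lists the scans that must be repeated, and gates the CI pull step on a digest pin plus a cosign signature check. The compromise window, the revoked and approved digests, the signer identity pattern and all inventory and scan records are placeholders and constructed data; the real values come from the vendor advisory and your own registry and CI exports.

```python
"""Audit of cached Trivy artefacts and past scan results after the Trivy
supply-chain compromise, plus the pin-and-verify gate for the CI step that
pulls the scanner.

Added example; not code from the article or from Aqua Security. The window,
the digests, the signer identity pattern and all records below are
placeholders (assumptions) to be replaced with the advisory's values and
your own registry and CI exports. The sample data is constructed.
"""
import re
from datetime import datetime, timezone

DIGEST_RE = re.compile(r"@(sha256:[0-9a-f]{64})$")

# Placeholder window; the advisory gives the real dates.
WINDOW_START = datetime(2026, 4, 1, tzinfo=timezone.utc)
WINDOW_END = datetime(2026, 4, 7, tzinfo=timezone.utc)

# Placeholder digests; the advisory lists the real indicators.
REVOKED_DIGESTS = {"sha256:" + "11" * 32}
APPROVED_DIGESTS = {"sha256:" + "aa" * 32}

# GitHub Actions is the OIDC issuer for keyless Sigstore signatures; the
# signer identity pattern is an assumption to confirm against Aqua's docs.
OIDC_ISSUER = "https://token.actions.githubusercontent.com"
SIGNER_IDENTITY_RE = r"^https://github\.com/aquasecurity/trivy/"


def parse_ts(value: str) -> datetime:
    """ISO-8601 with a trailing Z, as registries and CI systems export it."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def classify_artifact(digest: str, pulled_at: str) -> str:
    """Decide what to do with one cached scanner image."""
    if digest in REVOKED_DIGESTS:
        return "revoked"                # purge; treat every run with it as hostile
    if digest in APPROVED_DIGESTS:
        return "approved"
    if WINDOW_START <= parse_ts(pulled_at) <= WINDOW_END:
        return "unverified-in-window"   # purge; provenance cannot be established
    return "unknown"                    # verify the signature before the next use


def scans_to_rerun(scans):
    """Targets whose last scan result cannot be trusted.

    Rule from the article's FAQ: every scan from the window is repeated, and
    outside the window a result stands only if the scanner digest is approved
    (a scan log that recorded only a tag gives no digest and is repeated too).
    """
    rerun = []
    for scan in scans:
        in_window = WINDOW_START <= parse_ts(scan["run_at"]) <= WINDOW_END
        if in_window or scan.get("scanner_digest") not in APPROVED_DIGESTS:
            rerun.append(scan["target"])
    return rerun


def ci_pull_gate(ref: str) -> list:
    """Gate for the pipeline step that pulls Trivy.

    Rejects tag-only references and revoked or unlisted digests, and returns
    the cosign command that must succeed before the image is used.
    """
    match = DIGEST_RE.search(ref)
    if match is None:
        raise ValueError(f"{ref}: tag-only reference, pin by digest")
    digest = match.group(1)
    if digest in REVOKED_DIGESTS:
        raise ValueError(f"{ref}: digest is revoked")
    if digest not in APPROVED_DIGESTS:
        raise ValueError(f"{ref}: digest is not on the approved list")
    return ["cosign", "verify",
            "--certificate-oidc-issuer", OIDC_ISSUER,
            "--certificate-identity-regexp", SIGNER_IDENTITY_RE,
            ref]


def audit_inventory(inventory):
    """Map each runner to the verdict for its cached scanner image."""
    return {item["runner"]: classify_artifact(item["digest"], item["pulled_at"])
            for item in inventory}


# Constructed inventory: one record per cached scanner image on a CI runner.
INVENTORY = [
    {"runner": "ci-01", "ref": "ghcr.io/aquasecurity/trivy:latest",
     "digest": "sha256:" + "11" * 32, "pulled_at": "2026-04-03T10:00:00Z"},
    {"runner": "ci-02", "ref": "ghcr.io/aquasecurity/trivy@sha256:" + "aa" * 32,
     "digest": "sha256:" + "aa" * 32, "pulled_at": "2026-03-20T08:00:00Z"},
    {"runner": "ci-03", "ref": "ghcr.io/aquasecurity/trivy:latest",
     "digest": "sha256:" + "bb" * 32, "pulled_at": "2026-04-05T12:00:00Z"},
    {"runner": "ci-04", "ref": "ghcr.io/aquasecurity/trivy:latest",
     "digest": "sha256:" + "cc" * 32, "pulled_at": "2026-03-01T12:00:00Z"},
]

# Constructed scan log: which scanner produced the last result for each target.
SCANS = [
    {"target": "registry.example/app:1", "scanner_digest": "sha256:" + "aa" * 32, "run_at": "2026-03-25T00:00:00Z"},
    {"target": "registry.example/app:2", "scanner_digest": "sha256:" + "11" * 32, "run_at": "2026-04-03T11:00:00Z"},
    {"target": "registry.example/app:3", "scanner_digest": None, "run_at": "2026-04-06T11:00:00Z"},
    {"target": "registry.example/app:4", "scanner_digest": "sha256:" + "aa" * 32, "run_at": "2026-04-04T11:00:00Z"},
]

if __name__ == "__main__":
    for runner, verdict in audit_inventory(INVENTORY).items():
        print(f"{runner}: {verdict}")
    print("re-scan:", scans_to_rerun(SCANS))
    print(" ".join(ci_pull_gate(INVENTORY[1]["ref"])))
```

In the pipeline, run the command the gate returns before the scanner is invoked; a non-zero exit from cosign, or a ValueError from the gate, fails the job. The allowlist of approved digests is the control that a moved tag cannot defeat, which is why the gate refuses any reference without a digest even when the tag looks familiar.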