A recent vulnerability has been identified in F5 BIG-IP (CVE-2022-26130) affecting several software versions, including 16.1.x versions prior to 16.1.2.2, 15.1.x versions prior to 15.1.5.1, 14.1.x versions prior to 14.1.4.6, and 13.1.x versions prior to 13.1.5. When an Active mode-enabled FTP profile is configured on a virtual server, undisclosed traffic can cause the virtual server to stop processing active FTP data channel connections. In this post we cover the details of this vulnerability and its impact, and provide configuration snippets to help you identify and secure affected systems.

Exploit Details

The vulnerability, CVE-2022-26130, impacts the active FTP data channel connections on F5 BIG-IP systems that have an Active mode-enabled FTP profile configured on a virtual server. When undisclosed traffic is sent to the impacted virtual server, it can cause the server to stop processing active FTP data channel connections. This can result in potential loss of data or service disruption.

In affected F5 BIG-IP environments, the vulnerable component is the FTP profile, which is created and configured through the Traffic Management User Interface (TMUI) and then attached to a virtual server. An FTP profile is required for a virtual server to handle FTP file uploads and downloads.

Below is a configuration snippet (tmsh syntax) representing a vulnerable FTP profile on an F5 BIG-IP system:

ltm profile ftp test_profile {
    app-service none
    defaults-from ftp
    description "Vulnerable FTP Profile"
    proxy-protocol enabled
    translate-extended true
}

As seen in the snippet above, the proxy-protocol enabled parameter indicates that the FTP profile is configured for Active mode.
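As an added exposure check, not part of the original post, the following Python scans saved output of tmsh list ltm profile ftp and tmsh list ltm virtual for virtual servers that carry an FTP profile, and applies the affected-version ranges stated above to a BIG-IP version string. The sample configuration is constructed; whether a flagged profile actually has Active mode enabled still has to be confirmed in the profile itself.

```python
import re

FIXED = {(16, 1): (16, 1, 2, 2), (15, 1): (15, 1, 5, 1),   # first release per affected branch
         (14, 1): (14, 1, 4, 6), (13, 1): (13, 1, 5, 0)}   # outside the ranges given in the text

def is_affected(version):
    """True if this BIG-IP version is in an affected branch and below its fix release."""
    v = tuple(int(p) for p in version.strip().split("."))
    v = v + (0,) * (4 - len(v))          # pad "13.1.5" to (13, 1, 5, 0)
    fix = FIXED.get(v[:2])
    return fix is not None and v < fix   # branches not listed above are not affected

def brace_body(text, open_idx):
    """Text between the '{' at open_idx and its matching '}' (tmsh output nests braces)."""
    depth = 0
    for i in range(open_idx, len(text)):
        depth += {"{": 1, "}": -1}.get(text[i], 0)
        if depth == 0:
            return text[open_idx + 1:i]
    raise ValueError("unbalanced braces in tmsh output")

def virtuals_with_ftp(config):
    """Virtual server -> sorted FTP profiles attached (the built-in parent profile is named ftp)."""
    ftp = {m.group(1) for m in re.finditer(r"^ltm profile ftp (\S+) \{", config, re.M)} | {"ftp"}
    found = {}
    for m in re.finditer(r"^ltm virtual (\S+) \{", config, re.M):
        body = brace_body(config, m.end() - 1)
        p = re.search(r"^\s*profiles \{", body, re.M)
        if p:
            attached = {n.group(1) for n in re.finditer(r"(\S+) \{", brace_body(body, p.end() - 1))}
            if attached & ftp:
                found[m.group(1)] = sorted(attached & ftp)
    return found

# Constructed sample of 'tmsh list ltm profile ftp' and 'tmsh list ltm virtual' output.
SAMPLE_CONFIG = """ltm profile ftp test_profile {
    proxy-protocol enabled
}
ltm virtual vs_ftp {
    profiles {
        tcp { }
        test_profile { }
    }
}
ltm virtual vs_web {
    profiles {
        tcp { }
    }
}
"""
```

Run virtuals_with_ftp() over the real output saved from a unit, then review each listed profile's Active mode setting and the unit's version with is_affected() to decide whether the upgrade is urgent.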

Impact and Severity

When the vulnerability is exploited, the F5 BIG-IP environment may experience service disruptions, which can lead to an inability to continue processing active FTP data channel connections. This can prevent users from uploading or downloading files using FTP, potentially causing loss of data and impacting business continuity.

The severity of CVE-2022-26130 is currently undetermined, as this depends on the specific environment and the criticality of the Active mode-enabled FTP profiles present in the system.

Mitigation and Solutions

To mitigate CVE-2022-26130 in F5 BIG-IP systems, users are advised to upgrade to a software version that contains the fix: for the affected branches listed above, that is the first release outside each affected range, namely 16.1.2.2, 15.1.5.1, 14.1.4.6 and 13.1.5.

For further information about CVE-2022-26130, refer to the original references:

- F5 Security Advisory: K52412822: F5 BIG-IP systems FTP profile vulnerability CVE-2022-26130
- National Vulnerability Database (NVD): CVE-2022-26130

Conclusion

CVE-2022-26130 is a serious vulnerability affecting Active mode-enabled FTP profiles in certain F5 BIG-IP software versions. By understanding the exploit details and potential impact, you can take steps to secure your systems by upgrading to the appropriate software versions. It is crucial to stay updated on security advisories and ensure that your environment remains protected against any unforeseen exploits or vulnerabilities.

Timeline

Published on: 05/05/2022 17:15:00 UTC
Last modified on: 05/16/2022 12:34:00 UTC