Published on May 23, 2026

Hackers Exploit F5 BIG-IP to Gain SSH Access and Pivot Into Linux Networks


Severity

High

Detail

Threat actors are actively targeting unsupported F5 BIG-IP appliances to establish unauthorized SSH access into enterprise environments, using compromised edge infrastructure as an entry point for multi-stage intrusion campaigns. Microsoft Threat Intelligence disclosed an incident demonstrating how attackers leveraged a single vulnerable F5 BIG-IP device to compromise Linux systems, access internal applications, and ultimately move toward Active Directory infrastructure.

The intrusion originated from an Azure-hosted F5 BIG-IP Virtual Edition (VE) appliance operating version 15.1.201000, which reached end-of-life status on December 31, 2024. Because the system no longer received security updates or vendor support, attackers successfully exploited weaknesses to obtain initial access.

The incident occurs amid increasing concerns surrounding F5 infrastructure security. In 2025, threat actors reportedly breached F5 internal systems and exfiltrated BIG-IP source code alongside information regarding undisclosed vulnerabilities. The activity has been linked to BRICKSTORM malware operations targeting software vendors and cloud providers for downstream supply chain attacks.

Additional exposure stems from CVE-2025-53521 affecting F5 BIG-IP Access Policy Manager (APM). Initially disclosed as a denial-of-service vulnerability, it was later reclassified as a Remote Code Execution (RCE) flaw with a CVSS severity score of 9.8. Security organizations confirmed active exploitation activity, with internet telemetry identifying more than 17,000 exposed vulnerable systems globally.

How?

The attack chain began after threat actors gained SSH access through the compromised F5 BIG-IP appliance using privileged credentials configured with unrestricted sudo permissions. Rather than immediately deploying persistence mechanisms, attackers maintained interactive access to perform reconnaissance and internal discovery.

Attackers conducted aggressive internal enumeration using multiple tools:

  • Nmap for network scanning and subnet discovery
  • GoWitness for HTTP and HTTPS screenshot collection
  • testssl for SSL/TLS weakness identification
  • HackTool:Linux/MalPack.B for web application access control discovery
  • Kerbrute, enum4linux, responder, smbclient, and netexec for Windows authentication and NTLM-related lateral movement attempts

During reconnaissance activities, attackers identified an internally hosted Atlassian Confluence server containing unpatched Remote Code Execution vulnerabilities. Although not internet-facing, the system became reachable after internal access was established.

When endpoint protection blocked direct payload delivery, attackers adapted by deploying a Python FTP server on the compromised Linux system to stage payloads internally using anonymous FTP transfers.

Following Confluence compromise, attackers extracted credentials from configuration files including:

  • /opt/atlassian/confluence/conf/server.xml
  • confluence.cfg.xml

Recovered credentials enabled additional attacks targeting Windows infrastructure.

Threat actors subsequently leveraged CVE-2025-33073, a Windows SMB NTLM reflection vulnerability that enables authenticated Remote Code Execution as SYSTEM on domain-joined systems lacking SMB signing enforcement. Successful exploitation allowed attackers to escalate privileges and pivot further toward Active Directory compromise.

Recommendation

Organizations should immediately retire unsupported F5 BIG-IP appliances and treat internet-facing edge infrastructure as Tier-0 assets requiring strict lifecycle governance. Internal applications such as Atlassian Confluence should receive security updates with the same urgency as internet-exposed systems to reduce internal attack surface exposure.

Security teams should strengthen authentication controls by disabling NTLM where feasible, enforcing SMB signing, enabling LDAP signing, and implementing channel binding protections. Endpoint detection and response capabilities should be deployed consistently across Linux and Windows environments to improve visibility into suspicious activity involving SSH access, internal scanning tools, and credential theft attempts.

Organizations should also implement tiered administrative models and least-privilege controls to prevent compromised application credentials from enabling domain-wide compromise.

Threat hunting activities should prioritize detection of:

  • Unexpected SSH access on edge infrastructure
  • Internal network scanning behavior
  • Anonymous FTP server deployment
  • Credential extraction attempts
  • NTLM relay activity
  • Kerberos abuse indicators
  • SMB authentication anomalies
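As an added example that is not part of the advisory or of Microsoft's report, the Python below runs the first four hunting priorities above over constructed syslog-style sshd and sudo records; the edge-host inventory, the management subnet and the pyftpdlib module name used as the "Python FTP server" indicator are assumptions.

```python
import re

# Constructed syslog-style sshd/sudo records mirroring the intrusion stages; not from the incident.
SAMPLE_LOGS = """\
May 20 01:12:03 bigip-edge sshd[2231]: Accepted password for admin from 198.51.100.7 port 51022 ssh2
May 20 01:12:40 bigip-edge sudo: admin : TTY=pts/0 ; PWD=/root ; USER=root ; COMMAND=/usr/bin/nmap -sn 10.0.0.0/16
May 20 01:15:09 linux-app1 sudo: svc : TTY=pts/1 ; PWD=/tmp ; USER=root ; COMMAND=/usr/bin/python3 -m pyftpdlib -p 21 -w
May 20 01:20:44 linux-app1 sudo: svc : TTY=pts/1 ; PWD=/tmp ; USER=root ; COMMAND=/bin/cat /opt/atlassian/confluence/conf/server.xml
May 20 01:21:02 linux-app1 sudo: svc : TTY=pts/1 ; PWD=/tmp ; USER=root ; COMMAND=/usr/local/bin/kerbrute userenum -d corp.local users.txt
May 20 08:00:00 bigip-edge sshd[2412]: Accepted publickey for ops from 10.0.5.20 port 44010 ssh2
"""

EDGE_HOSTS = {"bigip-edge"}     # assumed inventory of edge appliances
MGMT_PREFIXES = ("10.0.5.",)    # assumed management subnet allowed to SSH to edge devices
# Command-line indicators for the hunting priorities; pyftpdlib is an assumed module name.
RULES = [
    ("internal_scanning", re.compile(r"\b(nmap|gowitness|testssl)\b")),
    ("anonymous_ftp_staging", re.compile(r"python3?\s+-m\s+pyftpdlib")),
    ("credential_extraction", re.compile(r"(server\.xml|confluence\.cfg\.xml)")),
    ("windows_auth_abuse_tooling", re.compile(r"\b(kerbrute|enum4linux|responder|netexec|smbclient)\b")),
]
SSH_RE = re.compile(r"^\w{3} +\d+ [\d:]+ (?P<host>\S+) sshd\[\d+\]: Accepted \S+ for (?P<user>\S+) from (?P<src>\S+)")
SUDO_RE = re.compile(r"^\w{3} +\d+ [\d:]+ (?P<host>\S+) sudo: +(?P<user>\S+) : .*COMMAND=(?P<cmd>.*)$")

def hunt(log_text):
    """Return (rule, host, user, detail) tuples for every line that trips a hunting rule."""
    findings = []
    for line in log_text.splitlines():
        m = SSH_RE.match(line)
        if m:
            # Successful SSH to an edge appliance from outside the management subnet
            if m["host"] in EDGE_HOSTS and not m["src"].startswith(MGMT_PREFIXES):
                findings.append(("unexpected_edge_ssh", m["host"], m["user"], m["src"]))
            continue
        m = SUDO_RE.match(line)
        if not m:
            continue
        for name, pattern in RULES:
            if pattern.search(m["cmd"]):
                findings.append((name, m["host"], m["user"], m["cmd"]))
                break
    return findings

def pivot_candidates(findings, min_stages=2):
    """Hosts where two or more distinct rules fired: likely hands-on-keyboard pivot points."""
    stages = {}
    for rule, host, _user, _detail in findings:
        stages.setdefault(host, set()).add(rule)
    return sorted(h for h, s in stages.items() if len(s) >= min_stages)
```

In practice the embedded sample would be replaced by an auditd or journald export, and any edge-host hit should prompt a review of that SSH principal's sudo rules.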

Conclusion

This incident demonstrates how a single unsupported edge appliance can create a compromise path into enterprise infrastructure. Threat actors combined network reconnaissance, internal application exploitation, credential theft, and Windows authentication abuse to progress from initial access toward domain-level compromise.

The intrusion highlights the importance of maintaining asset lifecycle management, applying timely security patches, enforcing strong authentication protections, and implementing segmentation controls. Organizations operating hybrid and cloud-connected environments should assume perimeter compromise scenarios and adopt layered defensive strategies to reduce the likelihood of enterprise-wide intrusion.

Source

https://gbhackers.com/exploit-f5-big-ip-ssh-access/