F5 BIG-IP Appliances Targeted by Hackers for SSH Intrusions Into Enterprise Linux Systems
Threat Intelligence


Surendra Reddy
MAY 23, 2026

Threat actors are turning trusted network edge devices against the very enterprises they were built to protect, and F5 BIG-IP appliances are now at the center of one of the most alarming multi-stage intrusion campaigns documented in 2026.

Security researchers at Microsoft's Defender Security Research Team have published detailed findings of a sophisticated attack chain in which an exposed, end-of-life F5 BIG-IP load balancer was weaponized as the launchpad for SSH-based lateral movement across enterprise Linux systems, ultimately targeting Active Directory and identity infrastructure.

## How the Attack Begins: The Edge Appliance as a Trojan Horse

For years, enterprise security teams have treated load balancers, VPN gateways, and firewall appliances as the defenders of the network perimeter. The latest F5 BIG-IP attack campaign flips that assumption entirely.

According to Microsoft's investigation, the threat actor established SSH access to an internal Linux host directly from an F5 BIG-IP load balancer, specifically an Azure-hosted BIG-IP Virtual Edition (VE) running version 15.1.201000. This version, commonly deployed through Azure ARM templates and Terraform modules, reached end-of-life (EOL) on December 31, 2024, meaning it no longer receives security patches or vendor support.

This is the critical first domino. Because edge appliances sit at the boundary between the public internet and internal corporate networks, they are externally reachable, yet deeply trusted by internal systems. Once an attacker gains control of a BIG-IP device, they inherit that trust along with stored credentials, TLS certificates, and network routing privileges that allow nearly silent lateral movement.

## Inside the Attack Chain: From SSH to Active Directory

The intrusion documented by Microsoft Defender researchers unfolded in carefully staged steps, each building on the access gained in the previous phase.

**Stage 1: Initial SSH Foothold.** The attacker used the compromised F5 BIG-IP appliance to initiate SSH sessions into Linux hosts inside the enterprise environment. Because the connection originated from a trusted network device, it generated minimal suspicion in standard monitoring setups.

**Stage 2: Reconnaissance and SSL/TLS Probing.** Once inside, the attacker deployed testssl, a command-line tool used to audit SSL and TLS configurations. This indicated an active search for protocol downgrades and misconfigurations that could be exploited for further credential interception.

**Stage 3: Exploitation of CVE-2025-33073.** The threat actor then pivoted to an internal Confluence server and executed a Python exploit script against CVE-2025-33073, a vulnerability enabling credential theft from internal web applications. The attack leveraged PetitPotam coercion and DNS manipulation tooling to force authentication relay toward a domain controller.

**Stage 4: Kerberos Relay Attacks.** Using netexec with PetitPotam coercion, the attacker attempted Kerberos relay attacks, a well-known technique for capturing and replaying Kerberos authentication tickets to impersonate privileged accounts. This phase of the attack crossed both platform and trust boundaries, moving from a Linux-based environment into Windows identity infrastructure.

**Stage 5: Active Directory Targeting.** The final objective of the intrusion was the domain controller, the crown jewel of enterprise identity infrastructure. A successful compromise at this stage would have given the attacker full control over user accounts, group policies, and authentication for the entire organization.

## Why End-of-Life Appliances Are an Existential Risk

The F5 BIG-IP Virtual Edition version exploited in this campaign had been running beyond its vendor support date. This detail is not a footnote; it is the root cause.

End-of-life network appliances do not receive patches. Known vulnerabilities accumulate unchecked. Threat actors actively scan for and catalog these versions, building exploit toolkits tailored to their weaknesses. Once a device reaches EOL and remains internet-facing, it becomes a persistent, low-risk entry point that attackers can return to repeatedly.

This campaign reflects a broader and accelerating trend. As Microsoft's researchers noted, firewalls, VPN concentrators, and load balancers, devices once considered security controls, are now being actively repurposed as initial access vectors. The combination of external exposure, internal trust, and minimal monitoring makes them ideal targets.

## The Broader F5 BIG-IP Threat Landscape in 2026

This SSH intrusion campaign does not exist in isolation. The F5 BIG-IP platform has faced a cascade of serious security events over the past year.

In March 2026, security researchers and CISA flagged CVE-2025-53521, a critical remote code execution vulnerability affecting BIG-IP APM systems. Originally classified as a denial-of-service flaw, new information revealed it could be exploited by unauthenticated attackers to execute arbitrary code on vulnerable systems. Shadowserver tracked over 240,000 BIG-IP instances exposed on the public internet at the time. CISA added it to its Known Exploited Vulnerabilities catalog and ordered federal agencies to patch by March 30, 2026.

Earlier, in October 2025, F5 disclosed that a nation-state affiliated threat actor had breached its internal development environment, stealing BIG-IP source code and information about undisclosed vulnerabilities. CISA issued Emergency Directive 26-01 in response, warning of an imminent threat to federal and corporate networks. The stolen source code raised the specter of adversary-developed zero-days tailored specifically to BIG-IP infrastructure, which now underpins the networks of 48 of the world's top 50 corporations.

The SSH intrusion campaign documented by Microsoft represents the operational side of this threat: adversaries are not merely holding stolen knowledge; they are actively exploiting BIG-IP appliances in the field.

## Detection: How Microsoft Defender Caught It

Microsoft Defender for Endpoint detected the malicious ELF (Linux) payload deployed during the intrusion, successfully blocking it on the Confluence host where real-time protection was active. The incident highlighted both the effectiveness of endpoint-level detection and the gaps that arise when protection is not uniformly deployed across all Linux workloads.

The fact that real-time protection was enabled on only one of the affected hosts is itself a warning. In hybrid environments where Linux servers often run with lighter security tooling than their Windows counterparts, attackers can move between systems and only occasionally encounter a defensive control.

## Recommendations: Defending Against Edge Appliance Intrusions

The F5 BIG-IP SSH intrusion campaign offers clear lessons for enterprise security teams. Immediate and structural action is required across several areas.

1. **Inventory and Retire End-of-Life Devices.** Any internet-facing F5 BIG-IP device running a version that reached EOL must be treated as actively compromised or imminently compromisable. Identify, isolate, and replace or upgrade these appliances. Version 15.1.201000 specifically should be flagged as a critical priority.

2. **Treat Edge Appliances as Tier-0 Assets.** Network edge devices (load balancers, VPN gateways, firewalls) should be governed with the same rigor as domain controllers. Apply strict patch management lifecycles, monitor outbound SSH connections from these devices, and restrict management interfaces from public internet access.

3. **Apply Patches for CVE-2025-53521 and CVE-2025-33073.** Both vulnerabilities are actively exploited. Patch immediately if you have not already done so. Review F5's published indicators of compromise (IOCs) and audit disk contents, logs, and terminal history on BIG-IP systems for signs of malicious activity.

4. **Disable NTLM and Enforce SMB/LDAP Signing.** To prevent Kerberos relay attacks and NTLM relay attacks from succeeding, disable NTLM where possible, enforce SMB signing, enforce LDAP signing and channel binding, and enable Extended Protection for Authentication (EPA).

5. **Deploy Endpoint Detection on Linux Workloads.** The attacker in this campaign was blocked only where real-time endpoint protection existed. Ensure consistent EDR coverage across all Linux servers, particularly those running internal web applications like Confluence, Jira, or Jenkins, which are high-value targets for credential theft.

6. **Monitor Cross-System Authentication Events.** Kerberos relay attacks produce distinctive authentication patterns. Implement monitoring for anomalous Kerberos ticket requests, coerced authentication from unexpected sources, and unusual DNS manipulation activity.
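The monitoring called for in recommendation 2 (SSH sessions originating from edge appliances, the behaviour that opened Stage 1 of this intrusion) can be reduced to a simple log rule. The script below is an added illustration written for this article; it is not code from the article, from Microsoft, or from F5. It parses standard OpenSSH `sshd` "Accepted" lines and flags every successful login whose source address belongs to a load balancer, VPN gateway or firewall in an asset inventory. The inventory, host names, addresses and log lines are constructed sample data; in a real deployment the inventory would be fed from the CMDB and the rule would run over the central log pipeline rather than a list in memory.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List

# Constructed inventory of edge appliances keyed by the address they egress from.
# Hypothetical names and addresses; in practice this comes from the asset inventory.
# The point: none of these devices should ever be the *source* of an interactive
# SSH login to an internal server, so any match is worth a ticket.
EDGE_APPLIANCES = {
    ipaddress.ip_address("10.0.1.10"): "f5-bigip-ve-01 (BIG-IP VE, end-of-life)",
    ipaddress.ip_address("10.0.1.11"): "vpn-gw-01",
}

# Standard OpenSSH success line as written to auth.log / journald:
#   "<syslog ts> <host> sshd[<pid>]: Accepted <method> for <user> from <src> port <port> ssh2 ..."
# Failed logins, session-open lines and anything else deliberately do not match.
SSHD_ACCEPTED = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) sshd\[\d+\]: "
    r"Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<src>\S+) port (?P<port>\d+)"
)


@dataclass
class Finding:
    timestamp: str
    target_host: str
    user: str
    method: str
    source: str
    appliance: str


def find_edge_ssh_logins(lines: Iterable[str], inventory=EDGE_APPLIANCES) -> List[Finding]:
    """Return one Finding per successful SSH login whose source is an edge appliance."""
    findings: List[Finding] = []
    for line in lines:
        m = SSHD_ACCEPTED.match(line)
        if m is None:
            continue  # not a successful login (failed attempt, pam session line, ...)
        try:
            src = ipaddress.ip_address(m["src"])
        except ValueError:
            continue  # sshd logged a hostname or a malformed field; other rules cover that
        appliance = inventory.get(src)
        if appliance is None:
            continue  # ordinary workstation or bastion source
        findings.append(Finding(m["ts"], m["host"], m["user"], m["method"], m["src"], appliance))
    return findings


def logins_per_appliance(findings: Iterable[Finding]) -> Dict[str, int]:
    """Summarise how many internal logins each appliance initiated (for triage)."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.appliance] = counts.get(f.appliance, 0) + 1
    return counts


# Constructed sample auth log. Two successful logins come from the (hypothetical)
# BIG-IP address; one failed login from it is ignored, as is a login logged by hostname.
SAMPLE_AUTH_LOG = [
    "May 20 02:14:07 confluence01 sshd[2231]: Accepted password for svc-deploy from 10.0.1.10 port 51422 ssh2",
    "May 20 02:14:09 confluence01 sshd[2231]: pam_unix(sshd:session): session opened for user svc-deploy(uid=1003) by (uid=0)",
    "May 20 08:01:55 confluence01 sshd[3104]: Accepted publickey for alice from 10.0.5.23 port 40012 ssh2: ED25519 SHA256:ConstructedSampleFingerprint1",
    "May 20 08:30:12 confluence01 sshd[3301]: Failed password for root from 10.0.1.10 port 51580 ssh2",
    "May 20 09:12:44 jenkins01 sshd[1877]: Accepted publickey for svc-deploy from 10.0.1.10 port 52001 ssh2: RSA SHA256:ConstructedSampleFingerprint2",
    "May 20 09:13:02 jenkins01 sshd[1890]: Accepted password for bob from bastion.corp.example port 33001 ssh2",
]


if __name__ == "__main__":
    hits = find_edge_ssh_logins(SAMPLE_AUTH_LOG)
    for h in hits:
        print(f"{h.timestamp} ALERT ssh login on {h.target_host} as {h.user} ({h.method}) "
              f"from {h.source} = {h.appliance}")
    print(logins_per_appliance(hits))
```

The rule is intentionally narrow: it keys on the appliance's address, not on the user name or authentication method, because a load balancer has no legitimate reason to open interactive shells on application servers regardless of which credential it presents. Pair it with a short allowlist for any genuine automation flows before putting it into production, so that the alert stays high-fidelity.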

## The Bigger Picture: Perimeter Devices Are the New Frontline

The F5 BIG-IP SSH intrusion campaign is a case study in what Microsoft researchers described as the core challenge of modern enterprise security: a single remote code execution vulnerability in a perimeter-adjacent device can cascade into full identity compromise across an organization, crossing platform and trust boundaries at every step.

Attackers targeting this vector do not need to be highly sophisticated. They need only be persistent, and they need to find organizations where patching discipline and monitoring gaps exist across hybrid infrastructure. The sobering reality, confirmed by Shadowserver's tracking of over 240,000 exposed BIG-IP instances, is that those gaps remain widespread.

For enterprise security teams, the response cannot be reactive. Every internet-facing appliance must be inventoried, patched, monitored, and retired on schedule with the same urgency applied to internal crown jewels.

## Final Thoughts

The exploitation of F5 BIG-IP appliances for SSH-based intrusion into enterprise Linux systems is not a theoretical future risk. It is happening now, as documented by Microsoft's Defender Security Research Team in a detailed disclosure published May 22, 2026. The attack chain, from an EOL load balancer to Confluence exploitation, Kerberos relay, and Active Directory targeting, demonstrates precisely why edge appliance lifecycle management must be elevated to a board-level security priority.
