From edge appliance to enterprise compromise: Multi-stage Linux intrusion via F5 and Confluence
From edge appliance to enterprise compromise: Multi-stage Linux intrusion via F5 and Confluence
Publish Date: 2026-05-22 12:53:00
Source Domain: www.microsoft.com
In this article
A growing trend in modern intrusions is the compromise of internet-facing edge appliances such as firewalls and VPN gateways. Systems traditionally deployed as security boundaries are increasingly becoming initial access points due to the continued discovery and exploitation of critical vulnerabilities.
Because these devices are externally exposed, lightly monitored, and highly trusted inside enterprise environments, compromise can provide a durable foothold with limited visibility. Edge appliances often store credentials, certificates, session material, authentication tokens, and identity integrations with directories, cloud services, and identity providers. Once compromised, these trust relationships can enable lateral movement that bypasses traditional security controls.
In this incident, the threat actor compromised an internet-facing firewall appliance and used trusted relationships to pivot to an internal Linux host. From there, the threat actor compromised a vulnerable SaaS application and leveraged its credentials to conduct relay-style authentication attacks against Active Directory.
This incident reflects a broader shift toward identity-centric, multi-domain attack chains that span network infrastructure, endpoints, SaaS platforms, cloud workloads, and identity systems. Organizations should treat edge devices, non-Windows systems, and cloud identities as security-critical assets, prioritize monitoring across these environments, and use attack path analysis to identify where threat actors are most likely to establish initial access.
Attack chain overview
Figure 1. Multi-stage Linux intrusion via F5 and Confluence – Attack flow.
Figure 2. Multi-stage Linux intrusion via F5 and Confluence – Threat actor activities.
Initial access: Exploiting edge appliances
The threat actor established SSH access to the first Linux host from a network device identified as an F5 BIG-IP load balancer….
