Hackers Exploit F5 BIG-IP Appliance to Gain SSH Access and Pivot Into Enterprise Linux Networks

https://cybersecuritynews.com/f5-big-ip-exploited-for-ssh-access/

Publish Date: 2026-05-24 05:58:00

Source Domain: cybersecuritynews.com

Microsoft has described a multi-stage intrusion in which a threat actor used an internet-facing F5 BIG-IP edge appliance as the entry point for a widespread, identity-focused attack that ultimately reached Active Directory.

According to Microsoft's Defender Security Research, the attack reflects a growing trend in which firewalls, VPN gateways, and load balancers, devices traditionally deployed as security boundaries, are being repurposed as initial access points.

Because edge appliances are externally exposed, lightly monitored, and highly trusted inside enterprise environments, a single compromise can hand attackers a durable, low-visibility foothold along with stored credentials, certificates, and identity integrations.

Initial Access Through an End-of-Life F5 BIG-IP

The threat actor established SSH access to the first Linux host from a network device identified as an F5 BIG-IP load balancer. Device inventory pinned the source to an Azure-hosted BIG-IP Virtual Edition appliance running version 15.1.201000, a build commonly deployed through Azure ARM templates and Terraform modules, which reached end-of-life on December 31, 2024. The article does not state how the appliance itself was compromised; the evidence it cites is that the SSH session into the server estate originated from the appliance's address.

Attack Flow

The actor authenticated to the Linux server over SSH using a privileged account and kept hands-on-keyboard access throughout the operation without deploying any explicit persistence mechanism: an over-privileged identity with sudo rights was persistence enough, which is exactly the danger such accounts pose.

Once on the host, the attacker conducted aggressive reconnaissance. Using a shell script, they ran horizontal Nmap scans (host discovery) across internal subnets to enumerate live hosts, followed by deeper vertical scans (port and service enumeration) against the hosts found.

The actor then used gowitness, routed through a SOCKS5 proxy, to capture screenshots of and fingerprint the exposed HTTP/HTTPS services.

Where Windows servers were discovered, the actor attempted NTLM-based lateral movement using familiar open-source tooling, including enum4linux, netexec, smbclient, rpcclient, timeroast,…
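The chain above leaves a recognisable trail in ordinary Linux auth logs: an sshd login whose source address belongs to an inventoried edge appliance, followed by sudo executions of scanning and enumeration tools by the same account. As an added example, not code from the article or from Microsoft's report, the following Python script correlates those two signals over constructed sample log lines. The appliance inventory, the tool list, the use of proxychains to reach a SOCKS5 proxy, and every log line are assumptions made for the demonstration.

```python
"""Correlate edge-appliance SSH logins with recon tooling run via sudo.

Added example, not code from the article or from Microsoft's report. The
appliance inventory, the tool list and the log lines below are constructed
for illustration.
"""
import os
import re
import shlex

# Assumed inventory: addresses of edge appliances (load balancers, VPN gateways,
# firewalls) that should never originate interactive SSH into the server estate.
EDGE_APPLIANCES = {
    "10.20.0.5": "f5-bigip-ve-azure (hypothetical)",
}

# Tools named in the article's attack flow, plus common aliases (assumption).
RECON_TOOLS = {
    "nmap", "gowitness", "enum4linux", "enum4linux-ng", "netexec", "nxc",
    "smbclient", "rpcclient", "timeroast.py",
}
# Wrappers typically used to push tools through a SOCKS5 proxy (assumption).
PROXY_WRAPPERS = {"proxychains", "proxychains4"}

SSH_ACCEPTED = re.compile(
    r"sshd\[\d+\]: Accepted (?P<method>\S+) for (?P<user>\S+) "
    r"from (?P<src>[0-9.]+) port \d+"
)
SUDO_COMMAND = re.compile(
    r"sudo:\s+(?P<user>\S+) : TTY=\S+ ; PWD=\S+ ; USER=(?P<target>\S+) ; "
    r"COMMAND=(?P<cmd>.+)$"
)


def classify_command(cmd):
    """Return (tool basename, proxied) for a sudo COMMAND string."""
    try:
        argv = shlex.split(cmd)
    except ValueError:          # unbalanced quotes: fall back to a naive split
        argv = cmd.split()
    if not argv:
        return "", False
    proxied = os.path.basename(argv[0]) in PROXY_WRAPPERS
    if proxied:
        argv = argv[1:]         # proxychains4 <real tool> ...: look past the wrapper
    tool = os.path.basename(argv[0]) if argv else ""
    return tool, proxied


def analyze(lines, edge_appliances=EDGE_APPLIANCES):
    """Scan auth-log lines in order and return a list of findings.

    Each sudo finding records which edge appliance (if any) the user's SSH
    session originated from, so hits inside an edge-sourced session can be
    triaged ahead of the same tools run from a normal admin session.
    """
    edge_sessions = {}   # user -> appliance label for logins sourced from an edge IP
    findings = []
    for line in lines:
        m = SSH_ACCEPTED.search(line)
        if m:
            src, user = m.group("src"), m.group("user")
            if src in edge_appliances:
                edge_sessions[user] = edge_appliances[src]
                findings.append({"type": "ssh_from_edge_appliance", "user": user,
                                 "src": src, "appliance": edge_appliances[src],
                                 "method": m.group("method")})
            continue
        m = SUDO_COMMAND.search(line)
        if m:
            tool, proxied = classify_command(m.group("cmd"))
            if tool in RECON_TOOLS:
                findings.append({"type": "recon_tool_via_sudo", "user": m.group("user"),
                                 "tool": tool, "proxied": proxied,
                                 "command": m.group("cmd"),
                                 "edge_origin": edge_sessions.get(m.group("user"))})
    return findings


# Constructed sample lines in syslog/auth.log style; not real telemetry.
SAMPLE_LOG = [
    "May 20 02:11:07 app01 sshd[2144]: Accepted publickey for opsadmin from 10.20.0.5 port 51712 ssh2: RSA SHA256:c0ffee",
    "May 20 02:11:07 app01 sshd[2144]: pam_unix(sshd:session): session opened for user opsadmin(uid=1001) by (uid=0)",
    "May 20 02:14:33 app01 sudo:  opsadmin : TTY=pts/2 ; PWD=/home/opsadmin ; USER=root ; COMMAND=/usr/bin/nmap -sn 10.20.0.0/16",
    "May 20 02:31:10 app01 sudo:  opsadmin : TTY=pts/2 ; PWD=/home/opsadmin ; USER=root ; COMMAND=/usr/bin/nmap -sV -p- 10.20.4.17",
    "May 20 03:02:41 app01 sudo:  opsadmin : TTY=pts/2 ; PWD=/tmp ; USER=root ; COMMAND=/usr/bin/proxychains4 /opt/gowitness scan file -f /tmp/hosts.txt",
    "May 20 08:45:02 app01 sshd[3001]: Accepted publickey for deploy from 10.50.1.23 port 40022 ssh2: RSA SHA256:deadbeef",
    "May 20 08:46:00 app01 sudo:  deploy : TTY=pts/0 ; PWD=/home/deploy ; USER=root ; COMMAND=/usr/bin/systemctl restart nginx",
]

if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG):
        print(finding)
```

On the sample, the script reports one edge-sourced login and three recon executions (two nmap runs, then gowitness behind proxychains), all tagged with the appliance that originated the session; the deploy user's systemctl call is ignored. The lookup keys here are the appliance addresses and the sudo COMMAND field, so the same logic applies to auditd EXECVE records or journald output once the two regular expressions are adapted to that format.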
