{"id":252791,"date":"2026-05-22T12:53:00","date_gmt":"2026-05-22T16:53:00","guid":{"rendered":"https:\/\/news-you-need.com\/index.php\/2026\/05\/22\/from-edge-appliance-to-enterprise-compromise-multi-stage-linux-intrusion-via-f5-and-confluence\/"},"modified":"2026-05-22T16:20:11","modified_gmt":"2026-05-22T20:20:11","slug":"from-edge-appliance-to-enterprise-compromise-multi-stage-linux-intrusion-via-f5-and-confluence","status":"publish","type":"post","link":"https:\/\/news-you-need.com\/index.php\/2026\/05\/22\/from-edge-appliance-to-enterprise-compromise-multi-stage-linux-intrusion-via-f5-and-confluence\/","title":{"rendered":"From edge appliance to enterprise compromise: Multi-stage Linux intrusion via F5 and Confluence"},"content":{"rendered":"<p><a href=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2026\/05\/22\/from-edge-appliance-to-enterprise-compromise-multi-stage-linux-intrusion-via-f5-and-confluence\/\">From edge appliance to enterprise compromise: Multi-stage Linux intrusion via F5 and Confluence<\/a><\/p>\n<p><a href=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2026\/05\/22\/from-edge-appliance-to-enterprise-compromise-multi-stage-linux-intrusion-via-f5-and-confluence\/\">https:\/\/www.microsoft.com\/en-us\/security\/blog\/2026\/05\/22\/from-edge-appliance-to-enterprise-compromise-multi-stage-linux-intrusion-via-f5-and-confluence\/<\/a><\/p>\n<p>Publish Date: <a href=\"publish_date]\">2026-05-22 12:53:00<\/a><\/p>\n<p>Source Domain: <a href=\"www.microsoft.com\">www.microsoft.com<\/a><\/p>\n<p class=\"wp-block-paragraph\">A growing trend in modern intrusions is the compromise of internet-facing edge appliances such as firewalls and VPN gateways. 
Systems traditionally deployed as security boundaries are increasingly becoming initial access points due to the continued discovery and exploitation of critical vulnerabilities.<\/p>\n<p class=\"wp-block-paragraph\">Because these devices are externally exposed, lightly monitored, and highly trusted inside enterprise environments, compromise can provide a durable foothold with limited visibility. Edge appliances often store credentials, certificates, session material, authentication tokens, and identity integrations with directories, cloud services, and identity providers. Once compromised, these trust relationships can enable lateral movement that bypasses traditional security controls.<\/p>\n<p class=\"wp-block-paragraph\">In this incident, the threat actor compromised an internet-facing firewall appliance and used trusted relationships to pivot to an internal Linux host. From there, the threat actor compromised a vulnerable SaaS application and leveraged its credentials to conduct relay-style authentication attacks against Active Directory.<\/p>\n<p class=\"wp-block-paragraph\">This incident reflects a broader shift toward identity-centric, multi-domain attack chains that span network infrastructure, endpoints, SaaS platforms, cloud workloads, and identity systems. Organizations should treat edge devices, non-Windows systems, and cloud identities as security-critical assets, prioritize monitoring across these environments, and use attack path analysis to identify where threat actors are most likely to establish initial access.<\/p>\n<h2 class=\"wp-block-heading\" id=\"attack-chain-overview\">Attack chain overview<\/h2>\n<p>Figure 1. Multi-stage Linux intrusion via F5 and Confluence \u2013 Attack flow.<\/p>\n<p><img decoding=\"async\" alt=\"\" class=\"wp-image-147629 webp-format\" srcset=\"\" src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2026\/05\/image-106.webp\"\/>Figure 2. 
Multi-stage Linux intrusion via F5 and Confluence \u2013 Threat actor activities.<\/p>\n<h3 class=\"wp-block-heading\" id=\"initial-access-exploiting-edge-appliances\">Initial access: Exploiting edge appliances<\/h3>\n<p class=\"wp-block-paragraph\">The threat actor established SSH access to the first Linux host from a network device identified as an F5 BIG-IP load balancer&#8230;.<\/p>\n<p><a href=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2026\/05\/22\/from-edge-appliance-to-enterprise-compromise-multi-stage-linux-intrusion-via-f5-and-confluence\/\">Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>From edge appliance to enterprise compromise: Multi-stage Linux intrusion via F5 and Confluence https:\/\/www.microsoft.com\/en-us\/security\/blog\/2026\/05\/22\/from-edge-appliance-to-enterprise-compromise-multi-stage-linux-intrusion-via-f5-and-confluence\/ Publish&#8230;<\/p>\n","protected":false},"author":1,"featured_media":252794,"comment_status":"closed","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2026\/04\/MS_Actional-Insights_Access.png","fifu_image_alt":"","footnotes":""},"categories":[48],"tags":[71,57,34],"class_list":["post-252791","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-linux","tag-linux","tag-security","tag-threat-actor"],"_links":{"self":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/252791"}],"collection":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/comments?post=252791"}],"version-history":[{"count":1,"href":"https
:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/252791\/revisions"}],"predecessor-version":[{"id":252795,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/252791\/revisions\/252795"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/media\/252794"}],"wp:attachment":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/media?parent=252791"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/categories?post=252791"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/tags?post=252791"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}