{"id":253931,"date":"2026-05-24T05:58:00","date_gmt":"2026-05-24T09:58:00","guid":{"rendered":"https:\/\/news-you-need.com\/index.php\/2026\/05\/24\/hackers-exploit-f5-big-ip-appliance-to-gain-ssh-access-and-pivot-into-enterprise-linux-networks\/"},"modified":"2026-05-24T06:00:12","modified_gmt":"2026-05-24T10:00:12","slug":"hackers-exploit-f5-big-ip-appliance-to-gain-ssh-access-and-pivot-into-enterprise-linux-networks","status":"publish","type":"post","link":"https:\/\/news-you-need.com\/index.php\/2026\/05\/24\/hackers-exploit-f5-big-ip-appliance-to-gain-ssh-access-and-pivot-into-enterprise-linux-networks\/","title":{"rendered":"Hackers Exploit F5 BIG-IP Appliance to Gain SSH Access and Pivot Into Enterprise Linux Networks"},"content":{"rendered":"<p><a href=\"https:\/\/cybersecuritynews.com\/f5-big-ip-exploited-for-ssh-access\/\">Hackers Exploit F5 BIG-IP Appliance to Gain SSH Access and Pivot Into Enterprise Linux Networks<\/a><\/p>\n<p><a href=\"https:\/\/cybersecuritynews.com\/f5-big-ip-exploited-for-ssh-access\/\">https:\/\/cybersecuritynews.com\/f5-big-ip-exploited-for-ssh-access\/<\/a><\/p>\n<p>Publish Date: <a href=\"publish_date]\">2026-05-24 05:58:00<\/a><\/p>\n<p>Source Domain: <a href=\"cybersecuritynews.com\">cybersecuritynews.com<\/a><\/p>\n<p class=\"wp-block-paragraph\">In a multi-stage intrusion, a threat actor exploited an internet-facing F5 BIG-IP edge appliance as the entry point for a widespread, identity-focused attack that ultimately accessed Active Directory.<\/p>\n<p class=\"wp-block-paragraph\">According to Microsoft\u2019s Defender Security Research, the attack reflects a growing trend in which firewalls, VPN gateways, and load balancer devices traditionally deployed as security boundaries are being repurposed as initial access points.<\/p>\n<p class=\"wp-block-paragraph\">Because edge appliances are externally exposed, lightly monitored, and highly trusted inside enterprise environments, a single compromise can hand attackers 
a durable, low-visibility foothold along with stored credentials, certificates, and identity integrations.<\/p>\n<h2 id=\"h-initial-access-through-an-end-of-life-f5-big-ip\" class=\"wp-block-heading\"><strong>Initial Access Through an End-of-Life F5 BIG-IP<\/strong><\/h2>\n<p class=\"wp-block-paragraph\">The threat actor established SSH access to the first Linux host from a network device identified as an F5 BIG-IP load balancer. Device inventory pinned the source to an Azure-hosted BIG-IP Virtual Edition appliance running version 15.1.201000, a build commonly deployed through Azure ARM templates and Terraform modules that reached end-of-life on December 31, 2024.<\/p>\n<p>Attack Flow<\/p>\n<p class=\"wp-block-paragraph\">The actor authenticated to the Linux server over SSH using a privileged account and maintained hands-on keyboard access throughout the operation without deploying explicit persistence mechanisms, highlighting the danger posed by over-privileged identities with sudo rights.<\/p>\n<p class=\"wp-block-paragraph\">Once on the host, the attacker conducted aggressive reconnaissance. 
Using a shell script, they ran horizontal Nmap scans across internal subnets to enumerate live hosts, followed by deeper vertical scans to identify open services.<\/p>\n<p class=\"wp-block-paragraph\">The tool gowitness was then used to capture screenshots and fingerprint exposed HTTP\/HTTPS services via a SOCKS5 proxy.<\/p>\n<p class=\"wp-block-paragraph\">Where Windows servers were discovered, the actor attempted NTLM-based lateral movement using a familiar open-source toolkit, including enum4linux, netexec, smbclient, rpcclient, timeroast,&#8230;<\/p>\n<p><a href=\"https:\/\/cybersecuritynews.com\/f5-big-ip-exploited-for-ssh-access\/\">Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Hackers Exploit F5 BIG-IP Appliance to Gain SSH Access and Pivot Into Enterprise Linux Networks&#8230;<\/p>\n","protected":false},"author":1,"featured_media":253932,"comment_status":"closed","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"http:\/\/cybersecuritynews.com\/wp-content\/uploads\/2026\/05\/F5-BIG-IP-Exploited-for-SSH-Access.webp","fifu_image_alt":"","footnotes":""},"categories":[48],"tags":[31,71,57,34],"class_list":["post-253931","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-linux","tag-exploit","tag-linux","tag-security","tag-threat-actor"],"_links":{"self":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/253931"}],"collection":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/comments?post=253931"}],"version-history":[{"count":1,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/253931\/revisions"}],"predece
ssor-version":[{"id":253933,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/253931\/revisions\/253933"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/media\/253932"}],"wp:attachment":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/media?parent=253931"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/categories?post=253931"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/tags?post=253931"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}