Introduction
The F5 BIG IP exploited for SSH access campaign is rapidly becoming one of the most dangerous edge infrastructure threats affecting enterprise networks in 2026. Security researchers recently uncovered a sophisticated multi-stage intrusion operation in which attackers abused internet-facing F5 BIG IP appliances to gain SSH access to internal Linux systems before pivoting deeper into enterprise infrastructure.
The attack matters because F5 BIG IP appliances sit at critical points inside enterprise environments. Organizations use them for:
• Load balancing
• VPN access
• Identity management
• Application delivery
• Reverse proxy services
• Access Policy Manager deployments
• Hybrid cloud connectivity
• Secure remote access
When attackers compromise these edge systems, they gain access to highly trusted infrastructure components already positioned between the internet and internal enterprise networks.
Researchers observed attackers using compromised F5 BIG IP appliances to:
• Establish SSH access
• Pivot into Linux environments
• Conduct internal reconnaissance
• Access Active Directory environments
• Perform credential attacks
• Abuse NTLM authentication
• Target Confluence systems
• Expand lateral movement operations
The most alarming part is that the attackers leveraged end-of-life F5 BIG IP Virtual Edition appliances running unsupported versions inside Azure environments.
As an independent cybersecurity blogger and part-time penetration tester, I find this attack stands out because it reflects a growing industry trend.
Attackers increasingly target edge infrastructure instead of traditional endpoints.
Once they compromise edge devices like F5 BIG IP systems, they often gain low visibility access into the heart of enterprise networks.
What Happened
How F5 BIG IP Was Exploited for SSH Access
Microsoft Defender Security Research documented a multi-stage intrusion campaign in which attackers compromised an internet-facing F5 BIG IP Virtual Edition appliance hosted in Azure.
The compromised device reportedly ran:
• BIG IP version 15.1.201000
• Azure hosted Virtual Edition deployment
• Unsupported end of life software
The vulnerable version reached end of life on December 31, 2024, leaving it unsupported and unpatched at the time of exploitation.
Researchers observed the attackers establishing SSH access to internal Linux systems originating from the compromised F5 BIG IP appliance.
Once inside the network, the attackers conducted:
• Internal network scanning
• Credential attacks
• HTTP and HTTPS enumeration
• NTLM relay attempts
• Confluence targeting
• Active Directory reconnaissance
The attackers reportedly used tools including:
• Kerbrute
• gowitness
• Nmap scanning scripts
• NTLM relay scripts
• Custom reconnaissance tooling
Researchers also identified command and control infrastructure linked to the campaign.
The F5 BIG IP exploited for SSH access campaign demonstrates how attackers increasingly use edge devices as stealthy initial access vectors.
These appliances are attractive targets because they are:
• Internet exposed
• Highly trusted internally
• Often lightly monitored
• Rich in credentials and certificates
• Positioned near identity infrastructure
Technical Analysis
How Attackers Exploited F5 BIG IP for SSH Access
The F5 BIG IP exploited for SSH access campaign involved multiple attack stages targeting hybrid enterprise environments.
Initial Edge Appliance Compromise
The attackers first compromised an Azure hosted F5 BIG IP Virtual Edition appliance.
Researchers did not publicly disclose the exact initial exploit path used during this intrusion. However, multiple actively exploited F5 BIG IP vulnerabilities have recently affected Access Policy Manager deployments.
One major concern involves CVE-2025-53521, a critical F5 BIG IP APM vulnerability reclassified from denial of service to remote code execution after evidence of active exploitation emerged.
The vulnerability reportedly allows:
• Remote code execution
• Unauthorized command execution
• Access policy abuse
• Edge appliance compromise
• Initial enterprise access
CISA added the flaw to its Known Exploited Vulnerabilities catalog due to active attacks in the wild.
SSH Access Establishment
Once the attackers compromised the F5 BIG IP appliance, they used it as a launch point to establish SSH sessions into internal Linux hosts.
This is critically important.
The attackers did not immediately deploy malware across the environment.
Instead, they leveraged:
• Existing privileged accounts
• SSH trust relationships
• Administrative credentials
• Network adjacency
• Internal visibility
This reduced detection opportunities significantly.
Attack Chain
A realistic F5 BIG IP exploited for SSH access attack chain may involve:
- Internet facing F5 BIG IP discovery
- Exploitation of vulnerable appliance
- SSH access establishment
- Internal network reconnaissance
- Linux system compromise
- Credential harvesting
- NTLM relay operations
- Confluence exploitation
- Active Directory targeting
- Domain level compromise
This multi-stage approach demonstrates strong operational discipline.
Internal Reconnaissance
Researchers observed attackers using:
• gowitness for screenshot collection
• SOCKS5 proxying
• Nmap network enumeration
• Kerbrute for Active Directory reconnaissance
• Custom scanning tools
The attackers focused heavily on:
• Internal web services
• Confluence environments
• Authentication systems
• Windows infrastructure
• Identity services
Credential Attacks
The attackers also attempted:
• NTLM relay attacks
• Credential harvesting
• Active Directory enumeration
• Lateral movement operations
This demonstrates how edge appliance compromise quickly transitions into identity focused attacks.
Why Edge Appliances Are High Value Targets
The F5 BIG IP exploited for SSH access campaign highlights why attackers increasingly target edge infrastructure.
F5 BIG IP appliances commonly store:
• Authentication tokens
• VPN credentials
• Certificates
• Identity integrations
• Access policies
• Internal routing visibility
Compromising these devices often provides attackers with:
• Low visibility access
• Internal network trust
• Credential exposure
• Hybrid cloud access
• Enterprise pivot opportunities
Threat Actor Tactics
Threat actors exploiting F5 BIG IP systems increasingly combine:
• Edge appliance exploitation
• SSH pivoting
• Identity attacks
• NTLM relay operations
• Cloud infrastructure abuse
• Hybrid network compromise
• Active Directory targeting
• Credential harvesting
The shift toward edge infrastructure attacks reflects a major evolution in enterprise intrusion tactics.
Why This Issue Matters
Why F5 BIG IP Exploited for SSH Access Matters for Enterprises
The F5 BIG IP exploited for SSH access campaign creates major risks for organizations operating hybrid environments.
Enterprise Risks
Large enterprises frequently deploy F5 BIG IP systems across:
• Data centers
• Cloud infrastructure
• VPN gateways
• Identity platforms
• Application delivery environments
• Remote access systems
A successful compromise may expose:
• Internal Linux systems
• Active Directory environments
• Identity infrastructure
• VPN credentials
• Cloud integrations
• Enterprise authentication systems
Cloud Security Risks
The compromised appliance in this campaign operated inside Azure infrastructure.
This demonstrates how attackers increasingly target:
• Hybrid cloud infrastructure
• Cloud hosted edge appliances
• Virtualized BIG IP deployments
• Infrastructure as code environments
SMB Risks
Small businesses face elevated risk because many organizations:
• Run unsupported appliances
• Delay patching edge infrastructure
• Lack edge device monitoring
• Expose management interfaces publicly
• Trust VPN infrastructure implicitly
Operational Risks
A successful F5 BIG IP compromise may cause:
• Identity compromise
• SSH based lateral movement
• Active Directory exposure
• Internal reconnaissance
• Credential theft
• Network persistence
• SOC visibility gaps
Regulatory Risks
Organizations affected by edge appliance compromise may face exposure under:
• HIPAA
• PCI DSS
• GDPR
• SOC 2
• ISO 27001
• NIST frameworks
Potential Attack Scenarios
VPN Gateway Compromise
Attackers exploit vulnerable F5 BIG IP systems exposed to the internet.
The attackers gain SSH access into internal Linux infrastructure.
Cloud Infrastructure Pivot
Compromised Azure hosted BIG IP appliances provide attackers visibility into hybrid enterprise environments.
Identity Infrastructure Attack
Threat actors target Active Directory environments using Kerbrute and NTLM relay techniques after edge compromise.
Confluence Exploitation
Attackers identify internal Atlassian systems and pivot into collaboration environments.
Stealthy Persistence Scenario
The attackers maintain hands-on-keyboard SSH access without deploying obvious malware, reducing detection opportunities.
Detection and Monitoring Strategies
How to Detect F5 BIG IP Exploited for SSH Access Activity
Organizations should immediately strengthen monitoring around edge infrastructure.
Logging Recommendations
Monitor:
• SSH logins originating from BIG IP devices
• Unexpected appliance activity
• Network scanning behavior
• Internal reconnaissance
• Confluence access anomalies
• Kerberos authentication enumeration
EDR Monitoring
EDR platforms should detect:
• Unauthorized SSH sessions
• NTLM relay attempts
• Credential harvesting
• Lateral movement activity
• Unusual Linux process execution
• Network reconnaissance behavior
SIEM Correlation
SOC teams should create detections for:
• SSH traffic from edge appliances
• Internal scanning activity
• Kerbrute execution
• NTLM authentication anomalies
• Confluence exploitation attempts
• Active Directory reconnaissance
Threat Hunting Guidance
Threat hunters should search for:
• BIG IP originated SSH traffic
• Suspicious SOCKS5 proxy usage
• Credential relay indicators
• Internal enumeration behavior
• Identity attack patterns
• Persistence mechanisms
Identity Security Monitoring
Monitor for:
• Kerberos enumeration
• Privilege escalation
• NTLM relay attempts
• Credential misuse
• MFA bypass attempts
• Unusual administrative access
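The detection items above (SSH logins originating from BIG IP devices, SSH traffic from edge appliances, BIG IP originated SSH traffic) can be turned into a concrete check over Linux sshd logs. The following is an added example, not code from the original post or from Microsoft's research: it parses standard OpenSSH "Accepted" lines, flags successful logins whose source address falls inside the appliance ranges the defender maintains, and separately flags a single source that logs in as several distinct accounts, which is the footprint of a pivot host re-using harvested credentials. The log lines, the 10.10.0.0/24 appliance range and the fan-out threshold are constructed placeholders.

```python
"""Added example (not from the original post): flag Linux SSH logins whose
source is an edge appliance address, and sources that log in as several
distinct accounts. Log lines, addresses and the threshold are constructed."""
import ipaddress
import re
from collections import defaultdict

# Assumption: the defender maintains the list of BIG IP self-IP / management
# ranges; 10.10.0.0/24 is a constructed placeholder, not a value from the post.
EDGE_APPLIANCE_NETS = [ipaddress.ip_network("10.10.0.0/24")]

# Standard OpenSSH "Accepted ..." line as written to auth.log / the journal.
SSHD_ACCEPTED = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s(?P<host>\S+)\ssshd\[\d+\]:\s"
    r"Accepted\s(?P<method>\S+)\sfor\s(?P<user>\S+)\sfrom\s(?P<src>[\d.]+)\sport\s\d+"
)

# Constructed sample: one normal deploy login, then three logins from the
# appliance range onto three different hosts as three different accounts,
# followed by a failed attempt that the parser must ignore.
SAMPLE_LOG = [
    "Mar  3 02:14:07 app01 sshd[2210]: Accepted publickey for deploy from 10.20.5.17 port 50122 ssh2",
    "Mar  3 02:31:55 app01 sshd[2419]: Accepted password for root from 10.10.0.12 port 41022 ssh2",
    "Mar  3 02:33:10 db01 sshd[913]: Accepted password for svc_backup from 10.10.0.12 port 41030 ssh2",
    "Mar  3 02:34:48 wiki01 sshd[1187]: Accepted password for confluence from 10.10.0.12 port 41044 ssh2",
    "Mar  3 02:40:01 app01 sshd[2500]: Failed password for invalid user admin from 10.10.0.12 port 41050 ssh2",
]


def parse_accepted(line):
    """Return the fields of an sshd 'Accepted' line, or None for any other line."""
    m = SSHD_ACCEPTED.match(line)
    return m.groupdict() if m else None


def from_edge_appliance(src):
    """True when the source address falls inside an edge appliance range."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in EDGE_APPLIANCE_NETS)


def find_edge_ssh_logins(lines):
    """Successful SSH logins that originated from an edge appliance address.
    A load balancer has no business opening interactive SSH sessions to
    internal hosts, so every hit is worth a ticket."""
    hits = []
    for line in lines:
        rec = parse_accepted(line)
        if rec and from_edge_appliance(rec["src"]):
            hits.append(rec)
    return hits


def find_account_fan_out(lines, min_users=3):
    """Sources that logged in as at least min_users distinct accounts: the
    pattern of one pivot host re-using a harvested credential set."""
    users_by_src = defaultdict(set)
    for line in lines:
        rec = parse_accepted(line)
        if rec:
            users_by_src[rec["src"]].add(rec["user"])
    return {src: sorted(users) for src, users in users_by_src.items()
            if len(users) >= min_users}


if __name__ == "__main__":
    for rec in find_edge_ssh_logins(SAMPLE_LOG):
        print(f"[edge-ssh] {rec['ts']} {rec['host']}: {rec['user']} from {rec['src']} ({rec['method']})")
    for src, users in find_account_fan_out(SAMPLE_LOG).items():
        print(f"[fan-out] {src} logged in as {', '.join(users)}")
```

In production the appliance ranges come from the asset inventory rather than a constant, and the same two rules map directly onto a SIEM correlation search over centrally collected auth logs; the point of running it host-side as well is that a SOCKS proxy on the appliance makes the appliance's own IP the only network-level trace of the pivot.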
Mitigation Recommendations
How to Mitigate F5 BIG IP Exploited for SSH Access Risks
Organizations should immediately harden edge infrastructure.
Recommended Security Actions
• Patch F5 BIG IP appliances immediately
• Retire end of life BIG IP systems
• Restrict SSH access aggressively
• Harden VPN gateway configurations
• Enable MFA everywhere possible
• Restrict management interface exposure
• Segment edge infrastructure
• Monitor BIG IP activity continuously
• Harden Active Directory protections
• Disable unnecessary NTLM usage
• Enforce SMB signing
• Conduct vulnerability management reviews
• Expand threat hunting operations
• Harden cloud hosted BIG IP deployments
• Conduct incident response exercises
• Implement Zero Trust architecture
Additional Security Measures
Organizations should also:
• Audit all internet facing appliances
• Harden hybrid cloud infrastructure
• Improve SIEM visibility into edge systems
• Monitor Linux SSH access closely
• Restrict privileged accounts
• Expand identity security monitoring
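"Restrict SSH access aggressively" and "Monitor Linux SSH access closely" translate into a handful of sshd_config settings on each internal Linux host. The following is an added example, not configuration from the original post or from F5: it shows a permissive sshd_config beside a hardened one and a small auditor that parses the file, checks root login, password authentication and the presence of an allow list, and verifies that the defender's edge appliance range is explicitly denied in a Match block so that a compromised appliance cannot log in even with a valid key. Both configurations and the 10.10.0.0/24 (appliance) and 10.20.0.0/16 (admin bastion) ranges are constructed placeholders.

```python
"""Added example (not from the original post): audit an OpenSSH sshd_config
for the settings that contain an SSH pivot from an edge appliance. Both
configurations and the address ranges are constructed for illustration."""
import ipaddress

# Assumption (constructed): the BIG IP self-IP range that must never open SSH
# sessions to internal hosts.
EDGE_NETS = [ipaddress.ip_network("10.10.0.0/24")]

# A permissive config of the kind the post warns about.
WEAK_CONFIG = """
PermitRootLogin yes
PasswordAuthentication yes
PubkeyAuthentication yes
"""

# The same host with the pivot paths closed: no root, no passwords, an explicit
# allow list of accounts and source ranges, and an explicit deny for the
# appliance range so a compromised BIG IP cannot log in even with valid keys.
HARDENED_CONFIG = """
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
AllowUsers deploy@10.20.0.0/16 ops@10.20.0.0/16
Match Address 10.10.0.0/24
    DenyUsers *
"""


def parse_sshd_config(text):
    """Return (global_settings, match_blocks). Keywords are case-insensitive and
    values are kept as lists because some keywords may repeat. Only the
    whitespace-separated 'Keyword value' form is handled, not 'Keyword=value'."""
    global_settings, match_blocks = {}, []
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            current = {"criteria": value, "settings": {}}
            match_blocks.append(current)
            continue
        target = current["settings"] if current is not None else global_settings
        target.setdefault(key, []).append(value)
    return global_settings, match_blocks


def match_covers(criteria, net):
    """True when a Match line's Address criterion contains the whole network."""
    tokens = criteria.split()
    for i, tok in enumerate(tokens):
        if tok.lower() == "address" and i + 1 < len(tokens):
            for cidr in tokens[i + 1].split(","):
                if net.subnet_of(ipaddress.ip_network(cidr)):
                    return True
    return False


def audit_sshd_config(text, edge_nets):
    """Return a list of findings; an empty list means every check passed."""
    g, blocks = parse_sshd_config(text)
    findings = []

    def setting(key, default):
        return g.get(key, [default])[0].lower()

    # OpenSSH defaults: PermitRootLogin prohibit-password, PasswordAuthentication yes
    if setting("permitrootlogin", "prohibit-password") != "no":
        findings.append("PermitRootLogin is not 'no'")
    if setting("passwordauthentication", "yes") == "yes":
        findings.append("PasswordAuthentication is enabled")
    if "allowusers" not in g and "allowgroups" not in g:
        findings.append("no AllowUsers/AllowGroups allow list")
    for net in edge_nets:
        denied = any(match_covers(b["criteria"], net) and "*" in b["settings"].get("denyusers", [])
                     for b in blocks)
        if not denied:
            findings.append(f"no Match Address block denies logins from edge range {net}")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{name}: {audit_sshd_config(cfg, EDGE_NETS) or 'OK'}")
```

Run the auditor against /etc/ssh/sshd_config on each host from configuration management; the deny-by-source rule is the one that directly addresses this campaign, because the attackers relied on existing accounts and trust relationships rather than malware, so a valid credential alone should not be enough from an appliance address.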
Why Cybersecurity Teams Should Pay Attention
The F5 BIG IP exploited for SSH access campaign reflects a major industry shift.
Attackers increasingly target:
• Edge appliances
• VPN infrastructure
• Load balancers
• Identity gateways
• Cloud edge systems
• Hybrid infrastructure
• Access management platforms
• Internet facing devices
The reason is simple.
Edge infrastructure provides attackers with:
• Trusted internal positioning
• Credential exposure
• Low visibility persistence
• Enterprise network access
• Identity integrations
• Cloud connectivity
The F5 BIG IP exploited for SSH access campaign also demonstrates why Zero Trust principles matter for infrastructure systems.
Organizations cannot blindly trust:
• Edge appliances
• VPN gateways
• Identity infrastructure
• Internal SSH trust relationships
• Hybrid cloud connectivity
Trust must be continuously validated.
Key Takeaway
The F5 BIG IP exploited for SSH access campaign demonstrates how attackers increasingly target edge infrastructure to gain stealthy access into enterprise environments.
Researchers observed attackers using compromised F5 BIG IP appliances to establish SSH access, conduct internal reconnaissance, target Active Directory systems, and expand lateral movement operations across hybrid enterprise networks.
The attack reinforces several critical cybersecurity lessons:
• Edge appliances are prime attack targets
• End of life infrastructure creates major risk
• Hybrid cloud environments expand attack surfaces
• Identity systems remain high value targets
• SSH trust relationships require stronger monitoring
• Zero Trust architecture is increasingly critical
Organizations should prioritize:
• Edge infrastructure patching
• Vulnerability management
• Identity security
• SSH monitoring
• Threat hunting
• Hybrid cloud hardening
• Incident response readiness
• Continuous infrastructure visibility
Modern cybersecurity increasingly depends on securing the edge systems attackers now target first. Organizations should patch BIG IP appliances immediately, retire unsupported systems, restrict management access, monitor SSH activity, and strengthen identity security controls.
Why are edge appliance attacks increasing?
Edge appliances provide attackers with trusted internal access, low visibility persistence, cloud connectivity, and opportunities for lateral movement into enterprise infrastructure.

