F5 BIG-IP exploited for SSH

- Microsoft said on May 22 that attackers used an exposed F5 BIG-IP appliance to enter a Linux environment, steal credentials and reach Active Directory.
- The clearest detail is the path: F5 BIG-IP to an internal Confluence server to Kerberos relay and identity compromise, Microsoft Defender Security Research said.
- F5 published May 2026 BIG-IP advisories on May 13, and CISA’s KEV catalog remains the public tracker for exploited F5 flaws.

Microsoft disclosed on May 22 that a multi-stage Linux intrusion began with an exposed F5 BIG-IP edge appliance and expanded into an enterprise environment that included identity systems. Microsoft said the attacker pivoted from the appliance to an internal Confluence server, stole credentials, attempted Kerberos relay and moved toward Active Directory. Cyber Security News and other security outlets summarized the case on May 23 as an example of how a compromised management-plane device can become the first step in a broader enterprise breach.

### How did the intrusion start?

Microsoft said the attack started with an internet-facing F5 BIG-IP device. In Microsoft’s account, the appliance was not the final target; it was the initial foothold that gave the actor a trusted position inside the environment. Microsoft said edge appliances often hold credentials, certificates, session material, authentication tokens and identity integrations that can be reused for lateral movement. (microsoft.com)

F5 published a batch of BIG-IP security advisories on May 13, including CVE-2026-32673 and CVE-2026-32643, both of which describe ways a privileged attacker with management-plane access could execute arbitrary system commands. F5 said those issues affect the management side of BIG-IP rather than the data plane.

### Why does SSH access matter once an appliance is exposed?

SSH access matters because it turns an edge box into an operating point inside the network. (microsoft.com) Cyber Security News reported that the actor gained SSH access on the compromised BIG-IP appliance and used it to pivot into enterprise Linux systems before the intrusion reached identity infrastructure. Microsoft’s write-up describes the same broader chain, though it focuses on the move from the appliance into an internal Linux host and then into identity paths. (my.f5.com)

Microsoft said the actor then targeted an internal Confluence server for credential theft. From there, the company said, the attacker attempted Kerberos relay and other lateral movement steps associated with identity compromise. That sequence matters because it shows the break-in did not stop at perimeter access; it moved into systems that could authenticate or authorize further activity. (cybersecuritynews.com)

### Where did the attacker go after the first foothold?

Microsoft said the campaign progressed from the F5 device to an internal Linux host and then toward Active Directory. Cyber Security News described the incident as “identity-focused” and said the attack ultimately accessed Active Directory. Microsoft said Defender products detected, blocked and helped reconstruct the intrusion path. (microsoft.com)

CISA has separately warned that F5 devices remain attractive targets when unpatched or exposed. In March, CISA added an F5 BIG-IP remote-code-execution flaw, CVE-2025-53521, to its Known Exploited Vulnerabilities catalog, and the agency says the catalog is intended as a living list of flaws confirmed exploited in the wild.

### What should defenders look at first in a case like this?

Microsoft’s case points first to exposed edge infrastructure, especially devices tied to directories, certificates and internal application trust. (microsoft.com) F5’s own advisories emphasize management-port and self-IP exposure, privileged roles and command execution risk on affected systems. CISA said in 2025 that a nation-state-affiliated actor had compromised F5 systems and exfiltrated source code and vulnerability information, a warning that federal agencies should treat F5 exposure as an urgent risk. (cisa.gov) That notice was separate from Microsoft’s May 2026 intrusion report, but it adds context to why defenders track BIG-IP advisories and the KEV catalog closely. (my.f5.com)

### What comes next publicly?
F5’s next public milestones are updates to its security advisories and quarterly notification pages, which were posted on May 13 for the latest BIG-IP issues. Microsoft’s May 22 security blog is the primary public source on this specific intrusion chain, and CISA’s KEV catalog remains the government tracker for F5 vulnerabilities confirmed exploited in the wild. (my.f5.com) (cisa.gov)
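One concrete check for the pivot step the article describes (SSH sessions originating from an edge appliance into internal Linux hosts), run over a few constructed sshd log lines. This is an added example, not code from Microsoft, F5 or the article; the appliance addresses, hostnames and log lines are invented for illustration.

```python
import re
from collections import defaultdict

# Constructed inventory (assumption): addresses that belong to an edge appliance,
# e.g. a BIG-IP management IP and a self-IP. An accepted SSH session *from* one of
# these into an internal Linux host is the appliance-to-Linux pivot in the write-up.
EDGE_APPLIANCE_IPS = {"10.0.0.5", "10.0.1.5"}

# Constructed sshd lines in the usual syslog layout (not real telemetry).
SAMPLE_AUTH_LOG = """\
May 22 01:12:03 web-01 sshd[2231]: Accepted publickey for deploy from 10.0.50.12 port 51022 ssh2: RSA SHA256:abc
May 22 01:14:41 wiki-01 sshd[4102]: Accepted password for svc_confluence from 10.0.1.5 port 42110 ssh2
May 22 01:15:02 wiki-01 sshd[4102]: pam_unix(sshd:session): session opened for user svc_confluence by (uid=0)
May 22 01:20:17 bastion sshd[880]: Failed password for root from 10.0.1.5 port 42200 ssh2
May 22 01:22:09 db-01 sshd[5510]: Accepted publickey for ops from 10.0.0.5 port 39012 ssh2: ED25519 SHA256:def
"""

# Matches both accepted and failed sshd authentication records.
AUTH_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\d+\.\d+\.\d+\.\d+) port \d+"
)

def parse_sshd_events(log_text):
    """Extract authentication events; non-auth lines (pam_unix etc.) are skipped."""
    return [m.groupdict() for line in log_text.splitlines() if (m := AUTH_RE.match(line))]

def find_appliance_pivots(events, appliance_ips=EDGE_APPLIANCE_IPS):
    """Split SSH events whose source is an edge appliance into accepted and failed."""
    from_appliance = [e for e in events if e["src"] in appliance_ips]
    accepted = [e for e in from_appliance if e["result"] == "Accepted"]
    failed = [e for e in from_appliance if e["result"] == "Failed"]
    return accepted, failed

def summarize(log_text, appliance_ips=EDGE_APPLIANCE_IPS):
    """Map each appliance source IP to the (host, user) pairs it logged into, plus failure count."""
    accepted, failed = find_appliance_pivots(parse_sshd_events(log_text), appliance_ips)
    targets = defaultdict(set)
    for e in accepted:
        targets[e["src"]].add((e["host"], e["user"]))
    return {src: sorted(pairs) for src, pairs in targets.items()}, len(failed)

if __name__ == "__main__":
    pivots, failures = summarize(SAMPLE_AUTH_LOG)
    for src, hosts in pivots.items():
        print(f"appliance {src} opened SSH sessions to: {hosts}")
    print(f"failed SSH attempts sourced from appliances: {failures}")
```

On a real fleet the appliance set would come from an asset inventory, and any non-empty result is worth a ticket, since an edge device should normally terminate traffic, not open interactive sessions inward.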
