Outdated BIG-IP Devices Expose Linux Networks (Arabian Post)
A May 22 threat intelligence disclosure detailed a multi-stage intrusion that began with an exposed F5 BIG-IP load balancer and moved through Linux infrastructure, an internal Atlassian Confluence server and eventually Active Directory. The case underlines a widening risk for organisations that continue to operate end-of-life appliances at the network perimeter, where devices often hold privileged credentials, certificates and trusted routes into sensitive systems.
The appliance identified in the attack was an Azure-hosted BIG-IP Virtual Edition running version 15.1.201000, a build associated with cloud deployments and commonly used in templates for BIG-IP instances. That version reached end-of-life on December 31, 2024, leaving organisations dependent on compensating controls rather than full vendor-backed security coverage.
Investigators found that the threat actor established SSH access from the F5 device to a Linux server by using a privileged account. The attacker did not need to install a conventional persistence mechanism because the account already provided sustained hands-on-keyboard access. That detail is significant for defenders: the compromise did not depend solely on malware but on the abuse of trusted access paths that many security teams may not monitor with the same intensity as Windows endpoints.
Once inside the Linux environment, the attacker conducted reconnaissance, searched for internal systems and identified a Confluence server with unpatched vulnerabilities. The server became the next pivot point. Attempts to drop payloads were blocked on hardened systems, prompting the attacker to use a Python-based FTP server on the first Linux host to transfer custom scanning tools and other payloads.
The intrusion then shifted towards credential theft. Configuration files linked to Confluence were accessed to obtain credentials, which were then used in authentication attempts against Windows infrastructure. The campaign included NTLM and Kerberos-focused activity against the domain controller, showing how a breach that began on an edge appliance could evolve into an identity attack targeting the core of an enterprise network.
The incident reflects a broader change in attacker behaviour. Firewalls, VPN gateways, application delivery controllers and load balancers were once treated mainly as protective layers. They are now high-value targets because they are internet-facing, deeply trusted inside corporate networks and often less visible to endpoint detection tools. Attackers can use them to bypass controls, blend into administrative traffic and exploit outdated trust relationships.
F5's BIG-IP platform is widely used by large organisations for traffic management, application availability, access control and security. That footprint increases the potential impact when ageing deployments remain exposed. Security researchers have estimated that hundreds of thousands of internet-facing hosts sit behind BIG-IP instances, making asset inventory and lifecycle management central to risk reduction.
The latest case also follows a difficult period for F5 customers. In October 2025, F5 disclosed that a highly sophisticated nation-state actor had maintained long-term access to parts of its corporate environment and downloaded files from systems including its BIG-IP product development environment and engineering knowledge management platforms. The company said it had contained that activity and had not seen new unauthorised activity after its response.
Security concern has also been sharpened by CVE-2025-53521, a BIG-IP Access Policy Manager vulnerability that was recategorised in March 2026 as a critical unauthenticated remote code execution flaw. The vulnerability carries a CVSS v3.1 score of 9.8 and affects BIG-IP APM when an access policy is configured on a virtual server. It has been listed as actively exploited, with agencies in several countries urging immediate mitigation.
For enterprises, the central lesson is that edge appliances must be treated as high-value identity and access assets, not merely network hardware. Unsupported versions should be retired, externally exposed management interfaces restricted, administrative login patterns monitored and privileged accounts reviewed for unnecessary sudo rights or broad internal reach.
Defenders are also being urged to extend telemetry across Linux systems, SaaS platforms and identity infrastructure. The observed attack used custom ELF payloads as well as commodity tools for scanning, tunnelling and authentication attacks, but several stages were detectable through suspicious SSH logins, file enumeration, unexpected process execution by Java services and attempts to coerce authentication against domain controllers.
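Two of the detection points named above, privileged SSH logins arriving from somewhere other than the expected jump host and shells spawned by the Confluence Java service, can be checked with a short script over sshd log lines and a process-tree snapshot. The Python below is an added illustration, not code from the report, F5 or Atlassian; the addresses, account names, log lines and process records are constructed, and the source allowlist and tool list are assumptions to be adapted locally.

```python
import re
from collections import namedtuple

# Hypothetical allowlist: admin SSH is expected only from the jump host, never from the appliance.
EXPECTED_ADMIN_SOURCES = {"10.10.0.5"}
PRIVILEGED_USERS = {"root", "admin", "svc_deploy"}
SHELL_OR_TOOLING = {"sh", "bash", "dash", "python3", "curl", "wget", "nc"}
SSHD_RE = re.compile(r"sshd\[\d+\]: Accepted \S+ for (?P<user>\S+) from (?P<src>\S+) port \d+")

def suspicious_ssh_logins(lines, expected_sources=EXPECTED_ADMIN_SOURCES, privileged=PRIVILEGED_USERS):
    """Return (user, source) for accepted logins of privileged accounts from unexpected sources."""
    hits = []
    for line in lines:
        m = SSHD_RE.search(line)  # only successful logins; failures are a separate signal
        if m and m["user"] in privileged and m["src"] not in expected_sources:
            hits.append((m["user"], m["src"]))
    return hits

# Minimal process record (constructed; a real feed would come from auditd, eBPF or an EDR agent).
ProcEvent = namedtuple("ProcEvent", "pid ppid comm cmdline")

def java_spawned_tooling(events, tooling=SHELL_OR_TOOLING):
    """Return (java_pid, child_comm) where a Confluence Java process spawned a shell or tool."""
    by_pid = {e.pid: e for e in events}
    flagged = []
    for e in events:
        parent = by_pid.get(e.ppid)
        if (parent and parent.comm == "java" and "confluence" in parent.cmdline.lower()
                and e.comm in tooling):
            flagged.append((parent.pid, e.comm))
    return flagged

# Constructed sample data: the third sshd line is root logging in from an address that is not the jump host.
SAMPLE_SSHD = [
    "Mar 3 10:01:12 lnx01 sshd[2211]: Accepted publickey for alice from 10.10.0.5 port 51122 ssh2",
    "Mar 3 10:03:40 lnx01 sshd[2290]: Accepted password for root from 10.10.0.5 port 51190 ssh2",
    "Mar 3 10:07:03 lnx01 sshd[2344]: Accepted password for root from 10.20.1.250 port 40012 ssh2",
    "Mar 3 10:07:09 lnx01 sshd[2350]: Failed password for root from 10.20.1.250 port 40013 ssh2",
]
SAMPLE_PROCS = [
    ProcEvent(1200, 1, "java", "/opt/java/bin/java -Dconfluence.home=/var/atlassian/confluence"),
    ProcEvent(1301, 1200, "bash", "bash -c id"),          # shell under the Confluence JVM: flag
    ProcEvent(1400, 1, "java", "/opt/java/bin/java -jar app.jar"),
    ProcEvent(1401, 1400, "sh", "sh -c ls"),               # unrelated Java app: not flagged
]

if __name__ == "__main__":
    print(suspicious_ssh_logins(SAMPLE_SSHD))
    print(java_spawned_tooling(SAMPLE_PROCS))
```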
Patch management alone may not be enough where appliances are past vendor support or cannot be taken offline quickly. Organisations with older BIG-IP deployments face pressure to combine upgrades with threat hunting, SIEM integration, strict management-plane controls and checks for credential exposure in connected applications.