Hackers broke into an unpatched F5 edge appliance at a global enterprise, rode its privileged SSH access into the company's Linux network, and ultimately compromised Active Directory by chaining two year-old vulnerabilities Microsoft had repeatedly warned defenders to patch, according to a threat intelligence report the company published Thursday.

The intrusion shows how devices deployed as security boundaries—firewalls, VPN concentrators, load balancers—are increasingly the weakest link when organizations let vendor support lapse. The victim ran F5 BIG-IP Virtual Edition 15.1.201000, which reached end-of-life on December 31, 2024, leaving it without patches for nearly five months before the breach.

Microsoft's Defender Security Research team traced the full kill chain: initial access through the Azure-hosted F5 appliance, lateral movement across Linux hosts using sudo credentials, reconnaissance with Nmap and custom scanning tools, exploitation of an internal Atlassian Confluence server, credential theft from configuration files, and finally a relay attack against domain controllers using CVE-2025-33073, a Windows SMB flaw Synacktiv researchers disclosed in June 2025 that lets any authenticated user escalate to SYSTEM privileges.

The F5 appliance likely fell through a known gap. CVE-2025-53521, a critical remote code execution bug in BIG-IP Access Policy Manager with a CVSS score of 9.8, was originally disclosed in October 2025 as a denial-of-service issue. F5 reclassified it as an RCE flaw in March 2026, and CISA added it to its Known Exploited Vulnerabilities catalog on March 27. Shadowserver Foundation reported more than 17,000 vulnerable IP addresses exposed to the internet at the time, with over 240,000 BIG-IP instances visible online as of April.

Once inside, the attackers moved methodically. They used the F5 appliance's SSH access to reach internal Linux systems, deployed reconnaissance tools including a custom ELF binary Microsoft tracks as HackTool:Linux/MalPack.B, and scanned for application servers. The group found an unpatched Atlassian Confluence instance—not exposed to the internet, but reachable from the compromised network—and exploited it to steal credentials stored in server.xml and confluence.cfg.xml files.

Those credentials opened the path to Windows. The attackers used netexec and Kerbrute to enumerate domain accounts, manipulated DNS records to poison name resolution, and coerced authentication requests with PetitPotam, a technique that forces domain controllers to initiate NTLM handshakes. They relayed those handshakes through CVE-2025-33073, which bypasses SMB signing requirements and achieves authenticated remote code execution as SYSTEM. CISA flagged active exploitation of that flaw in October 2025.

"This attack reflects a broader pattern where perimeter devices become persistent footholds because they sit outside traditional endpoint monitoring," Microsoft's researchers wrote in Thursday's report. "Organizations often patch servers and workstations on strict schedules but leave appliances running legacy firmware until a visible incident forces remediation."

F5 itself suffered a separate, unrelated breach last year. In October 2025, the company disclosed on its website that a sophisticated nation-state actor had maintained long-term access to parts of its corporate environment and exfiltrated files from BIG-IP product development systems. That breach did not involve CVE-2025-53521, but it underscored the value attackers place on network infrastructure vendors.

The timing compounds the risk. Both CVE-2025-53521 and CVE-2025-33073 have been on CISA's Known Exploited Vulnerabilities list for weeks, with federal agencies under binding operational directives to patch or mitigate by set deadlines. The intrusion documented by Microsoft suggests those deadlines matter beyond the .gov perimeter—especially for edge devices that often run years behind internal patch cycles.

Microsoft did not name the victim organization or disclose how the intrusion was ultimately detected. The company traced command-and-control traffic to 206.189.27[.]39 but did not attribute the activity to a known threat group. The absence of attribution may reflect the attackers' operational security or the reality that many intrusions now blend commodity techniques from multiple playbooks rather than fitting a single group's profile.

Organizations running BIG-IP appliances should verify they are on supported software versions and prioritize patching CVE-2025-53521. Those with domain-joined Windows systems should ensure SMB signing is enforced on all hosts and check for indicators of CVE-2025-33073 exploitation, including unexpected SYSTEM-level processes spawned from SMB services. SSH access from edge appliances into production networks should be logged, monitored, and restricted to the narrowest necessary scope—or eliminated entirely where jump hosts can mediate the access instead.