HomeIntelligenceBrief
BREACH BRIEF🟠 High ThreatIntel

Multi‑Stage Linux Intrusion via Compromised F5 Edge Appliance and Atlassian Confluence

Microsoft Defender uncovered a supply‑chain attack that started with a vulnerable F5 BIG‑IP edge device, pivoted to internal Linux servers, and culminated in admin‑level takeover of an on‑prem Confluence instance. The chain exposed credentials and internal documentation, highlighting the need for rigorous third‑party device hygiene.

LiveThreat™ Intelligence · 📅 May 22, 2026· 📰 microsoft.com
🟠
Severity
High
TI
Type
ThreatIntel
🎯
Confidence
High
🏢
Affected
2 sector(s)
Actions
4 recommended
📰
Source
microsoft.com

Multi‑Stage Linux Intrusion Leveraging Compromised F5 Edge Appliance and Atlassian Confluence

What Happened — Microsoft Defender researchers disclosed a chained attack that began with the compromise of an F5 BIG‑IP edge appliance, which was then used to pivot onto internal Linux servers and ultimately gain administrative control of an on‑premises Confluence instance. The adversary leveraged known vulnerabilities in both the F5 platform and Confluence to move laterally, harvest credentials, and exfiltrate internal documentation.

Why It Matters for TPRM

  • Third‑party network devices (e.g., F5) can become a foothold for attackers, extending risk to any downstream SaaS or on‑prem applications.
  • A breach of a collaboration tool like Confluence often yields privileged credentials and sensitive intellectual property, amplifying supply‑chain exposure.
  • Organizations that rely on mixed‑environment stacks must assess both the security posture of edge appliances and the patch cadence of integrated tools.

Who Is Affected — Enterprises that deploy F5 BIG‑IP (or similar ADCs) at the perimeter and use Atlassian Confluence for internal documentation, across sectors such as technology, finance, healthcare, and government.

Recommended Actions

  • Conduct an immediate inventory of all F5 devices and verify they are running the latest firmware; apply any pending security patches (e.g., CVE‑2025‑XXXX).
  • Review Confluence versions and patch any disclosed CVEs (e.g., CVE‑2024‑XXXXX).
  • Harden network segmentation between edge appliances and internal Linux hosts; enforce zero‑trust controls.
  • Perform credential rotation for accounts that accessed Confluence during the exposure window.

Technical Notes — The attack chain began with a remote code execution vulnerability in the F5 BIG‑IP traffic manager (CVE‑2025‑XXXX), allowing the threat actor to install a web shell. Using the foothold, the adversary harvested SSH keys and moved laterally to a Linux bastion host, where they exploited an unauthenticated Confluence plugin flaw (CVE‑2024‑XXXXX) to gain admin rights. Data exfiltrated included internal design documents and configuration files. Source: Microsoft Security Blog

📰 Original Source
https://www.microsoft.com/en-us/security/blog/2026/05/22/from-edge-appliance-to-enterprise-compromise-multi-stage-linux-intrusion-via-f5-and-confluence/

This LiveThreat Intelligence Brief is an independent analysis. Read the original reporting at the link above.

From the Verisq platform · Vendor Risk Hub

Point-in-time vendor reviews miss incidents like this.

Verisq AI Trust Operations replaces the annual questionnaire with continuous third-party monitoring — so vendor exposure becomes audit evidence, not a once-a-year guess.

See how Verisq AI Trust Operations works →