Multi‑Stage Linux Intrusion Leveraging Compromised F5 Edge Appliance and Atlassian Confluence
What Happened — Microsoft Defender researchers disclosed a chained attack that began with the compromise of an F5 BIG‑IP edge appliance, which was then used to pivot onto internal Linux servers and ultimately gain administrative control of an on‑premises Confluence instance. The adversary leveraged known vulnerabilities in both the F5 platform and Confluence to move laterally, harvest credentials, and exfiltrate internal documentation.
Why It Matters for TPRM —
- Third‑party network devices (e.g., F5) can become a foothold for attackers, extending risk to any downstream SaaS or on‑prem applications.
- A breach of a collaboration tool like Confluence often yields privileged credentials and sensitive intellectual property, amplifying supply‑chain exposure.
- Organizations that rely on mixed‑environment stacks must assess both the security posture of edge appliances and the patch cadence of integrated tools.
Who Is Affected — Enterprises that deploy F5 BIG‑IP (or similar ADCs) at the perimeter and use Atlassian Confluence for internal documentation, across sectors such as technology, finance, healthcare, and government.
Recommended Actions —
- Conduct an immediate inventory of all F5 devices and verify they are running the latest firmware; apply any pending security patches (e.g., CVE‑2025‑XXXX).
- Review Confluence versions and patch any disclosed CVEs (e.g., CVE‑2024‑XXXXX).
- Harden network segmentation between edge appliances and internal Linux hosts; enforce zero‑trust controls.
- Perform credential rotation for accounts that accessed Confluence during the exposure window.
Technical Notes — The attack chain began with a remote code execution vulnerability in the F5 BIG‑IP traffic manager (CVE‑2025‑XXXX), allowing the threat actor to install a web shell. Using the foothold, the adversary harvested SSH keys and moved laterally to a Linux bastion host, where they exploited an unauthenticated Confluence plugin flaw (CVE‑2024‑XXXXX) to gain admin rights. Data exfiltrated included internal design documents and configuration files. Source: Microsoft Security Blog