Bypass Record

Exploitation for Priv-Esc × F5 BIG-IP Virtual Edition 15.1.201000

A publicly-reported instance of Exploitation for Priv-Esc bypassing F5 BIG-IP Virtual Edition 15.1.201000, recorded with its original source. Factual record; no assessment of any specific deployment.

Product
F5 BIG-IP Virtual Edition 15.1.201000
Technique
Exploitation for Priv-Esc
MITRE ATT&CK
T1068
Confidence
High
Severity
Critical
Status
in the wild
Disclosed
2026-05-22
Config / version noted
Yes

Provenance

Reported as

Initial access via a compromised F5 BIG-IP (EOL version) allowed SSH to an internal Linux host with a privileged account.

Mechanism

Initial access via a compromised F5 BIG-IP (EOL version) allowed SSH to an internal Linux host with a privileged account. Reconnaissance identified an unpatched Confluence server; the attacker exploited vulnerabilities for remote code execution. Confluence credentials were used for NTLM relay attacks against Active Directory, bypassing endpoint controls.

Detection & mitigation

Monitor SSH connections from edge devices to internal hosts, especially those using privileged accounts. Detect Nmap scans, gowitness usage, and NTLM relay tools (e.g., Responder, ntlmrelayx) via endpoint and network telemetry. Enforce patch management for edge appliances and SaaS applications.
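One way to implement the first check, shown as an added example that is not taken from the cited source: it scans OpenSSH `Accepted` lines from an internal host's auth log and flags logins whose source address belongs to an edge appliance. The edge range, the privileged account names and the log lines are assumptions constructed for illustration.

```python
import ipaddress
import re

# Assumptions for this example: addresses owned by edge appliances (self and
# management IPs) and the account names treated as privileged.
EDGE_SOURCES = [ipaddress.ip_network("10.10.0.0/28")]
PRIVILEGED = {"root", "admin", "svc_backup"}

# OpenSSH sshd success line as written to auth.log / secure via syslog.
ACCEPTED = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s(?P<host>\S+)\ssshd\[\d+\]:\s"
    r"Accepted\s(?P<method>\S+)\sfor\s(?P<user>\S+)\sfrom\s(?P<src>\S+)\sport\s\d+"
)

# Constructed sample input, not taken from any real incident.
SAMPLE_LOG = [
    "May 22 03:14:07 app01 sshd[2211]: Accepted password for root from 10.10.0.4 port 51234 ssh2",
    "May 22 03:15:40 app01 sshd[2290]: Accepted publickey for deploy from 10.10.0.5 port 40022 ssh2",
    "May 22 03:16:02 app01 sshd[2301]: Accepted publickey for root from 10.20.1.9 port 39870 ssh2",
    "May 22 03:16:30 app01 sshd[2315]: Failed password for root from 10.10.0.4 port 51240 ssh2",
]

def from_edge(src):
    """True if src parses as an IP address inside a configured edge range."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False  # hostname or malformed value in the log line
    return any(addr in net for net in EDGE_SOURCES)

def find_edge_ssh(lines):
    """Return one alert per successful SSH login that originated from an edge device."""
    alerts = []
    for line in lines:
        m = ACCEPTED.match(line)
        if not m or not from_edge(m["src"]):
            continue
        # A privileged account reached from an edge device is the higher-risk case.
        severity = "high" if m["user"] in PRIVILEGED else "medium"
        alerts.append({"time": m["ts"], "host": m["host"], "user": m["user"],
                       "src": m["src"], "method": m["method"], "severity": severity})
    return alerts

if __name__ == "__main__":
    for alert in find_edge_ssh(SAMPLE_LOG):
        print(alert)
```

Edge appliances rarely have a legitimate reason to open SSH sessions into the internal network, so any expected exceptions are better handled as a short allowlist than by narrowing `EDGE_SOURCES`.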

This is a record of a publicly-reported event, not an assessment of any specific organization's deployment. Detection and mitigation notes are drawn from the cited source. Where the source is silent, fields are omitted.