A successful exploitation of this chain gives attackers administrative control over Active Directory, which governs access to every system, application, and user account in the organization. Azure-hosted infrastructure access compounds this: cloud workloads, storage, and identity systems become reachable without additional exploitation. Regulatory exposure is significant for organizations in financial services, healthcare, or critical infrastructure, where AD compromise triggers mandatory breach notification and incident reporting obligations. Reputational and operational risk is high — AD compromise typically requires a full rebuild of directory services, with recovery timelines measured in days to weeks and direct costs often exceeding seven figures.
You Are Affected If
You are running F5 BIG-IP v15.1.x (specifically v15.1.201000 or any v15.1 build), which reached end-of-life on December 31, 2024, and is internet-facing or reachable from untrusted networks
Your Atlassian Confluence instance is unpatched and accessible from internal network segments reachable by the F5 or adjacent Linux hosts
Service accounts used by Confluence or adjacent applications have embedded credentials stored in Confluence pages, macros, or configuration files
CVE-2025-33073 has not been patched on Windows systems hosting or adjacent to Active Directory domain controllers
Your domain-joined Windows hosts do not have LLMNR disabled (via Group Policy) and NBT-NS disabled (per network adapter or via the DHCP scope option), leaving local-segment name-resolution poisoning and the Kerberos relay attack surface open
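The last checklist item can be verified on each Windows host directly. The script below is an added example, not part of the advisory: it reads the Group Policy registry value that disables LLMNR and the per-adapter NetBIOS setting, and reports whether either leaves the host exposed. It assumes it is run in an elevated PowerShell session on a domain-joined Windows host; it changes nothing. Patch status for CVE-2025-33073 is deliberately not checked here, because the update identifier differs by Windows version and the advisory does not list one.

```powershell
# Added example (not from the advisory): audit the LLMNR and NBT-NS settings
# that the "You Are Affected If" checklist refers to, on the local host.
# Assumes an elevated session on a domain-joined Windows host. Read-only.

# LLMNR is turned off by the Group Policy setting "Turn off multicast name
# resolution", which writes EnableMulticast = 0 under this policy key.
$llmnrKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'
$llmnr = Get-ItemProperty -Path $llmnrKey -Name EnableMulticast -ErrorAction SilentlyContinue
$llmnrDisabled = ($null -ne $llmnr) -and ($llmnr.EnableMulticast -eq 0)

# NBT-NS is controlled per adapter. TcpipNetbiosOptions:
#   0 = take the setting from DHCP (not confirmed off, so treated as exposed)
#   1 = enabled
#   2 = disabled
$adapters = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE'
$nbtExposed = foreach ($a in $adapters) {
    if ($a.TcpipNetbiosOptions -ne 2) {
        [pscustomobject]@{
            Adapter       = $a.Description
            NetbiosOption = $a.TcpipNetbiosOptions
        }
    }
}
$nbtExposed = @($nbtExposed)

# Summary object, suitable for collecting across hosts with Invoke-Command.
[pscustomobject]@{
    ComputerName         = $env:COMPUTERNAME
    LlmnrDisabled        = $llmnrDisabled
    NbtNsExposedAdapters = $nbtExposed.Count
}

if (-not $llmnrDisabled) {
    Write-Warning 'LLMNR is not disabled by policy (EnableMulticast missing or not 0).'
}
foreach ($e in $nbtExposed) {
    Write-Warning "NetBIOS over TCP/IP is not disabled on '$($e.Adapter)' (TcpipNetbiosOptions=$($e.NetbiosOption))."
}
```

Adapters reporting option 0 are flagged rather than trusted, because the effective setting then depends on the DHCP scope; confirm it there or set the adapters to 2 explicitly.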
Board Talking Points
Attackers exploited an expired, unsupported network appliance to steal credentials and gain administrative control over Active Directory and cloud systems — the kind of access that can shut down operations entirely.
IT and security teams should immediately take the expired F5 appliance offline, apply the available Microsoft patch for CVE-2025-33073, and audit Confluence for stored credentials — all actions completable within 48 to 72 hours.
Without action, an attacker with Active Directory control can lock out all users, exfiltrate every data asset the organization holds, and extend access into cloud environments with no additional effort.
Regulatory Exposure
HIPAA — Active Directory compromise in healthcare environments directly exposes systems handling electronic protected health information (ePHI), triggering the breach risk assessment required under 45 CFR § 164.402 and, where a breach is confirmed, the notification obligations of 45 CFR §§ 164.404 through 164.408
PCI-DSS — AD and Azure compromise in environments where domain accounts govern access to cardholder data systems must be handled under the incident response plan that PCI-DSS Requirement 12.10 mandates, which includes notifying the acquiring bank and payment brands as their rules require
NERC CIP — Exploitation of an internet-facing edge appliance providing access to operational technology networks may constitute a Cyber Security Incident reportable under NERC CIP-008 for covered electric utilities; the unsupported, unpatched appliance also bears on CIP-007 (patch management) and CIP-010 (vulnerability assessment) compliance