The past year has seen a surge in publicly disclosed vulnerabilities in edge security devices, something that has been a boon for attackers and a tremendous challenge for enterprise security teams, as new data collected in the Verizon 2025 Data Breach Investigations Report (DBIR) shows.
Edge security devices such as firewalls, VPN appliances, and WAFs are at or near the top of the target list for many threat actors because they sit at the boundary of internal and external networks and can serve as privileged entry points into otherwise protected environments if they’re compromised. There have been plenty of edge device vulnerabilities recently to help them achieve their goals. Ivanti, Palo Alto Networks, Cisco, Juniper, SonicWall and other vendors all took their turns in the spotlight in 2024, and attackers certainly took notice. Verizon’s data shows that vulnerability exploitation was the initial access vector in 20 percent of breaches last year, a 34 percent increase from the previous year.

A non-trivial chunk of that increase is attributable to exploitation of vulnerabilities in edge security devices by both cybercriminals and APT groups. While credential abuse is still the most frequent initial access vector in breaches, vulnerability exploitation is gunning for that number one spot. From a Censys perspective, 13 of the 66 Rapid Response advisories we published in 2024 concerned vulnerabilities in edge security products.
“Regardless, we can draw a very straight line from this exploitation of vulnerability growth to the deluge of edge device vulnerabilities that plagued defenders throughout 2024. This tactic has been leveraged successfully by both ransomware operators and espionage-motivated threat actors with great success,” the report says.
It stands to reason that credential misuse/abuse would remain the top initial access vector for breaches, given the absolute surfeit of stolen and leaked credentials flooding the internet at any given time. Finding valid credentials for a target service/device in a given organization is usually considerably easier and less noisy than deploying an exploit against a vulnerability, and adversaries will typically gravitate toward the things that just work, regardless of their technical sophistication. No need for a zero day when you have the password.
But when there is a Cheesecake Factory menu of vulnerabilities (and often public exploit code) available, adversaries are perfectly happy to take advantage of those as well.
“In fact, exploitation of vulnerabilities as an initial access vector for espionage-motivated breaches goes as high as 70% in the analyzed time period. That result of 22% in VPN and edge devices is almost eight times the amount of 3% found in last year’s report, illustrating the challenges defenders have been facing with securing those devices,” the report says.
“Exploitation of vulnerabilities via Web application still figures prominently, as we also had some vulnerabilities affecting management consoles of firewalls and other security devices that would be represented in that category. All in all, those findings reinforce the old adage that ‘any device can be an edge device if you are brave enough.’”
There is some reason for optimism out there on the edge, though. Verizon found that organizations remediated 53% of edge security device vulnerabilities in the CISA Known Exploited Vulnerabilities (KEV) Catalog in the last year, far more than the 38% remediated for all bugs in the KEV overall. That’s good! It’s an indication that security teams are prioritizing the bugs in these edge security devices, as they should.

Organizations can’t fully prevent vulnerabilities in third-party products, but they can control the way they respond to those disclosures, and prioritizing bugs in critical security devices is a positive sign. Here’s hoping that trend continues in 2025.
Images from 2025 Verizon Data Breach Investigations Report

