The Lurking Threat of Edge Security Products
The internet is dark and full of terrors, a fact that has been driven home in the last few weeks by the steady stream of serious vulnerabilities in edge security products. The same products that are meant to protect networks from threats have become favorite targets for attackers, who are often finding them to be easy entry points for those environments.
Since 2021, exploitation of perimeter devices for initial access has challenged the conventional belief that phishing is the most common intrusion vector. Routine disclosure of severe vulnerabilities in edge devices such as VPN appliances and file transfer services has made them an appealing vector for threat actors engaged in Big-Game Hunting (BGH). By mass-exploiting these vulnerable systems first and sorting through the results afterward, threat actors can pick out the organizations that match their target profile, such as high-revenue companies in the case of ransomware actors.
In just the last two calendar months, the Cybersecurity and Infrastructure Security Agency (CISA) has added seven vulnerabilities in security devices to its Known Exploited Vulnerabilities (KEV) catalog. Several of these bugs involve some form of authentication bypass that allows an adversary to gain privileged access to the device or even execute arbitrary commands. Just this week, authentication bypass vulnerabilities in Palo Alto Networks PAN-OS (CVE-2025-0108) and SonicWall SonicOS (CVE-2024-53704) were added to the KEV, and in late January CISA added a separate critical remote code execution flaw (CVE-2025-23006) in SonicWall Secure Mobile Access (SMA) 1000 series appliances to the KEV.
That’s quite a buffet of vulnerabilities for attackers to choose from, and it doesn’t even include the much broader menu of bugs in security devices that aren’t known to have been exploited yet. For example, last week Ivanti disclosed four critical vulnerabilities in its Connect Secure, Policy Secure, and Cloud Services Appliance products, which are all very popular in enterprise settings. Censys data shows more than 14,000 Connect Secure devices exposing a version that may be vulnerable to three of those flaws (CVE-2025-22467, CVE-2024-38657 and CVE-2024-10644). New data compiled by security vendor Darktrace shows that 40 percent of exploitation activity last year targeted internet-facing devices such as firewalls, routers, VPN appliances, and others. More recently, researchers from Recorded Future’s Insikt Group observed Salt Typhoon, a Chinese state-backed actor, exploiting known vulnerabilities in Cisco’s IOS XE software in a campaign targeting telecom companies in the U.S.
Concerns about the prevalence of vulnerabilities in security devices have been a constant theme in the security community for many years, and CISA, the FBI, and other federal agencies have warned enterprise defenders repeatedly about activity from Chinese, Russian, and North Korean actors targeting these bugs. In January, CISA detailed campaigns by unnamed threat actors who chained together several Ivanti vulnerabilities in attacks on at least three separate organizations. Adversaries pay close attention to public vulnerability reports (in addition to doing their own original vulnerability research in some cases) and know that not only are these devices widely deployed, they often have management consoles exposed to the internet, making them ripe for exploitation. Targets abound.
For defenders, edge security products such as firewalls, VPNs, and others have become a double-edged sword. They’re necessary elements of an enterprise network security architecture, but they can be serious liabilities if not configured properly and monitored and updated regularly. That last bit can be especially tricky, since most admins aren’t very eager to take security products offline to update them, something that adversaries know well and are happy to use to their advantage.
Staying on top of vulnerability reports and updates for security devices can be a daunting task for even well-resourced security teams, but the importance of doing so has never been clearer. One way to augment those efforts is with a tool such as Censys's Attack Surface Management, which monitors external network surfaces, helps discover hidden weaknesses, and gives network and security teams a constantly updated picture of their exposure. If updating right away isn't an option, implement whatever mitigations are possible in the meantime, such as restricting management interfaces to a dedicated management network or a short list of trusted addresses rather than leaving them reachable from the internet. Hackers gonna hack, but we can do our best to make it as difficult as possible for them.
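One concrete way to turn the advice above into a routine check is to compare an inventory of edge devices against the KEV catalog and flag, first, anything on the list whose management interface is reachable from the internet. The script below is an added example and is not code from the article or from any vendor mentioned in it. It assumes a locally saved copy of CISA's KEV JSON feed (the real feed lives at https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json and uses the `cveID`, `vendorProject`, `product`, `dateAdded` and `dueDate` fields used here); the feed fragment and the device inventory embedded below are constructed for illustration, including the vendor/product strings and dates, and are not copied from the catalog.

```python
"""Triage an edge-device inventory against CISA's KEV catalog.

Added example, not from the original article. It reads a saved copy of
the KEV JSON feed and a hypothetical device inventory, then ranks devices:
  P1 - product has KEV entries AND management interface is internet-exposed
  P2 - product has KEV entries, management interface not exposed
  P3 - no KEV match, but management interface is internet-exposed
"""
import json
from dataclasses import dataclass, field
from typing import Optional

# Constructed fragment in the shape of the real KEV feed. Field names match
# the feed; the vendor/product strings and dates are illustrative only.
KEV_SAMPLE = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities (constructed sample)",
    "vulnerabilities": [
        {"cveID": "CVE-2025-0108", "vendorProject": "Palo Alto Networks",
         "product": "PAN-OS", "dateAdded": "2025-02-18", "dueDate": "2025-03-11"},
        {"cveID": "CVE-2024-53704", "vendorProject": "SonicWall",
         "product": "SonicOS", "dateAdded": "2025-02-18", "dueDate": "2025-03-11"},
        {"cveID": "CVE-2025-23006", "vendorProject": "SonicWall",
         "product": "SMA1000 Appliances", "dateAdded": "2025-01-24", "dueDate": "2025-02-14"},
    ],
})

# Constructed inventory: what an asset database or an external scan might
# report. 'mgmt_internet_exposed' is the result of an outside-in check, not
# a self-reported setting.
INVENTORY = [
    {"host": "fw-edge-01", "vendor": "Palo Alto Networks", "product": "PAN-OS", "mgmt_internet_exposed": True},
    {"host": "vpn-sma-01", "vendor": "SonicWall", "product": "SMA1000 Appliances", "mgmt_internet_exposed": False},
    {"host": "fw-branch-07", "vendor": "sonicwall", "product": "SonicOS", "mgmt_internet_exposed": True},
    {"host": "lb-dmz-02", "vendor": "ExampleVendor", "product": "LoadBalancer", "mgmt_internet_exposed": True},
]


def norm(s: str) -> str:
    """Case- and whitespace-insensitive key so 'sonicwall' matches 'SonicWall'."""
    return " ".join(s.lower().split())


def index_kev(kev_json: str) -> dict:
    """Index KEV entries by (vendor, product) for O(1) lookup per device."""
    idx: dict = {}
    for v in json.loads(kev_json)["vulnerabilities"]:
        idx.setdefault((norm(v["vendorProject"]), norm(v["product"])), []).append(v)
    return idx


@dataclass
class Finding:
    host: str
    severity: str           # P1 > P2 > P3
    reason: str
    cves: list = field(default_factory=list)
    due_by: Optional[str] = None  # earliest KEV dueDate among the matches


def triage(inventory: list, kev_idx: dict) -> list:
    """Return findings ordered by severity, then host name.

    Caveat: KEV carries no affected-version ranges, so matching on
    vendor/product deliberately over-reports. Confirm each P1/P2 against
    the vendor advisory before declaring a device patched.
    """
    order = {"P1": 0, "P2": 1, "P3": 2}
    findings = []
    for dev in inventory:
        hits = kev_idx.get((norm(dev["vendor"]), norm(dev["product"])), [])
        cves = sorted(h["cveID"] for h in hits)
        due = min((h["dueDate"] for h in hits), default=None)
        exposed = bool(dev["mgmt_internet_exposed"])
        if cves and exposed:
            findings.append(Finding(dev["host"], "P1",
                "KEV-listed product with management interface reachable from the internet", cves, due))
        elif cves:
            findings.append(Finding(dev["host"], "P2",
                "KEV-listed product; management interface not internet-exposed", cves, due))
        elif exposed:
            findings.append(Finding(dev["host"], "P3",
                "No KEV match, but management interface reachable from the internet"))
    return sorted(findings, key=lambda f: (order[f.severity], f.host))


if __name__ == "__main__":
    for f in triage(INVENTORY, index_kev(KEV_SAMPLE)):
        cve_list = ", ".join(f.cves) if f.cves else "-"
        print(f"{f.severity} {f.host:<14} {cve_list:<18} due {f.due_by or '-':<10} {f.reason}")
```

Running it against a real saved feed only requires swapping `KEV_SAMPLE` for the file contents; the outside-in exposure flag is the part worth automating, since an exposed console on a device with no KEV entry today is tomorrow's P1.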