Tuesday, February 4, 2025


Network security tool defects are endemic, eroding enterprise defense

Threat hunters and defenders started 2025 in the opening scenes of a bad sequel. In the early weeks of January, federal cyber authorities and researchers once again warned that attackers were exploiting a zero-day vulnerability in Ivanti Connect Secure.

The critical unauthenticated stack-based buffer overflow vulnerability, CVE-2025-0282, was exploited and later discovered almost exactly one year after a threat group exploited a pair of separate zero-days (CVE-2023-46805 and CVE-2024-21887) in the same Ivanti product.

The outbreak of new software defects in the same product from the same vendor would be less nerve-wracking if it wasn’t so frequent, furthering an unstable environment for enterprises. Exploited vulnerabilities in the network devices and services organizations rely on for defense facilitate intrusions they are designed to prevent.

Security gear and services running at the perimeter of enterprise networks — from firewalls and VPNs to routers — are a common and persistent intrusion point for cyberattacks. 

During the last two years, financially-motivated and nation-state linked attackers widely exploited vulnerabilities in network edge devices sold by Barracuda, Cisco, Citrix, Fortinet, Ivanti, Juniper, Palo Alto Networks, and SonicWall, among others.

Network security tool exploits have ensnared organizations across sectors, from government agencies to some of the most valuable publicly-traded companies in the world, including Boeing and Comcast.

The Cybersecurity and Infrastructure Security Agency was among those hit by the early 2024 spree of zero-day exploits in Ivanti Connect Secure, the remote access VPN the agency used at the time of the attack.

“It’s easy to feel fatigue from the constant stream of vulnerabilities, but this kind of initial access vulnerability in network devices is particularly dangerous due to the severe post-exploitation consequences,” said Himaja Motheram, security researcher at Censys.

Contradictions abound in network security devices

Organizations buy and deploy firewalls and VPNs to improve their defenses and prevent intrusions. The unintended aftermath wrought by those purchases and deployments contradicts the very purpose of what customers are trying to achieve with network security gear.

When malicious hackers exploit vulnerabilities in edge devices, it’s not the vendors that get hit — it’s their customers.




Remote-access tools such as self-managed VPNs were the primary intrusion point for ransomware attacks in 2023, accounting for 3 in 5 attacks, according to research from cybersecurity insurance firm At-Bay.

Enterprises that don’t consider network edge devices a potential risk are leaving their networks exposed. Stronger vulnerability management programs can help organizations avoid exploits, but there’s little they can do to defend against actively exploited zero days or vulnerabilities that are publicly disclosed but not yet fixed by the vendor.

“If it’s not something in your face all day, it’s so easy to forget about,” said Kyle Hanslovan, CEO at Huntress, a managed EDR vendor.

Attackers view network security gear as a prime target for multiple reasons. They provide capabilities, including highly privileged access and control, that align with attackers’ objectives, said John Dwyer, director of security research at Binary Defense.

“We don’t consider them with the same scrutiny as we do any other asset on our network, and I think that that’s a misconception,” Dwyer said. “At the end of the day, security tools have more benefits than negatives, but every asset on your network is an attack vector.”

Firewall sales account for nearly half of all revenue in the network security market, said Mauricio Sanchez, senior director of enterprise security and networking research at Dell’Oro Group.




Palo Alto Networks has a commanding lead in the firewall segment, closing the second quarter of 2024 with a 29% share of the market, research from Dell’Oro Group and Gartner shows. The next closest competitors in the firewall segment include Fortinet, Cisco and Check Point Software Technologies.

Attackers actively exploited vulnerabilities in each of these vendors’ firewalls or VPNs during the last year, according to the Cybersecurity and Infrastructure Security Agency’s known exploited vulnerabilities catalog.

