
VPN Firewall Vendors and Threat Actors Continue the Battle into 2025


Two newly exploited vulnerabilities in Fortinet and Ivanti VPN devices illustrate the ongoing struggle and pressure faced by firewall vendors. We've already seen this play out with Sophos, as revealed in a recent report, and with other vendors during the past year.


Starting the new year, CISA, the U.S. agency that maintains the Known Exploited Vulnerabilities (KEV) catalog, has been warning about 2 vulnerabilities in Fortinet and Ivanti VPN products that are being exploited in the wild (CVE-2024-55591 and CVE-2025-0282, respectively).


CVE-2024-55591, found in FortiOS and FortiProxy, enables unauthenticated attackers to obtain super-admin privileges over affected systems through specially crafted requests. Fortunately, the attack appears to go through the firewall's management interface, which tends to be less exposed to the internet than the typical VPN entry points.


However, this vulnerability seems to confirm the trend of firewalls being exploited weeks or even months before the vendor is aware of an ongoing threat campaign. In this case, security company Arctic Wolf identified exploitation activity prior to the disclosure of this vulnerability, including observations of unauthorized administrative logins, account creation, and configuration changes dating back to mid-November 2024, at least 2 months before a patch was released (and longer still before devices in the field are actually patched).


VPN gateways and Next-Generation Firewalls (NGFWs) are by definition exposed online, "sitting" on the public internet, which makes them an attractive target for exploitation, especially because compromising them requires no user interaction or social engineering.

That's why a recent data leak comes as no surprise: a threat actor released the configuration files of 15,000 Fortinet firewalls, including the associated admin and user credentials. They were all obtained as far back as October 2022, apparently via another well-known and much older FortiOS vulnerability (CVE-2022-40684). What's worrying is that many of these devices are still exposed and vulnerable online as of today.


To illustrate the exposure potential (and the attractiveness of Fortinet from a malicious actor's perspective), here is a map of active Fortinet devices online worldwide as of January 2025:


[Map: almost 3.5 million Fortinet devices are online. Source: Censys, https://censys.com/cve-2024-55591/]

The other vulnerability making the rounds since the beginning of the year is CVE-2025-0282, identified in Ivanti VPN appliances. This one is potentially more dangerous, as it affects all devices from the vendor (not only those with an exposed management interface). It allows a remote, unauthenticated attacker to execute arbitrary code on vulnerable systems, including stealing credentials for further lateral movement within an organization's IT network.


Ivanti disclosed the vulnerability on January 8, 2025, and it was promptly added to CISA's KEV catalog because exploitation had been observed in the wild. However, an investigation by Mandiant and Ivanti suggests that exploitation dates back to mid-December 2024 (again, too much time elapses before the vendor is even aware of ongoing exploitation, let alone provides a patch).


Although Ivanti has a lower count of exposed appliances than Fortinet, the vulnerable VPN entry point is far more accessible. A first victim is already known, the UK domain registry Nominet, but there are probably others. Although Ivanti has urged customers to patch, a residual number of unpatched appliances is still visible online as of this writing (see the Shadowserver Foundation data here).


NGFW Under Siege - Time to Rethink with SASE


We're seeing essentially the same trend continuing into 2025: firewall vendors' products are being extensively researched for vulnerabilities by well-funded threat actor groups, often backed by nation-states. These groups develop exploits and launch campaigns to compromise as many devices as possible before the vendor becomes aware of the exploitation.


As revealed in the previously mentioned insider report by Sophos, the challenge is then not only to develop patches, but to get them installed on all affected devices worldwide. That is a huge logistical challenge, and practice shows it always happens too late, months after the threat campaign has begun.


The traditional model of firewall 'boxes' installed and managed by customers, or even by MSSPs, at the customer's own locations is increasingly unsustainable. Remote telemetry and response capabilities are too slow to counter real-time offensive activity targeting thousands of 'boxes' globally.


As a result, vendors are shifting to an as-a-service model through ZTNA/SASE private access, hosted by the vendor, which enables a quicker response to what is now a routine level of adversarial activity.
