It’s an endless drumbeat: cyber news of legacy firewalls being targeted, most often by nation-state attackers. Over the past several months, we’ve seen reports of the China-linked group Storm-1849 spending the month of October attacking Cisco ASA firewalls.

SonicWall on Nov. 19 sent out an advisory to its customers about a high-severity vulnerability in its SonicOS operating system. This followed a move earlier in November in which SonicWall attributed the September cyberattack against its MySonicWall accounts, which exposed firewall backup files, to a state-sponsored threat.

GreyNoise on Oct. 8 assessed with “high confidence” that attacks on networking devices from Cisco, Palo Alto Networks, and Fortinet were part of a coordinated campaign driven by the same threat actor.

Recent research by FireMon Insights may explain why attackers keep targeting legacy firewalls: 60% of enterprise firewalls fail high-severity compliance checks immediately upon evaluation, with another 34% falling short at critical levels. FireMon researchers said these aren’t just technical oversights; they’re signs of deeper governance issues that can lead to audit failures, operational downtime, and increased exposure to threats.

“In today’s multi-vendor firewall landscape — SonicWall, Cisco, Palo Alto, Fortinet, you name it — the real challenge isn’t the volume of alerts, it’s the fact that defenders are drowning in vendor-defined noise while adversaries move with zero friction,” said Aaron Beardslee, manager of threat research at Securonix.

Attackers don’t care which firewall brand an organization uses, said Beardslee; they probe them all the same way, exploiting whichever CVE is easiest and chaining behaviors across edges, VPNs, and segmentation layers faster than most teams can triage a single ticket.

“Security organizations must break out of the old model of blindly trusting each vendor’s severity ratings and instead normalize everything into a unified risk framework driven by asset criticality, exploitability, and real-world threat intel,” said Beardslee.
Jason Soroko, a senior fellow at Sectigo, said security teams need to start with a full inventory of internet-facing SonicWall, Cisco and Palo Alto devices, identifying which are exposed and whether they are running vulnerable versions, then applying vendor patches or mitigations as quickly as possible, with emergency change windows if needed.

In parallel, Soroko said security teams should harden these systems by restricting management access to trusted networks or VPNs, enforcing strong authentication, disabling unused services and legacy protocols, and tightening access control lists to only necessary sources and destinations.

“Teams can then elevate detection through focused logging of authentication events, configuration changes and unusual traffic patterns from firewalls into a SIEM with tailored alerts for known indicators, and brute force or spray attempts,” said Soroko.

Jake Ouellette, lead incident detection engineer at Blumira, added that many of the most recent firewall attacks have been relatively predictable and have targeted exposed services such as SSLVPN or admin portals. Ouellette said security teams should prioritize understanding what their firewall is exposing to the public internet, adding that many of these services can be turned off altogether if not used, or enabled in some better, more secure way.

“Once a firewall is compromised, attackers can exploit the ‘hard shell, soft interior’ nature of most networks, moving laterally with relative ease while potentially establishing backdoors on compromised firewalls through new user accounts or firewall rules that survive remediation efforts,” said Ouellette.

Nevan Beal, principal MDR analyst at Blackpoint Cyber, said his teams routinely observe these firewall appliances being probed and abused in two main ways. First, attackers exploit newly disclosed vulnerabilities, often at scale and within days of public release. Second, through authentication abuse, in which attackers use stolen credentials, password spraying, or brute force attempts to log in through the VPN as a valid user. Beal said both paths lead to the same outcome: rapid foothold establishment and escalation inside the network.

“Once access is gained through a VPN or firewall service, threat actors typically move fast,” said Beal. “The team sees them creating or hijacking accounts, expanding privileges, moving laterally, dumping credentials, and pivoting into internal services to find sensitive systems and data. The initial appliance compromise is rarely the end goal. It’s the first step toward reaching the crown jewels of the environment.”

Beal recommended prioritizing the following controls:
Exposure management
Limit access to VPN and management interfaces to known sources. Use conditional access, IP allowlists, or a dedicated VPN.
Do not expose the authentication or administrative panels to the internet unless there’s a clear operational need.
Disable or remove unused services and portals on the appliance (for example, legacy VPN modes, web admin over WAN, or test interfaces) to minimize reachable attack paths.
Implement asset inventory and exposure scanning to track all internet-facing appliances, their versions, and patch status, and to quickly identify new or unapproved edge devices.
Harden authentication
Require MFA for all VPN access and block logins for users who are not enrolled.
Prefer phishing-resistant options where possible, such as certificate-based authentication or hardware-backed MFA.
Enforce strong account lockout and password-spraying protections. If supported, enable botnet or anomaly-based filtering.
Tighten directory and group controls
Remove broad LDAP or AD user groups from VPN access.
Create a dedicated, non-default VPN access group and require explicit membership for authorization.
Use LDAPS with certificate validation for directory lookups.
Restrict LDAP bind accounts to read-only scope and monitor for abnormal bind activity.
Patch and monitor with urgency
Keep SSL VPN and firewall appliances fully patched and on supported versions. Treat internet-facing edge bugs as emergency fixes.
Subscribe to vendor security advisories and track exploitation in the wild so patching follows active threat, not just severity scores.
Monitor VPN logs for exploit indicators, new account creation, unusual geolocation access, and spikes in failed authentication attempts.
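The exposure-management, authentication-hardening and directory-control items above (and Ouellette's point about knowing what the firewall exposes to the internet) can be turned into an automated configuration audit. The following is an added example, not code from the article or from any vendor: it checks a vendor-neutral, constructed configuration schema (the `interfaces`, `sslvpn` and `ldap` keys, the service names, the `MIN_FIRMWARE` value and both sample configs are assumptions, not any appliance's real export format) and reports the weak settings beside a hardened variant that passes cleanly.

```python
from collections import Counter

# Constructed, vendor-neutral appliance configuration in a hypothetical schema
# (not any vendor's export format). Firmware version strings are placeholders.
WEAK_CONFIG = {
    "firmware": "7.0.1",
    "interfaces": [
        {"name": "X1", "zone": "WAN",
         "services": {"https_mgmt": "any", "ssh": "any", "http_mgmt": "any", "sslvpn": "any"}},
        {"name": "X0", "zone": "LAN", "services": {"https_mgmt": "192.0.2.0/24"}},
    ],
    "sslvpn": {"mfa_required": False, "allowed_groups": ["Domain Users"]},
    "ldap": {"protocol": "ldap", "bind_scope": "read-write"},
}

# Same appliance after applying the controls: management only from a LAN-side
# management subnet, no legacy services on WAN, MFA and a dedicated VPN group,
# LDAPS with a read-only bind account, current firmware.
HARDENED_CONFIG = {
    "firmware": "7.1.3",
    "interfaces": [
        {"name": "X1", "zone": "WAN", "services": {"sslvpn": "any"}},
        {"name": "X0", "zone": "LAN",
         "services": {"https_mgmt": "192.0.2.0/24", "ssh": "192.0.2.0/24"}},
    ],
    "sslvpn": {"mfa_required": True, "allowed_groups": ["VPN-Users"]},
    "ldap": {"protocol": "ldaps", "bind_scope": "read-only"},
}

MIN_FIRMWARE = "7.1.3"                     # placeholder for the vendor's minimum patched build
MANAGEMENT_SERVICES = {"https_mgmt", "http_mgmt", "ssh", "telnet"}
LEGACY_SERVICES = {"http_mgmt", "telnet"}  # cleartext or deprecated: disable outright
BROAD_GROUPS = {"Domain Users", "Everyone", "Authenticated Users"}


def version_tuple(version):
    """Compare dotted versions numerically so "7.10.0" sorts above "7.9.3"."""
    return tuple(int(part) for part in version.split("."))


def audit(cfg):
    """Return (severity, message) findings for the exposure and authentication controls."""
    findings = []
    if version_tuple(cfg["firmware"]) < version_tuple(MIN_FIRMWARE):
        findings.append(("critical", f"firmware {cfg['firmware']} is below minimum "
                                     f"{MIN_FIRMWARE}; patch as an emergency change"))
    sslvpn_on_wan = False
    for iface in cfg["interfaces"]:
        wan = iface["zone"] == "WAN"
        for svc, src in iface["services"].items():
            if svc == "sslvpn" and wan:
                sslvpn_on_wan = True
            if svc in LEGACY_SERVICES:
                findings.append(("high", f"legacy service {svc} enabled on {iface['name']}; disable it"))
            if wan and svc in MANAGEMENT_SERVICES:
                if src == "any":
                    findings.append(("critical", f"{svc} on WAN interface {iface['name']} "
                                                 f"is reachable from any source"))
                else:
                    findings.append(("medium", f"{svc} on WAN interface {iface['name']} is "
                                               f"allowlisted to {src}; prefer management only "
                                               f"via VPN or a trusted network"))
    vpn = cfg["sslvpn"]
    if sslvpn_on_wan and not vpn["mfa_required"]:
        findings.append(("high", "SSL VPN is internet-facing but does not require MFA"))
    broad = sorted(BROAD_GROUPS & set(vpn["allowed_groups"]))
    if broad:
        findings.append(("high", f"SSL VPN grants access to broad directory group(s) {broad}; "
                                 f"use a dedicated, non-default VPN group"))
    ldap = cfg["ldap"]
    if ldap["protocol"] != "ldaps":
        findings.append(("medium", "directory lookups are not using LDAPS with certificate validation"))
    if ldap["bind_scope"] != "read-only":
        findings.append(("medium", f"LDAP bind account scope is {ldap['bind_scope']}; restrict to read-only"))
    return findings


def severity_counts(findings):
    """Summarize findings by severity, e.g. {'critical': 4, 'high': 3, 'medium': 2}."""
    return dict(Counter(sev for sev, _ in findings))


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        results = audit(cfg)
        print(f"{label}: {severity_counts(results)}")
        for sev, msg in results:
            print(f"  [{sev}] {msg}")
```

The check deliberately distinguishes an open management port on WAN (critical) from an allowlisted one (medium): the list above treats IP allowlists as acceptable but prefers a dedicated VPN or trusted network, and the audit encodes that ordering rather than a binary pass/fail.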
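Soroko's SIEM advice (authentication events and configuration changes with alerts for brute force or spray attempts) and the last item above (new account creation, unusual geolocation, spikes in failed authentication) describe the same detection logic. The following is an added example, not code from the article or from any vendor or SIEM product: it runs those detections over constructed, vendor-neutral log lines. The log format, the `GEO` lookup table standing in for a GeoIP database, the `EXPECTED_COUNTRIES` set and all thresholds are assumptions; real appliances log in their own formats and a production rule would read from the SIEM's parsed fields instead.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed, vendor-neutral log lines (hypothetical format, not any real
# appliance's syslog): "<timestamp> <category> key=value ...".
SAMPLE_LOG = """\
2025-11-20T02:14:01Z auth result=fail user=alice src=203.0.113.7
2025-11-20T02:14:02Z auth result=fail user=bob src=203.0.113.7
2025-11-20T02:14:03Z auth result=fail user=carol src=203.0.113.7
2025-11-20T02:14:04Z auth result=fail user=dave src=203.0.113.7
2025-11-20T02:14:05Z auth result=fail user=erin src=203.0.113.7
2025-11-20T02:14:06Z auth result=fail user=frank src=203.0.113.7
2025-11-20T02:20:00Z auth result=fail user=svc-backup src=198.51.100.9
2025-11-20T02:20:05Z auth result=fail user=svc-backup src=198.51.100.9
2025-11-20T02:20:10Z auth result=fail user=svc-backup src=198.51.100.9
2025-11-20T02:20:15Z auth result=fail user=svc-backup src=198.51.100.9
2025-11-20T02:20:20Z auth result=fail user=svc-backup src=198.51.100.9
2025-11-20T02:21:00Z auth result=success user=svc-backup src=198.51.100.9
2025-11-20T02:22:10Z admin action=user_add target=support2 user=svc-backup src=198.51.100.9
2025-11-20T02:25:00Z auth result=success user=grace src=192.0.2.44
2025-11-20T09:00:00Z auth result=success user=heidi src=192.0.2.10
"""

# Constructed IP-to-country lookup standing in for a GeoIP database.
GEO = {"203.0.113.7": "ZZ", "198.51.100.9": "ZZ", "192.0.2.44": "ZZ", "192.0.2.10": "US"}
EXPECTED_COUNTRIES = {"US"}  # where this organization's users are expected to log in from


def parse(log_text):
    """Parse each line into a dict with a UTC datetime 'ts', a 'category', and key=value fields."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, category, *fields = line.split()
        ev = {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
              "category": category}
        for field in fields:
            key, _, value = field.partition("=")
            ev[key] = value
        events.append(ev)
    return events


def bucket(ts, window):
    """Floor a timestamp to a fixed window so events can be grouped without a sliding window."""
    epoch = int(ts.timestamp())
    return epoch - epoch % int(window.total_seconds())


def failed_auths(events):
    return [ev for ev in events if ev["category"] == "auth" and ev.get("result") == "fail"]


def detect_spray(events, window=timedelta(minutes=10), min_users=5):
    """Password spraying: one source fails against many distinct accounts within a window."""
    users = defaultdict(set)
    for ev in failed_auths(events):
        users[(ev["src"], bucket(ev["ts"], window))].add(ev["user"])
    return sorted({src for (src, _), seen in users.items() if len(seen) >= min_users})


def detect_brute_force(events, window=timedelta(minutes=10), min_fails=5):
    """Brute force: one account accumulates many failures within a window, from any source."""
    fails = defaultdict(int)
    for ev in failed_auths(events):
        fails[(ev["user"], bucket(ev["ts"], window))] += 1
    return sorted({user for (user, _), n in fails.items() if n >= min_fails})


def detect_success_after_failures(events, lookback=timedelta(minutes=15), min_fails=3):
    """A success shortly after repeated failures on the same account: the 'they got in' signal."""
    hits = []
    for i, ev in enumerate(events):
        if ev["category"] == "auth" and ev.get("result") == "success":
            prior = [e for e in failed_auths(events[:i])
                     if e["user"] == ev["user"] and ev["ts"] - e["ts"] <= lookback]
            if len(prior) >= min_fails:
                hits.append((ev["user"], ev["src"]))
    return hits


def detect_account_changes(events):
    """Accounts created on the appliance itself: persistence that survives patching."""
    return [(ev["target"], ev["user"], ev["src"]) for ev in events
            if ev["category"] == "admin" and ev.get("action") == "user_add"]


def detect_unusual_geo(events, expected=EXPECTED_COUNTRIES):
    """Successful logins whose source country is outside the expected set."""
    return [(ev["user"], ev["src"], GEO.get(ev["src"], "??")) for ev in events
            if ev["category"] == "auth" and ev.get("result") == "success"
            and GEO.get(ev["src"], "??") not in expected]


def run_detections(log_text=SAMPLE_LOG):
    events = parse(log_text)
    return {
        "spray_sources": detect_spray(events),
        "brute_forced_users": detect_brute_force(events),
        "success_after_failures": detect_success_after_failures(events),
        "account_changes": detect_account_changes(events),
        "unusual_geo": detect_unusual_geo(events),
    }


if __name__ == "__main__":
    for name, hits in run_detections().items():
        print(f"{name}: {hits}")
```

Run against the sample, the spray and brute-force rules fire on different sources, the success-after-failures rule ties the brute-forced `svc-backup` login to the `user_add` event two minutes later, and the geolocation rule flags that same session. Correlating those four hits on one source address is what turns "noisy failed logins" into the foothold Beal describes; fixed-width buckets are used for simplicity, so a burst straddling a bucket boundary can be split in two, which is the usual trade-off against a true sliding window.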