Published in News

Cybersecurity firms caught with 1990s flaws 

27 October 2025


Schoolboy bugs in mission-critical systems

The cybersecurity industry has found itself in the awkward position of being pwned by the same ancient flaws it has been warning everyone else about for decades.

Critics are now asking why basic vulnerabilities such as buffer overflows, command injections, and SQL injections are still being exploited in supposedly hardened systems built by companies whose entire business is meant to be, well, security.
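To make two of those bug classes concrete, here is an added example written for this page (not code from any vendor or product named in the article). It is a hypothetical "ping diagnostic" handler of the kind appliance web UIs expose, first with a 1990s-style stack buffer overflow and shell command injection, then hardened with a bounded copy, an allow-list validator and a shell-free exec. The host strings used by main() are constructed test inputs. SQL injection is not shown, but it is the same shape as the command injection here: untrusted bytes concatenated into text that an interpreter later parses.

```c
/* Added example for this page, not code from any named vendor.
 * A hypothetical appliance "ping diagnostic" endpoint, vulnerable and hardened. */
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

#define HOST_MAX 64

/* VULNERABLE (do not use): two classic flaws in six lines.
 *  1. strcpy() copies an attacker-controlled string into a fixed stack buffer
 *     with no length check: a host longer than HOST_MAX smashes the stack.
 *  2. The host is interpolated into a shell command line, so a value such as
 *     "8.8.8.8; id" or "$(reboot)" runs as the appliance's web user. */
int vulnerable_ping(const char *host) {
    char hostbuf[HOST_MAX];
    char cmd[128];
    strcpy(hostbuf, host);                  /* buffer overflow */
    sprintf(cmd, "ping -c 1 %s", hostbuf);  /* command injection via system() */
    return system(cmd);
}

/* Allow-list validator: only [A-Za-z0-9.-], bounded length, and no leading
 * '-' or '.' so the value cannot be parsed as an option by the child process.
 * Shell metacharacters are rejected by construction rather than by a deny-list. */
int valid_host(const char *host) {
    size_t n = strlen(host);
    if (n == 0 || n >= HOST_MAX) return 0;
    if (host[0] == '-' || host[0] == '.') return 0;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)host[i];
        if (!(isalnum(c) || c == '.' || c == '-')) return 0;
    }
    return 1;
}

/* HARDENED: bounded copy, validated input, and no shell at all. argv is handed
 * to execvp() directly, so the host can never become more than one argument.
 * Returns ping's exit status, or -1 for invalid input or a fork/wait failure. */
int hardened_ping(const char *host) {
    char hostbuf[HOST_MAX];
    if (!valid_host(host)) return -1;
    snprintf(hostbuf, sizeof hostbuf, "%s", host);  /* cannot overflow */

    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        char *argv[] = { "ping", "-c", "1", hostbuf, NULL };
        execvp(argv[0], argv);  /* only returns on failure */
        _exit(127);
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void) {
    /* Constructed sample inputs: what a web form might send to the handler. */
    const char *samples[] = {
        "8.8.8.8",                 /* legitimate */
        "fw-01.example.net",       /* legitimate */
        "8.8.8.8; id",             /* command injection attempt */
        "$(id)",                   /* command substitution attempt */
        "-c",                      /* option injection attempt */
        "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa", /* > HOST_MAX: overflows vulnerable_ping */
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-40.40s -> %s\n", samples[i],
               valid_host(samples[i]) ? "accepted" : "rejected");
    /* vulnerable_ping() is deliberately never called here. */
    return 0;
}
```

The point of the hardened version is not the validator alone: even a permissive validator would be safe against injection because the host never passes through a shell, and the overflow is gone because the copy is bounded. Both properties are exactly the kind a routine code review or a static analyser flags in minutes, which is the article's complaint.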

watchTowr chief executive Benjamin Harris said: “These are vulnerability classes from the 1990s, and security controls to prevent or identify them have existed for a long time. There is really no excuse."

For years, enterprises have depended on firewalls, routers, VPN servers and email gateways to guard the perimeter. Increasingly, though, these same devices have become the weak links in the chain.

Google’s Threat Intelligence Group tracked 75 exploited zero-day vulnerabilities in 2024, with nearly one in three targeting network and security appliances. That share is wildly disproportionate given the vast range of other systems available for attackers to abuse.

The trend has carried into 2025, with attackers continuing to pick off products and vendors such as Citrix NetScaler, Ivanti, Fortinet, Palo Alto Networks, Cisco, SonicWall and Juniper. These network edge boxes make prime targets because they sit directly on the internet, hold privileged credentials, run outside the reach of endpoint protection, and rarely feed their logs into central monitoring.

Researchers have been flagging holes in these systems for more than a decade, but until recently only a few opportunists had bothered exploiting them. That changed as ransomware groups and state-sponsored hackers realised how much easier it was to crack an under-patched firewall than to phish for passwords.

The pandemic gave them a golden opportunity. Companies rushed to install VPNs, firewalls and web gateways to keep staff working from home, creating a sprawling attack surface of poorly maintained remote access gear. Combined with phishing’s declining success rate, it was only a matter of time before attackers shifted focus.

“It is now easier to find a 1990s-tier vulnerability in a border device where Endpoint Detection and Response typically isn't deployed, exploit that, and then pivot from there,” Harris said.

He acknowledged that building secure systems is hard work, but said many of the bugs discovered in the past two years were so basic they should have been caught instantly.

“Some VPN flaws were trivial to the point of embarrassing for the vendor,” Harris said, adding that even the more sophisticated bugs should have been detected with routine code reviews or automated scanning tools.

Part of the problem lies in legacy code. Many of these appliances contain software written more than a decade ago, and layers of ancient code can make even simple fixes risky and time-consuming.

Attackers often chain several vulnerabilities together to gain access, so a single low-severity bug in an edge device is rarely the whole story. Some defenders also argue that the increase in visible attacks reflects improved monitoring rather than a surge in new exploits: more teams are finally peering into what’s happening on their edge devices instead of assuming the shiny box in the server rack was keeping everything safe.

Last modified on 27 October 2025