
Living Off the Edge: Understanding the Current Threat to End-User Devices


Posted on by Greg McDonough

Three Key Takeaways:

1. Edge devices like routers, firewalls, and gateways are increasingly targeted by attackers because they are often inadequately maintained despite serving as the first line of defense for networks.

2. Recent vulnerabilities demonstrate that many organizations fail to apply critical security patches even years after they become available, leaving systems exposed to exploitation.

3. Effective vulnerability management requires a comprehensive approach including regular patch management, continuous monitoring, secure configuration reviews, and honest assessment of organizational security posture.

In many instances, the best policies are simple strategies such as using strong, unique passwords for every account or independently verifying the identity of anyone asking for personal information. These are easy recommendations to make because they are simple to incorporate and proven to be effective. Protecting edge devices such as routers, gateways, and firewalls may not be repeated as often as these other fundamentals, but given the current threat landscape, bad actors are increasingly recognizing the difficulty of attacking the well-defended central infrastructure of IT systems and are focusing their efforts on exploiting end-user devices on the perimeter as the first step in gaining access to their targets.

Edge devices operate on the periphery of a network, close to the sources of data, where they serve to regulate access between internal systems and external networks. For this reason alone, one might think that edge devices would be treated as the first line of defense and would receive both regular scrutiny and frequent updates. However, one of today’s most severe security risks is CVE-2020-12812, which results from unpatched Fortinet firewalls and is estimated to affect over 10,000 systems. The vulnerability allows attackers to bypass two-factor authentication (2FA) by simply changing the case of the username. Even though this flaw was recognized and patched in 2020, many systems remain unaddressed, creating a serious security concern. Fortinet firewall exploits have been leveraged by various hacker groups and state actors in the past, and it is thought that this trend will continue as long as the firewalls remain unpatched.
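The username-case bug class described above is easier to reason about with a toy model. The following is an added example, not code from the post or from Fortinet, and it does not claim to reproduce FortiOS internals: it assumes a directory that matches usernames case-insensitively (as many LDAP/AD backends do) next to a per-user 2FA policy table keyed case-sensitively. The vulnerable login path checks the policy with the username exactly as typed, so a different capitalization finds no policy entry and the second factor is never demanded; the hardened path makes every decision on the one canonical identity. All names, passwords and policy entries are constructed.

```python
"""Added example (constructed): a case-handling mismatch that silently skips
a second factor, beside the hardened form.  Toy model only."""
import hmac

# Constructed sample data: username -> password, and username -> "2FA required?"
DIRECTORY = {"alice": "correct-horse", "bob": "battery-staple"}
TWO_FACTOR_POLICY = {"alice": True, "bob": False}


def directory_lookup(username):
    """Case-insensitive lookup; returns the canonical stored name or None."""
    wanted = username.lower()
    for stored in DIRECTORY:
        if stored.lower() == wanted:
            return stored
    return None


def password_ok(canonical, password):
    """Constant-time comparison against the stored (toy, plaintext) secret."""
    return hmac.compare_digest(DIRECTORY[canonical].encode(), password.encode())


def login_vulnerable(username, password, otp=None):
    """Vulnerable pattern: the password check is case-insensitive, but the 2FA
    policy lookup uses the raw input.  Returns 'denied', 'needs_otp' or 'ok'."""
    canonical = directory_lookup(username)
    if canonical is None or not password_ok(canonical, password):
        return "denied"
    # BUG: keyed on the typed name; 'Alice' misses the entry stored as 'alice'
    if TWO_FACTOR_POLICY.get(username, False) and otp is None:
        return "needs_otp"
    return "ok"


def login_hardened(username, password, otp=None):
    """Hardened: every policy decision uses the single canonical identity that
    the password was actually verified against."""
    canonical = directory_lookup(username)
    if canonical is None or not password_ok(canonical, password):
        return "denied"
    if TWO_FACTOR_POLICY.get(canonical, False) and otp is None:
        return "needs_otp"
    return "ok"


if __name__ == "__main__":
    for fn in (login_vulnerable, login_hardened):
        print(fn.__name__, "alice:", fn("alice", "correct-horse"),
              "Alice:", fn("Alice", "correct-horse"))
```

The general lesson is that any attribute attached to an identity (2FA requirement, group membership, admin role) must be looked up by the same canonical key that authentication resolved, never by the raw string the client supplied.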

Cisco recently reported a zero-day vulnerability (CVE-2025-20393) being used to compromise AsyncOS, specifically targeting Secure Email Gateway (SEG) and Secure Email and Web Manager (SEWM) appliances. Cisco became aware of a cyberattack campaign exploiting this vulnerability on December 10, 2025, and evidence suggests that a Chinese advanced persistent threat (APT) actor tracked as UAT-9686 was actively exploiting this flaw to gain root access and install persistent backdoors such as AquaShell in late November. While Cisco has since released software updates remediating this issue, many systems continue to operate with the older, vulnerable software, leaving them exposed to attack.

Within the past few days, Arctic Wolf has detected attacks on Fortinet FortiGate devices that leverage vulnerabilities (CVE-2025-59718 and CVE-2025-59719), allowing attackers to make changes in the firewall, exfiltrate data, and create persistent accounts. Fortinet currently recommends restricting administrative access to end-user devices, disabling FortiCloud SSO logins, and monitoring for suspicious access attempts.
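The three mitigations just listed translate directly into detections: administrative logins from outside the management network, administrative logins via cloud SSO, and creation of new administrator accounts (the persistence the attacks are described as establishing). The following is an added example, not code from the post, Arctic Wolf or Fortinet. The log lines are constructed in a generic key=value style; the field names, values and the management allowlist are assumptions for the example and not any vendor's real schema.

```python
"""Added example (constructed): flag risky administrative events in edge-device
logs.  Generic key=value records; not a real vendor log format."""
import ipaddress
import shlex

# Constructed: only these networks are permitted to reach the management plane
MGMT_ALLOWLIST = [ipaddress.ip_network("10.0.0.0/24")]

# Constructed sample log excerpt (203.0.113.0/24 is documentation space)
SAMPLE_LOGS = """\
ts=2025-12-15T08:01:02Z event=admin_login user=netops src=10.0.0.15 method=local status=success
ts=2025-12-15T08:03:44Z event=admin_login user=netops src=203.0.113.9 method=sso status=success
ts=2025-12-15T08:04:10Z event=admin_account_create user=svc_backup by=netops src=203.0.113.9
ts=2025-12-15T08:05:00Z event=admin_login user=ops2 src=10.0.0.20 method=local status=failed
"""


def parse_line(line):
    """Turn 'k=v k=v ...' into a dict; shlex keeps quoted values intact."""
    return dict(tok.split("=", 1) for tok in shlex.split(line) if "=" in tok)


def src_allowed(src):
    """True when the source address falls inside the management allowlist."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False
    return any(addr in net for net in MGMT_ALLOWLIST)


def analyze(log_text):
    """Return a list of (severity, reason, event_dict) findings."""
    findings = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ev = parse_line(raw)
        kind, src = ev.get("event"), ev.get("src", "")
        if kind == "admin_login" and ev.get("status") == "success":
            if not src_allowed(src):
                findings.append(("high", "admin login from outside management allowlist", ev))
            if ev.get("method") == "sso":
                findings.append(("medium", "cloud SSO admin login observed", ev))
        elif kind == "admin_account_create":
            # A new administrator created from an unexpected source is the
            # persistence pattern the advisory describes; treat it as critical.
            sev = "critical" if not src_allowed(src) else "medium"
            findings.append((sev, "new administrator account created", ev))
    return findings


if __name__ == "__main__":
    for sev, reason, ev in analyze(SAMPLE_LOGS):
        print(f"[{sev}] {reason}: user={ev.get('user')} src={ev.get('src')} ts={ev.get('ts')}")
```

In production the allowlist would come from the device's trusted-host configuration and the log fields from the vendor's documented schema; the structure (parse, classify, score by source) stays the same.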

The attacks on Fortinet and Cisco systems highlight the critical importance of robust vulnerability management practices, especially for internet-facing devices such as firewalls, VPNs, and remote access servers. According to RSAC’s AI Assistant, successful management strategies should include:

1. Patch Management: Regularly scheduled patch management should be part of every IT organization’s routine. Updates are frequently released not only to streamline performance but also as a means of addressing known security vulnerabilities. Unpatched software can frequently provide attackers with a soft target for attack that may result in data exfiltration or ransomware.

2. Vulnerability Assessment: Organizations need to take an honest look at their vulnerability posture on a regular basis as well. Having an accurate understanding of relative strengths and weaknesses will allow organizations to develop effective plans for addressing areas of need. This should also involve assessing threat exposure related to edge devices, which can often be an arduous task due to the number and possible remote locations of these devices.

3. Monitoring for Exploitation: Sustained attacks are a reality. This is a situation where it is necessary to plan for the worst by employing constant monitoring and threat detection. Ideally, these efforts will help to serve as an early alert to an attempted attack or to minimize exposure in the event of an actual breach.

4. Secure Configuration: What has worked in the past will not necessarily work for the future, or even the present. Like patch management, it is vital to regularly review firewalls and other gateways to ensure optimal configuration for security as well as usability. This includes reviewing and reducing firewall rule sets and ensuring that any untouched configurations from years past are evaluated for their continued relevance.

5. Vendor Communication and Collaboration: It is always recommended to engage with vendors and explore the most up-to-date software solutions and understand what options are available to maximize defenses. 
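Steps 1, 2 and 4 above (patch status, exposure assessment, configuration review) can be driven from one device inventory. The following is an added example, not code from the post or from RSAC, that assesses a constructed inventory of edge devices: it compares each device's firmware against a minimum fixed version, flags configurations not reviewed within a year, flags oversized rule sets as candidates for reduction, and puts internet-facing devices first. The product names, version numbers in FIXED_VERSIONS and thresholds are placeholders, not any vendor's real fixed releases.

```python
"""Added example (constructed): inventory-driven patch and configuration
assessment for edge devices.  All versions and thresholds are placeholders."""
from dataclasses import dataclass
from datetime import date


@dataclass
class EdgeDevice:
    name: str
    product: str          # constructed product key, e.g. "vendorA-firewall"
    version: str          # dotted firmware version string
    internet_facing: bool
    config_reviewed: date # last time the configuration was reviewed
    rule_count: int       # number of firewall/policy rules


# Constructed: product -> minimum version carrying the relevant fixes (placeholders)
FIXED_VERSIONS = {"vendorA-firewall": "7.4.3", "vendorB-mail-gateway": "15.0.2"}
MAX_REVIEW_AGE_DAYS = 365
RULE_COUNT_WARN = 500

# Constructed sample inventory
SAMPLE_INVENTORY = [
    EdgeDevice("fw-branch-01", "vendorA-firewall", "7.2.9", True, date(2023, 5, 1), 820),
    EdgeDevice("fw-hq-01", "vendorA-firewall", "7.4.4", True, date(2025, 9, 10), 310),
    EdgeDevice("mail-gw-01", "vendorB-mail-gateway", "14.3.0", True, date(2025, 11, 2), 40),
    EdgeDevice("lab-router", "vendorC-router", "1.0", False, date(2025, 1, 5), 12),
]


def version_tuple(v):
    """'7.4.10' -> (7, 4, 10); tuples compare numerically, so 7.4.10 > 7.4.3."""
    parts = []
    for p in v.split("."):
        digits = "".join(ch for ch in p if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def is_patched(product, version):
    """True/False against the baseline, or None when the product has no baseline."""
    fixed = FIXED_VERSIONS.get(product)
    if fixed is None:
        return None
    return version_tuple(version) >= version_tuple(fixed)


def assess(devices, today):
    """Return {device_name: [issue, ...]} for every device needing attention."""
    report = {}
    for d in devices:
        issues = []
        patched = is_patched(d.product, d.version)
        if patched is None:
            issues.append("no fixed-version baseline for this product")
        elif not patched:
            issues.append(f"firmware {d.version} below fixed {FIXED_VERSIONS[d.product]}")
        if (today - d.config_reviewed).days > MAX_REVIEW_AGE_DAYS:
            issues.append("configuration not reviewed in over a year")
        if d.rule_count > RULE_COUNT_WARN:
            issues.append("large rule set; candidate for reduction")
        if d.internet_facing and issues:
            issues.insert(0, "internet-facing: prioritize")
        if issues:
            report[d.name] = issues
    return report


def prioritized(report):
    """Device names with internet-facing devices first, then alphabetical."""
    return sorted(report, key=lambda n: (not report[n][0].startswith("internet-facing"), n))


if __name__ == "__main__":
    result = assess(SAMPLE_INVENTORY, date(2025, 12, 15))
    for name in prioritized(result):
        print(name)
        for issue in result[name]:
            print("  -", issue)
```

A device with no baseline at all is reported rather than silently passed, since "we do not know" is itself a finding in an honest assessment of posture.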

Organizational defenses are only as strong as the weakest individual components. In many instances, edge devices serve as the softest attack point for cybercriminals. Often, this is due to the sheer number and diversity of devices. Edge devices can also be housed in separate or remote physical locations, making them more difficult to access. It is vital for organizations to recognize the risk exposure that these devices represent and to take steps to remediate their vulnerabilities. In addition to the steps listed, it is vital to remain informed on the latest trends in the cybersecurity industry. Stay up-to-date on the latest approaches that attackers are employing as well as the best methods for staying ahead of them with the RSAC membership portal featuring advice from industry-leading experts and resources on everything cybersecurity related.

Contributors
Greg McDonough

Cybersecurity Writer, Freelance

Blogs posted to the RSAConference.com website are intended for educational purposes only and do not replace independent professional judgment. Statements of fact and opinions expressed are those of the blog author individually and, unless expressly stated to the contrary, are not the opinion or position of RSAC™ Conference, or any other co-sponsors. RSAC Conference does not endorse or approve, and assumes no responsibility for, the content, accuracy or completeness of the information presented in this blog.

