WithSecure Reveals Mass Exploitation of Edge Software and Infrastructure Appliances

Vulnerabilities in edge services and infrastructure devices are being increasingly exploited by cyber threat actors, according to a new report by WithSecure.

Edge services, pieces of software installed at the edge of a network and accessible from both the internet and the internal network, are attractive to threat actors because they make a perfect initial access point into a network.

There has recently been an explosion in the exploitation of vulnerable edge software, with security incidents including MOVEit, CitrixBleed, Cisco XE, Fortiguard’s FortiOS, Ivanti ConnectSecure, Palo Alto’s PAN-OS, Juniper’s Junos, and ConnectWise ScreenConnect.

Traditionally, these exploited edge services are installed on infrastructure devices, also known as appliances. These devices are provided by a supplier without additional security tooling, with complete supplier-defined software and hardware. The most common infrastructure devices include firewalls, VPN gateways and email gateways.

Edge Security Flaws Consistently on the Rise

In the introduction of its report, WithSecure reminded its readers that many recent reports indicate that mass exploitation may have overtaken botnets as the primary vector for ransomware incidents, and there has been a rapid tempo of security incidents caused by mass exploitation of vulnerable software.

Based on this hypothesis, the Finland-based company wanted to determine to what extent the exploitation of edge service vulnerabilities played a crucial role in this trend.

WithSecure analyzed some trends that set edge service and infrastructure vulnerabilities apart from other vulnerabilities within the Known Exploited Vulnerability (KEV) catalog, a list of known exploited critical vulnerabilities maintained by the US Cybersecurity and Infrastructure Security Agency (CISA).

The firm found that over the past few months, more edge service and infrastructure vulnerabilities were added to the KEV list than regular vulnerabilities.

For instance, while the monthly number of common vulnerabilities and exposures (CVEs) added to the KEV list has dropped in 2024 compared with 2023 (-56%), the monthly addition of edge service and infrastructure CVEs rose by 22% over the same period.

While the overall trend in monthly exploited vulnerabilities has been inconsistent over the past three years, monthly exploited edge vulnerabilities, by contrast, have been consistently rising since 2022.

Source: WithSecure

Additionally, edge service and infrastructure vulnerabilities added to CISA’s KEV list tend to be more impactful than other types of CVEs: over the past two years of KEV data, these specific CVEs carry an 11% higher severity score.
