The Perimeter Is the Target: Emerging Threats Hitting Edge Devices in 2026

Firewalls, VPNs, routers, and load balancers were never supposed to be the soft underbelly of enterprise security. For years, defenders treated them as trusted gatekeepers. Attackers have spent the past two years methodically proving that assumption wrong—and 2026 data shows the assault is accelerating.

The numbers that define this threat are not subtle. The Verizon Data Breach Investigations Report for 2025 documented an eightfold increase in exploitation targeting network edge devices compared to the prior year. Exploitation of these devices jumped from 3 percent of breaches to 22 percent in a single reporting cycle. GreyNoise's State of the Edge dataset, covering 2.97 billion sessions observed across sensors in more than 80 countries during the second half of 2025, found that malicious activity averaged roughly 212 sessions per second against edge infrastructure throughout that period.

The Scale of the Problem

Google Mandiant's 2025 zero-day review tracked 90 zero-day vulnerabilities across the year and found that 48 percent targeted enterprise-grade technology. Fourteen zero-days specifically affected edge devices—a figure Google itself acknowledges likely underrepresents actual activity, given how difficult it is to detect compromise on appliances that cannot run endpoint detection and response software. Mandiant's M-Trends 2025 report found that 33 percent of incidents began with vulnerability exploitation, with 21 percent of ransomware attacks specifically leveraging edge vulnerabilities for initial access.

One cyber insurance company reported that organizations running on-premises VPNs faced up to 6.8 times the risk of cyberattack compared to peers without them. Eclypsium's January 2026 analysis noted that the 2025 Verizon DBIR found network device vulnerabilities are often exploited on or before the day of their public disclosure, while patches take a median of 30 days or more to deploy. That gap—disclosure to patch—is where attackers operate. For end-of-support devices, that gap is permanent.

Why Edge Devices Are the Preferred Target

The logic is straightforward and uncomfortably sound. Routers, firewalls, VPN gateways, load balancers, and wireless access points sit precisely where an organization's internal network meets the public internet. They carry enormous privilege: they route all traffic, integrate with identity management systems, and are trusted by everything behind them. Compromising one gives an attacker a vantage point that is difficult to detect and expensive to remove.

Compounding this, edge devices are structurally resistant to standard defensive tooling. You cannot install EDR on a firewall. Logging is often minimal by default. Firmware updates require maintenance windows that can disrupt operations, creating organizational pressure to delay patching—sometimes indefinitely.

"The absence of EDR technology on most edge devices, like routers, switches, and security appliances, can create a blind spot for defenders, making it an ideal attack surface." — Google Cloud Threat Intelligence, 2025 Zero-Day Review

End-of-support (EOS) devices amplify every one of these risks. When a manufacturer stops issuing security updates for a product, any vulnerability discovered after that date will never be patched. CISA has stated explicitly that it is aware of widespread exploitation campaigns targeting EOS edge devices. These devices are attractive precisely because defenders have no vendor recourse.

Attack Chain Overview
[Figure: five-stage attack chain. Stage 1 Initial Access; Stage 2 Credential Harvest; Stage 3 Persistence; Stage 4 Lateral Movement; Stage 5 Impact.]
Typical edge device attack chain: a CVE exploit or misconfiguration grants access, credentials are harvested via packet capture, firmware-level persistence survives patching, lateral movement targets internal services, and then data theft or ransomware follows.

Nation-State Actors and the Edge

State-sponsored groups have treated edge devices as a strategic priority for years, but the tactical sophistication on display in 2025 and into 2026 represents a qualitative shift. Three campaigns illustrate the current landscape.

Russian GRU / Sandworm. Amazon Threat Intelligence published findings in December 2025 documenting a years-long Russian state-sponsored campaign that has evolved its methodology significantly. Between 2021 and 2022, the group exploited WatchGuard devices via CVE-2022-26318. By 2024, they were chaining Veeam exploitation (CVE-2023-27532) with edge device targeting. By 2025, the activity shifted further: the group concentrated on misconfigured customer network edge devices rather than zero-days, reducing their own operational exposure while achieving identical outcomes.

"This tactical adaptation enables the same operational outcomes—credential harvesting and lateral movement—while reducing the actor's exposure and resource expenditure." — Amazon Threat Intelligence, December 2025

Amazon assessed with high confidence that this activity is linked to Sandworm, also tracked as APT44 and Seashell Blizzard. The group's post-compromise behavior follows a consistent pattern: compromise a customer edge device, then attempt to authenticate against the victim organization's online services using harvested credentials. Documented targets included electric utility organizations, energy providers, and managed security service providers serving the energy sector.

China-nexus operations. TeamT5 researchers documented 27 critical vulnerabilities affecting edge infrastructure throughout 2025, with China-nexus actors responsible for a substantial share of exploitation. These groups have developed custom backdoors designed for specific device families—firmware-level implants that survive both software updates and system restarts. French cybersecurity agency ANSSI documented a campaign in which a Chinese-linked intrusion set (Houken, overlapping with UNC5174) exploited three Ivanti Cloud Services Appliance zero-days against French government, telecommunications, media, finance, and transport sectors. The attackers deployed a Linux kernel module called sysinitd.ko that hijacks inbound TCP traffic across all ports, enabling root-level command execution even after the device is patched at the software level.

The ArcaneDoor and Pacific Rim campaigns. Cisco's Adaptive Security Appliances were targeted in the ArcaneDoor campaign, executed by nation-state actors to infiltrate government and industrial networks while maintaining covert long-term access. The Pacific Rim campaign pointed to China-based operators targeting Sophos firewalls and VPN gateways via CVE-2020-12271 and CVE-2022-1040. Chinese groups tracked as Huapi and SLIME86 have also been observed breaching IT service providers before pivoting downstream into government and critical infrastructure networks through what researchers term the "Fail-of-Trust Model"—inheriting access through compromised supply chain relationships.

Ransomware Groups Follow the Same Playbook

What began as a predominantly nation-state tactic has been adopted by financially motivated criminal groups with notable speed. The Akira ransomware operation illustrates how this plays out operationally. Field Effect documented a sustained SonicWall exploitation campaign in which Akira operators used valid credentials tied to historic compromises, linked to CVE-2024-40766. The group authenticated into high-privilege systems, disabled security controls, staged and exfiltrated data, then deployed ransomware in a double-extortion model.

"Some organizations hadn't applied the patch. Others had, but failed to rotate credentials that were exposed while the system was vulnerable. So 'we patched' wasn't the end of the story. The compromise lived on in credential reuse." — Field Effect 2026 Cyber Threat Outlook Report

Ransomware families including Conti, REvil, Hive, and Cring have all been observed exploiting CVE-2020-12812, a five-year-old Fortinet vulnerability. As of January 2026, Shadowserver tracked more than 10,000 Fortinet firewalls still vulnerable to this attack, with over 1,300 in the United States alone—five years after CISA added it to the Known Exploited Vulnerabilities catalog.

Operational Relay Boxes (ORBs) have also become a key component of this threat. Attackers compromise edge devices—including consumer routers, DVRs, and small-office appliances—and repurpose them as relay infrastructure to anonymize command-and-control traffic and evade IP-based blocklists. In September 2024, Cloudflare mitigated what it described as the largest DDoS attack in recorded history, originating from a botnet of compromised edge devices. GreyNoise found that a credential-spraying campaign against U.S. Remote Desktop services expanded from 2,000 to 300,000 participating IP addresses over just 72 days, with 73 percent of those IPs classified as residential connections—centrally coordinated through compromised consumer devices carrying no prior malicious history.

Note

Applying a patch to a compromised edge device does not remove an attacker who has established persistence at the firmware or kernel level. Organizations exposed during a zero-day window must treat affected devices as compromised, conduct forensic review, and consider full decommission and replacement rather than patch-only remediation.

CISA Draws a Hard Line: BOD 26-02

On February 5, 2026, CISA issued Binding Operational Directive 26-02, the most concrete federal policy response to the sustained campaign against edge infrastructure. The directive requires all U.S. Federal Civilian Executive Branch agencies to manage the lifecycle of edge devices against a strict timeline: inventory all EOS devices within 3 months (by May 5, 2026), decommission listed devices within 12 months, replace all EOS devices within 18 months, and establish continuous discovery processes within 24 months.

"The imminent threat of exploitation to agency information systems running EOS edge devices is substantial and constant." — CISA, Binding Operational Directive 26-02, February 2026

The directive covers load balancers, firewalls, routers, switches, wireless access points, network security appliances, IoT edge devices, and software-defined networking components. While BOD 26-02 legally applies only to federal civilian agencies, CISA explicitly urges all network defenders to follow the same guidance. Joseph M. Saunders, founder and CEO of RunSafe Security, noted that "unsupported edge devices are not just an IT lifecycle issue—they represent a direct risk to physical operations," particularly in OT environments where breached edge infrastructure can provide access to systems controlling physical processes.

Live Exploits in 2026: CVEs to Know Now

The vulnerability landscape for edge devices in early 2026 is active, not theoretical. Several vulnerabilities are being exploited in the wild right now.

CVE-2026-1281 and CVE-2026-1340 (Ivanti EPMM). On January 29, 2026, Ivanti disclosed two critical vulnerabilities in Endpoint Manager Mobile carrying a CVSS score of 9.8, allowing unauthenticated remote code execution. Both were exploited as zero-days prior to disclosure. Germany's BSI found evidence of exploitation dating back to July 2025—meaning attackers had six months of undetected access before disclosure. CISA added CVE-2026-1281 to its KEV catalog with a three-day remediation deadline. Palo Alto Networks Unit 42 identified over 4,400 exposed EPMM instances and observed deployment of web shells, cryptocurrency miners, a persistent backdoor, and the Nezha monitoring utility previously seen in China-linked activity. Rapid7 assessed that any organization exposing vulnerable EPMM to the internet at the time of disclosure should treat those instances as compromised and initiate incident response immediately.

# Search EPMM HTTP daemon logs for exploitation of CVE-2026-1281 / CVE-2026-1340
# Vendor-supplied detection regex (Ivanti security advisory, January 2026)
^(?!127\.0\.0\.1:\d+ .*$).*?\/mifs\/c\/(aft|app)store\/fob\/.*?404
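To show how the vendor regex above behaves on log text, here is an added Python example (not Ivanti's code and not part of the advisory) that compiles the regex as quoted and runs it over a few constructed log lines. The log layout is an assumption: a "client:port" field first, then the request line and status, which is the shape the regex's leading 127.0.0.1 exclusion expects.

```python
import re

# Vendor-supplied detection regex as quoted on the page (Ivanti advisory, January 2026).
# The negative lookahead skips requests that originate from the appliance itself;
# the rest matches a /mifs/c/aftstore/fob/ or /mifs/c/appstore/fob/ path followed
# by a 404 later on the same line.
EPMM_EXPLOIT_RE = re.compile(
    r"^(?!127\.0\.0\.1:\d+ .*$).*?\/mifs\/c\/(aft|app)store\/fob\/.*?404"
)

# Constructed sample HTTP daemon log lines (assumed layout, not real EPMM output).
SAMPLE_LOG = """\
203.0.113.7:51234 - - [29/Jan/2026:10:15:01 +0000] "GET /mifs/c/aftstore/fob/unknown HTTP/1.1" 404 196
198.51.100.9:44010 - - [29/Jan/2026:10:15:03 +0000] "GET /mifs/c/appstore/fob/missing HTTP/1.1" 404 196
127.0.0.1:39922 - - [29/Jan/2026:10:15:05 +0000] "GET /mifs/c/aftstore/fob/healthcheck HTTP/1.1" 404 196
203.0.113.7:51240 - - [29/Jan/2026:10:15:07 +0000] "GET /mifs/login.jsp HTTP/1.1" 200 5120
"""


def scan_epmm_log(text: str) -> list[str]:
    """Return every line matching the vendor regex, for analyst triage."""
    return [line for line in text.splitlines() if EPMM_EXPLOIT_RE.search(line)]


def external_sources(hits: list[str]) -> set[str]:
    """Collect the client IP (text before the first ':') of each hit for enrichment."""
    return {line.split(":", 1)[0] for line in hits}


if __name__ == "__main__":
    hits = scan_epmm_log(SAMPLE_LOG)
    for hit in hits:
        print("HIT:", hit)
    print("sources to enrich:", sorted(external_sources(hits)))
```

Two properties of the regex are worth knowing before acting on hits. The loopback exclusion means local probes are ignored, so a line that is otherwise identical but starts with `127.0.0.1:` is not reported. And the trailing `.*?404` matches the first `404` anywhere after the path, not specifically the status field, so a request with another status code and `404` elsewhere on the line can also match; treat hits as triage leads to confirm against the full request, not as verdicts.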

CVE-2020-12812 (Fortinet SSL-VPN). Fortinet issued a fresh warning in late December 2025 about renewed abuse of this five-year-old authentication bypass. As of January 2026, Shadowserver tracked over 10,000 Fortinet firewalls still vulnerable, with more than 1,300 in the United States alone. APT5, Iranian-backed actors, Russian SVR operatives, and ransomware families have all exploited this vulnerability in documented attacks. Its persistence is a case study in the lifecycle management failure that BOD 26-02 was designed to address.

CVE-2024-40766 (SonicWall SSL-VPN). The entry point for the Akira ransomware campaign documented by Field Effect. Organizations that patched without rotating credentials exposed during the vulnerability window remained open to follow-on attacks—underscoring that patching and credential hygiene are two separate, non-optional remediation steps.

Key Takeaways

  1. Patch and rotate credentials, in that order: Patching a vulnerable edge device is necessary but not sufficient. Any device that was vulnerable and internet-facing must be treated as potentially compromised, with a full credential rotation for any credentials that could have transited that device during the exposure window.
  2. End-of-support devices are an unacceptable operational risk: A device that no longer receives security updates accumulates unpatched vulnerabilities indefinitely. Build lifecycle management into procurement and budgeting as an operational discipline, not a one-time remediation project. BOD 26-02 is the federal mandate; the logic applies universally.
  3. Assume firmware-level persistence is possible after any long-term exposure: Sophisticated actors can implant code that survives patching and rebooting. For devices suspected of extended compromise, full decommission and hardware replacement is the only reliable remediation. Forensic investigation should precede any decision to patch and retain.
  4. Management interfaces must never be exposed to the internet: Exposed management interfaces remain a primary initial access vector. Audit all edge devices, disable any internet-facing management panels, and enforce network segmentation that isolates management traffic from production environments.
  5. Monitor for post-exploitation identity abuse: Once inside an edge device, credential replay against cloud services and identity providers is the consistent next move. Implement authentication anomaly detection, monitor for logins from unexpected geographic locations, and review extended historical windows after any suspected device compromise.
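Takeaways 1 and 5 describe one review that an incident responder actually runs after a gateway exposure: list the accounts whose credentials transited the device during the exposure window (those must be rotated), then look for later identity-provider logins by those accounts from places outside their pre-exposure baseline. The following is an added Python example written here to illustrate that review; it is not code from any of the reports cited on the page. The event schema, the `vpn`/`idp` source labels, the exposure window and all events are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class AuthEvent:
    ts: datetime
    user: str
    source: str     # "vpn": session through the affected gateway; "idp": cloud identity provider
    country: str
    success: bool


def parse_ts(text: str) -> datetime:
    """Parse an ISO-8601 timestamp and treat it as UTC."""
    return datetime.fromisoformat(text).replace(tzinfo=timezone.utc)


# Constructed exposure window: first day the gateway was vulnerable and
# internet-facing, up to the moment it was patched.
EXPOSURE_START = parse_ts("2025-12-20T00:00:00")
EXPOSURE_END = parse_ts("2026-01-10T12:00:00")

# Constructed sample events (not real data).
EVENTS = [
    AuthEvent(parse_ts("2025-11-15T08:00:00"), "bob", "vpn", "US", True),    # pre-window baseline
    AuthEvent(parse_ts("2025-12-01T08:00:00"), "alice", "vpn", "US", True),  # pre-window baseline
    AuthEvent(parse_ts("2025-12-22T09:10:00"), "alice", "vpn", "US", True),  # inside window: rotate
    AuthEvent(parse_ts("2026-01-03T17:45:00"), "bob", "vpn", "US", True),    # inside window: rotate
    AuthEvent(parse_ts("2026-01-12T02:30:00"), "alice", "idp", "NL", True),  # post-window, new country
    AuthEvent(parse_ts("2026-01-13T09:00:00"), "bob", "idp", "US", True),    # post-window, known country
    AuthEvent(parse_ts("2026-01-14T04:12:00"), "carol", "idp", "BR", True),  # never transited the device
]


def accounts_to_rotate(events, start, end):
    """Accounts whose credentials transited the gateway during the exposure window."""
    return sorted({e.user for e in events if e.source == "vpn" and start <= e.ts <= end})


def baseline_countries(events, user, before):
    """Countries the user successfully logged in from strictly before the exposure began.
    The window itself is excluded so attacker logins cannot pollute the baseline."""
    return {e.country for e in events if e.user == user and e.success and e.ts < before}


def suspicious_post_exposure_logins(events, start, end):
    """Successful IdP logins after patching, by exposed accounts, from countries
    outside each account's pre-exposure baseline. Credential replay is the
    consistent next move after a gateway compromise, so these go to the top of the queue."""
    exposed = set(accounts_to_rotate(events, start, end))
    findings = []
    for e in sorted(events, key=lambda ev: ev.ts):
        if e.user not in exposed or e.source != "idp" or not e.success or e.ts <= end:
            continue
        if e.country not in baseline_countries(events, e.user, start):
            findings.append(e)
    return findings


if __name__ == "__main__":
    print("rotate:", accounts_to_rotate(EVENTS, EXPOSURE_START, EXPOSURE_END))
    for f in suspicious_post_exposure_logins(EVENTS, EXPOSURE_START, EXPOSURE_END):
        print(f"REVIEW: {f.user} logged in from {f.country} at {f.ts.isoformat()}")
```

The baseline is built only from logins before the window opened, which is why bob's post-patch login from his usual country is not flagged while alice's from a new one is. Rotation is driven by exposure alone: every account that transited the device during the window is listed regardless of whether anything suspicious followed, which is exactly the point of takeaway 1.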

The edge device problem has moved from a recognized risk to an active crisis. Agencies, enterprises, and critical infrastructure operators face attackers who are automated, patient, and operating at scale. The 212 malicious sessions per second that GreyNoise documented are not random noise—they are organized, coordinated campaigns probing for the gaps that defenders have not yet closed. BOD 26-02 is a signal that policymakers understand the stakes. The question now is whether organizations, federal and private alike, can build the operational discipline to match the pace of exploitation.

Sources

CISA, Binding Operational Directive 26-02, February 5, 2026
Amazon Threat Intelligence, Russian Cyber Threat Group Targeting Western Critical Infrastructure, December 2025
Google Cloud Threat Intelligence, 2025 Zero-Days in Review, March 2026
Field Effect, 2026 Cyber Threat Outlook Report, March 2026
GreyNoise / Help Net Security, State of the Edge H2 2025, February 2026
Eclypsium, Fortinet Under Fire: Network Edge Attacks Start Strong in 2026, January 2026
Palo Alto Networks Unit 42, CVE-2026-1281 and CVE-2026-1340 Exploitation, February 2026
Rapid7, CVE-2026-1281 and CVE-2026-1340 ETR, January 2026
SecurityWeek, Ivanti Exploitation Surges, Traced to July 2025, February 2026
ANSSI / The Hacker News, Chinese Hackers Exploit Ivanti CSA Zero-Days, July 2025
NSA / CISA, Security Considerations for Edge Devices, February 2025