Secplicity Blog


Global Surge of VPN Exploits: Brute-Force, Blast-RADIUS and Password Spray

The past 18 months have been shaped by a surge in brute-force attacks and critical vulnerabilities (CVEs) targeting VPNs, authentication services, privilege elevation, and denial of service across the network security landscape. This timeline outlines key advisories and CVEs, beginning with Cisco Talos' landmark SSL VPN brute-force advisory in March 2024 and ending with the most recent threat signals, as attacks evolve toward breaching network security vendors directly.

Cisco Talos Sounds the Alarm 

March 2024: Cisco Talos began monitoring a large-scale surge in brute-force attacks targeting VPNs, SSH services, and web authentication interfaces. These attacks were largely indiscriminate, originated from Tor exit nodes and anonymizing proxies, and were aimed at services including Cisco Secure Firewall VPN, Check Point VPN, Fortinet VPN, SonicWall VPN, RD Web Services, and others.

The brute-force attempts used both generic and organization-specific usernames, leading to account lockouts, unauthorized access, and denial-of-service (DoS) conditions. 

However, there were earlier signs, in February 2024, that at least three CVEs in Fortinet VPN products were already being actively exploited.

  • CVE-2024-21762: A critical out-of-bounds write vulnerability in the FortiOS SSL-VPN component that could enable unauthenticated attackers to execute arbitrary code or commands. This vulnerability was actively exploited by threat actors.
  • CVE-2024-23113: A format string vulnerability in FortiOS SSL-VPN that could allow unauthenticated attackers to execute arbitrary code or commands.
  • CVE-2024-50562: An improper access control vulnerability in the SSL-VPN cookie that could allow for insufficient session expiration.

The Original “Blast-RADIUS” Vulnerability  

July 2024: The disclosure of CVE-2024-3596, known as Blast-RADIUS, marked a pivotal moment in the evolution of authentication-related vulnerabilities. Unlike traditional brute-force or credential stuffing attacks, Blast-RADIUS exploited a cryptographic weakness in the RADIUS protocol itself, allowing attackers to forge authentication responses without needing credentials or shared secrets.

The flaw affected any RADIUS implementation based on RFC 2865, making it protocol-level and vendor-agnostic. This means that hundreds of products across dozens of vendors are vulnerable, including:

  • Cisco: ASA, FTD, FMC, Meraki MX, Duo Proxy, ISE, Catalyst SD-WAN, Nexus, UCS
  • Juniper Networks: SRX and MX series
  • Microsoft: NPS (Network Policy Server)
  • Red Hat: FreeRADIUS and PAM modules
  • SonicWall, Fortinet, Aruba, Palo Alto Networks, and numerous other vendors

The vulnerability sparked widespread concern due to its stealthy nature and broad applicability. Security researchers emphasized that Blast-RADIUS was not just a bug but a fundamental flaw in the protocol design, akin to Heartbleed or Log4Shell in terms of systemic risk.
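To make the protocol-level point concrete, here is an added example in Python (not code from the original post or from any vendor named above). It implements the RFC 2865 Response Authenticator, the unkeyed MD5 construction that Blast-RADIUS attacks, and the RFC 2869 Message-Authenticator, the HMAC-MD5 attribute that the post-disclosure hardening guidance requires on Access-Accept and Access-Reject packets. It does not reproduce the MD5 collision itself; it shows why a client that trusts the Response Authenticator alone is exposed, and that a client which requires Message-Authenticator refuses the unkeyed response shape the attack forges. The shared secret, identifier, user name and packet contents are constructed for the example.

```python
"""RFC 2865 Response Authenticator and RFC 2869 Message-Authenticator (added example)."""
import hashlib
import hmac
import os
import struct

ACCESS_ACCEPT, ACCESS_REJECT = 2, 3
ATTR_USER_NAME = 1
ATTR_MESSAGE_AUTHENTICATOR = 80
HEADER = struct.Struct("!BBH")  # Code, Identifier, Length

# Constructed shared secret for the example; never a real deployment value.
SECRET = b"example-shared-secret"


def encode_attr(attr_type, value):
    """Type-Length-Value; Length includes the two header bytes."""
    return bytes([attr_type, len(value) + 2]) + value


def parse_attrs(data):
    """Yield (type, offset, value) so a caller can locate and zero a field."""
    pos = 0
    while pos < len(data):
        attr_type, length = data[pos], data[pos + 1]
        if length < 2 or pos + length > len(data):
            raise ValueError("malformed attribute")
        yield attr_type, pos, data[pos + 2:pos + length]
        pos += length


def response_authenticator(code, identifier, request_auth, attrs, secret):
    """RFC 2865 s3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret).
    This is the unkeyed-hash construction that Blast-RADIUS collides."""
    header = HEADER.pack(code, identifier, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def message_authenticator(code, identifier, request_auth, attrs, secret):
    """RFC 2869 s5.14: HMAC-MD5 keyed with the secret over the whole packet,
    computed with the Message-Authenticator value zeroed. Responses use the
    Request Authenticator of the Access-Request they answer."""
    header = HEADER.pack(code, identifier, 20 + len(attrs))
    return hmac.new(secret, header + request_auth + attrs, hashlib.md5).digest()


def build_response(code, identifier, request_auth, attrs, secret, with_message_auth=True):
    """Build an Access-Accept/Reject as a server would, optionally with
    Message-Authenticator placed first, as the hardening guidance requires."""
    if with_message_auth:
        zeroed = encode_attr(ATTR_MESSAGE_AUTHENTICATOR, bytes(16)) + attrs
        mac = message_authenticator(code, identifier, request_auth, zeroed, secret)
        attrs = encode_attr(ATTR_MESSAGE_AUTHENTICATOR, mac) + attrs
    auth = response_authenticator(code, identifier, request_auth, attrs, secret)
    return HEADER.pack(code, identifier, 20 + len(attrs)) + auth + attrs


def verify_response(packet, request_auth, secret, require_message_auth):
    """Client-side check. With require_message_auth=False this is the legacy
    behaviour that trusts the MD5 Response Authenticator alone."""
    if len(packet) < 20:
        return False
    code, identifier, length = HEADER.unpack(packet[:4])
    if length != len(packet):
        return False
    auth, attrs = packet[4:20], packet[20:]
    if not hmac.compare_digest(auth, response_authenticator(code, identifier, request_auth, attrs, secret)):
        return False
    macs = [(off, val) for typ, off, val in parse_attrs(attrs) if typ == ATTR_MESSAGE_AUTHENTICATOR]
    if not macs:
        return not require_message_auth  # a hardened client refuses an unkeyed-only response
    offset, value = macs[0]
    if len(value) != 16:
        return False
    zeroed = attrs[:offset + 2] + bytes(16) + attrs[offset + 18:]
    return hmac.compare_digest(value, message_authenticator(code, identifier, request_auth, zeroed, secret))


def demo():
    """Exercise the checks; returns the outcomes rather than printing them."""
    request_auth = os.urandom(16)  # taken from the client's Access-Request
    attrs = encode_attr(ATTR_USER_NAME, b"alice")  # constructed user
    modern = build_response(ACCESS_REJECT, 7, request_auth, attrs, SECRET)
    legacy = build_response(ACCESS_REJECT, 7, request_auth, attrs, SECRET, with_message_auth=False)
    # On-path edit without the secret: flip Reject to Accept. The MD5 check
    # still catches this naive change; Blast-RADIUS exists to craft attributes
    # that make the hash match anyway, which the keyed HMAC check is immune to.
    tampered = bytes([ACCESS_ACCEPT]) + legacy[1:]
    return {
        "modern_strict": verify_response(modern, request_auth, SECRET, True),
        "modern_legacy": verify_response(modern, request_auth, SECRET, False),
        "legacy_client_accepts_unkeyed": verify_response(legacy, request_auth, SECRET, False),
        "strict_client_accepts_unkeyed": verify_response(legacy, request_auth, SECRET, True),
        "tampered_accepted": verify_response(tampered, request_auth, SECRET, False),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The design point is the difference between the two checks: the Response Authenticator is a plain MD5 over data the attacker partly controls, so a collision in MD5 is a collision in the check, whereas the Message-Authenticator is keyed with the shared secret, so an on-path party that does not know the secret cannot produce a valid one no matter what it does to the hash. Requiring the attribute on both sides, or moving to RADIUS over TLS/DTLS as the post describes, is what closes the gap.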

The Blast-RADIUS disclosure accelerated several industry-wide shifts: 

  1. Migration to Encrypted RADIUS: Organizations began transitioning to RADIUS over TLS/DTLS, especially in cloud and hybrid environments.
  2. Protocol Audits: Vendors initiated cryptographic reviews of legacy protocols, including TACACS+, LDAP, and Kerberos.
  3. Authentication Hardening: Businesses adopted multi-factor authentication (MFA) and certificate-based access to reduce reliance on vulnerable protocols.
  4. Zero Trust Adoption: The event reinforced the need to deny access by default, enforce identity-aware policy-based access control, and adopt secure access service edge (SASE) with zero trust network micro-segmentation.

SonicWall SSL VPN Exploitation  

August 2024: SonicWall confirmed that recent attacks on Gen 7 firewalls with SSL VPN enabled were linked to CVE-2024-40766, a critical improper access control vulnerability that can lead to unauthorized access and a firewall crash (denial of service).

Attack Vectors: 

  • Password re-use during migration from Gen 6 to Gen 7 firewalls
  • Brute-force and MFA bypass attempts
  • Deployment of Akira ransomware following initial access 

SonicWall's advisory emphasized that the threat was not a zero-day but rather the result of unpatched systems and poor credential hygiene.

Cisco VPN Brute Force Denial of Service Vulnerability 

October 2024: Cisco disclosed CVE-2024-20481, a vulnerability in its Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) software. This flaw allowed unauthenticated attackers to trigger DoS by flooding VPN authentication requests, exhausting system resources. 

The vulnerability was actively exploited and added to CISA’s Known Exploited Vulnerabilities catalog. Cisco confirmed the link between this CVE and the brute-force activity observed earlier in the year. 

WatchGuard Global SSL Brute-Force Activity Bulletin 

October 2024: WatchGuard similarly observed that global SSL VPN credential and authentication brute-force activity had increased significantly in scale. A Knowledge Base article with information and best practices for dealing with brute-force disruptions is continually updated as the systemic risk posed by these vulnerabilities evolves.

Microsoft observes intrusion activity successfully stealing credentials in password spray attacks 

October 2024: Since August 2023, Microsoft has observed intrusion activity targeting and successfully stealing credentials from multiple Microsoft customers that is enabled by highly evasive password spray attacks. Microsoft has linked the source of these password spray attacks to a network of compromised devices tracked as CovertNetwork-1658, also known as xlogin and Quad7 (7777). 

Password spraying attacks on Citrix NetScaler/Gateway

December 2024: Some of these attacks have targeted NetScaler appliances. Cloud Software Group has collaborated with affected customers to analyze the issues and recommend remediations. These attacks are consistent with password spraying and are distinct from brute force: instead of trying many passwords against a single account, attackers try a small set of common passwords against many accounts to avoid detection and account lockouts.

SonicWall – SSL VPN Authentication Bypass Vulnerabilities 

January 2025: Another series of vulnerabilities and CVEs issued by SonicWall included: 

  • CVE-2024-40762 – SonicOS SSLVPN Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG). The SonicOS SSLVPN authentication token generator uses a cryptographically weak PRNG that, in certain cases, can be predicted by an attacker, potentially resulting in authentication bypass.
  • CVE-2024-53704 – SonicOS SSLVPN Authentication Bypass Vulnerability. An improper authentication vulnerability in the SSLVPN authentication mechanism allows a remote attacker to bypass authentication.
  • CVE-2024-53705 – SonicOS SSH Management Server-Side Request Forgery Vulnerability. A server-side request forgery vulnerability in the SonicOS SSH management interface allows a remote attacker to establish a TCP connection to an IP address on any port when the user is logged in to the firewall.
  • CVE-2024-53706 – Gen7 SonicOS Cloud NSv SSH Config Function Local Privilege Escalation Vulnerability. A vulnerability in the Gen7 SonicOS Cloud platform NSv (AWS and Azure editions only) allows a remote authenticated local low-privileged attacker to elevate privileges to `root` and potentially leads to code execution.

Ivanti Connect Secure VPN and ZTA Gateway Zero-Day Exploit 

January 2025: Ivanti disclosed two vulnerabilities, CVE-2025-0282 and CVE-2025-0283, impacting Ivanti Connect Secure ("ICS") VPN appliances. CVE-2025-0282 is a stack-based buffer overflow in Ivanti Connect Secure, Ivanti Policy Secure, and Ivanti Neurons for ZTA gateways that allows a remote unauthenticated attacker to achieve remote code execution, while CVE-2025-0283 allows a local authenticated attacker to elevate their privileges.

Ivanti has released patches for the vulnerabilities exploited in this campaign, and Ivanti customers are urged to follow the actions in the Security Advisory to secure their systems. 

Fortinet warns of Authentication Bypass Zero-Day to hijack firewalls 

January 2025: Attackers are exploiting a new authentication bypass zero-day vulnerability in FortiOS and FortiProxy to hijack Fortinet firewalls and breach enterprise networks. This security flaw, CVE-2024-55591, impacts numerous Forti products; successful exploitation allows remote attackers to gain super-admin privileges by making malicious requests to the Node.js websocket module.

Fortinet says attackers exploiting the zero-day in the wild are creating randomly generated admin or local users on compromised devices and are adding them to existing SSL VPN user groups or to new ones they also add. 

Critical CVEs Surface for Cisco VPN and Cisco Meraki Gateways  

June 2025: A new vulnerability, CVE-2025-20271, in the Cisco AnyConnect VPN server of Cisco Meraki MX and Cisco Meraki Z Series Teleworker Gateway devices could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition in the Cisco AnyConnect service on an affected device. The vulnerability is due to variable initialization errors when an SSL VPN session is established.

An attacker could exploit this vulnerability by sending a sequence of crafted HTTPS requests to an affected device. A successful exploit could allow the attacker to cause the Cisco AnyConnect VPN server to restart, resulting in the failure of all established SSL VPN sessions and forcing remote users to initiate a new VPN connection and re-authenticate. A sustained attack could prevent new SSL VPN connections from being established, effectively making the Cisco AnyConnect VPN service unavailable for all legitimate users. 

Multiple Vulnerabilities in Cisco Secure Firewall ASA and Secure Firewall Threat Defense – Remote Access SSL VPN and Denial of Service

August 2025: Cisco released a cumulative security advisory, the Cisco Event Response: August 2025 Cisco Secure Firewall ASA, Secure FMC, and Secure FTD Software Security Advisory Bundled Publication. Among many other issues, it covers RADIUS remote code execution, IKEv2 denial of service, IPsec denial of service, DNS inspection denial of service, remote access SSL VPN DoS, certificate DoS, VPN web DoS, authorization bypass, and DHCP DoS.

Surge in coordinated scans target Microsoft RDP and RD Web 

August 2025: GreyNoise Threat Signals released an early warning on a sudden surge in RDP probing. GreyNoise observed a sharp rise in scanning against Microsoft Remote Desktop (RDP) services: nearly 2,000 IPs, the vast majority previously observed and tagged as malicious, simultaneously probed both the Microsoft RD Web Access and Microsoft RDP Web Client authentication portals. The aim was clear: test for timing flaws that reveal valid usernames, laying the groundwork for credential-based intrusions.

A shift from targeting Fortinet VPN to FortiManager 

August 2025: GreyNoise Threat Signals released an early warning on a shift in attacker traffic away from brute-force attacks against Fortinet SSL VPNs (FortiOS) and toward FortiManager. GreyNoise research has shown that spikes in attacker activity often precede new vulnerabilities affecting the same vendor, with 80 percent of observed cases followed by a CVE disclosure within six weeks.

SonicWall Warns Customers to Reset Credentials after Security Breach 

September 2025: SonicWall warned customers to reset credentials after their firewall configuration backup files were exposed in a security breach that impacted MySonicWall accounts. After detecting the incident, SonicWall cut off the attackers' access to its systems and has been collaborating with cybersecurity and law enforcement agencies to investigate the attack's impact.

This disclosure follows a resurgence by the Akira ransomware gang, which continues to gain access to targeted networks via the unpatched SonicWall CVE-2024-40766 improper access control vulnerability and may now also hold backup firewall configurations from the MySonicWall security breach.

Tactics, Techniques and Takeaways 

1. Brute-Force Attacks Are Evolving 
Brute-force methods remain prevalent, but attackers are increasingly moving beyond protocol exploits: rotating custom TCP and client signatures, exploiting configuration-level weaknesses and privilege elevation, and even stealing firewall configuration backups.

2. VPNs and Remote Access Remain Prime Targets 
Cisco, Fortinet, and SonicWall VPNs have been repeatedly targeted. Attackers combine brute-force techniques with CVEs to bypass access controls, forge authentication responses without needing credentials or shared secrets, and cause firewall and VPN denial of service (DoS) by flooding these services with unauthorized requests.

3. Password-Spray Attacks Are Stealthier and Highly Evasive
These attacks use a rotating pool of thousands of IP addresses at any given time combined with a low-volume spray, so monitoring for multiple failed sign-in attempts from one IP address or against one account will not detect this activity.

Turning Awareness Into Actions 

Brute-force, password spray and protocol-level exploits thrive on weak, default and static access controls, outdated configurations and unpatched infrastructure.  

Here’s how to disrupt the playbook: 

Strengthen Identity Security 

Update Firewall Software and Configurations  

  • Set Geolocation Policy: Blocking incoming connections with a Geolocation policy is an effective way to prevent brute force attacks and mitigate current attacks from users outside your country. All incoming connections are handled by the policy, which can deny them before the request reaches on-premises servers, cloud gateways, and cloud-based authentication services.
  • Enable Botnet Detection: When enabled, the Botnet Detection service prevents any known botnet IP address from establishing a successful connection to the WatchGuard SSLVPN policy before it reaches the SSLVPN backend services and authentication services.
  • Block Failed Logins: Use the Block Failed Logins feature to detect and prevent brute force attacks from within countries where you do business. This feature dynamically blocks all authentication attempts from a source IP address when there are repeated authentication attempts with unknown users or invalid passwords.
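The two detection problems raised in this post, the noisy per-source brute force that a Block Failed Logins style control catches and the low-and-slow password spray from the takeaways section that per-IP and per-account thresholds miss, are illustrated by the following added Python script. It is not WatchGuard's code and not a description of how the Block Failed Logins feature is implemented; the log format, IP addresses (RFC 5737 documentation ranges plus one private address) and user names are constructed for the example. Stage 1 blocks a source once it accumulates repeated failures inside a sliding window; stage 2 looks at the remaining failures and alerts when many distinct accounts each fail once or twice from many distinct addresses within a window.

```python
"""Two-stage failed-login analysis over a constructed VPN auth log (added example)."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta


def constructed_log():
    """Build sample log lines; the format and every value are invented here."""
    lines = []
    # Noisy brute force: one source, one account, six failures in 50 seconds.
    for i in range(6):
        lines.append(f"2025-10-01T08:00:{i * 10:02d}Z src=10.0.0.5 user=admin result=FAIL reason=bad_password")
    # A legitimate sign-in in the middle of it all.
    lines.append("2025-10-01T08:05:00Z src=203.0.113.9 user=bob result=SUCCESS reason=-")
    # Low-and-slow spray: fifteen accounts, one failure each, each from its own address.
    for i in range(15):
        lines.append(f"2025-10-01T08:{10 + i:02d}:00Z src=198.51.100.{i + 1} user=user{i:02d} result=FAIL reason=bad_password")
    return "\n".join(lines)


def parse_line(line):
    """'<timestamp> key=value ...' into a dict with a datetime under 'ts'."""
    ts, *fields = line.split()
    event = {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")}
    for field in fields:
        key, _, value = field.partition("=")
        event[key] = value
    return event


def detect_bruteforce(events, threshold=5, window=timedelta(minutes=5)):
    """Stage 1: block a source once it has `threshold` failures inside any
    sliding interval of length `window`, whatever accounts it tried."""
    by_src = defaultdict(list)
    for e in events:
        if e["result"] == "FAIL":
            by_src[e["src"]].append(e["ts"])
    blocked = set()
    for src, times in by_src.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                blocked.add(src)
                break
    return blocked


def detect_spray(events, exclude=frozenset(), window=timedelta(minutes=30),
                 min_users=10, max_per_source=2, max_per_user=2):
    """Stage 2: in each fixed window, alert when many distinct accounts fail
    while no single source and no single account exceeds a small count.
    A per-IP or per-account threshold alone never fires on this shape."""
    failures = sorted((e for e in events if e["result"] == "FAIL" and e["src"] not in exclude),
                      key=lambda e: e["ts"])
    if not failures:
        return []
    t0 = failures[0]["ts"]
    buckets = defaultdict(list)
    for e in failures:
        buckets[int((e["ts"] - t0) / window)].append(e)
    alerts = []
    for idx in sorted(buckets):
        evs = buckets[idx]
        users, sources = Counter(e["user"] for e in evs), Counter(e["src"] for e in evs)
        if (len(users) >= min_users and max(sources.values()) <= max_per_source
                and max(users.values()) <= max_per_user):
            alerts.append({"window_start": t0 + idx * window, "users": len(users),
                           "sources": len(sources), "failures": len(evs)})
    return alerts


def analyze(log_text):
    """Run both stages and also show stage 2 without stage 1 for comparison."""
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    blocked = detect_bruteforce(events)
    return {
        "blocked_sources": blocked,
        "spray_alerts": detect_spray(events, exclude=blocked),
        # Same detector on the raw data: the noisy source's six failures
        # exceed max_per_source and mask the spray entirely.
        "spray_alerts_unfiltered": detect_spray(events),
    }


if __name__ == "__main__":
    for key, value in analyze(constructed_log()).items():
        print(key, value)
```

The ordering matters: running the spray detector on the raw feed lets one loud brute-forcer hide the distributed campaign behind it, so noisy sources are removed first and the residue is judged on breadth of accounts and addresses rather than depth against any one of them. In production the thresholds would be tuned to the size of the user base and the rotation rate the post describes, and the block list would feed the firewall rather than a Python set.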

Consider One Powerful MDR Service 

Consider whether Managed Detection and Response is your forward path. MDR delivers precise, powerful protection without adding to your workload. Get full-stack coverage across WatchGuard endpoint, firewall, and identity, plus critical third-party cloud services, all managed through one unified platform. A 24/7 SOC combines AI-driven automation with real human expertise, cutting through the noise to stop threats faster. No endless alerts, no wasted time – just real security outcomes.