Over the past three years, the number of critical vulnerabilities affecting network equipment has increased significantly. Firewalls, routers, and other security appliances are regularly targeted by attacks exploiting flaws in the software layer.
Whether the attacks are launched by IABs (Initial Access Brokers), cybercriminal groups whose business model is based on selling initial access to infrastructure worldwide, or by state-sponsored groups, the situation poses a major problem: many companies and institutions continue to expose vulnerable equipment online, sometimes several months after a patch is released. Our observation of three high-severity vulnerabilities affecting Cisco, Palo Alto, and Fortinet equipment confirms this trend.
Thanks to our ONYPHE attack surface analysis platform, we were able to monitor the actions taken to address these vulnerabilities over time.
This bulletin presents the current status of these three major vulnerabilities and recommendations for limiting their impact.
Cisco CVE-2023-20198 Flaw – October 16, 2023
According to a security advisory published by Cisco on October 16, 2023, a critical vulnerability, identified as CVE-2023-20198, affects the web-based management interface for devices running IOS XE, the operating system for Cisco routers and switches.
This flaw allows an unauthenticated attacker to create an account with level 15 privileges on the device, equivalent to administrator access. Once this level of access is obtained, the attacker can execute arbitrary commands, compromising the integrity and security of the entire network. Despite Cisco’s release of patches, as of February 18, 2025, a significant number of devices remain vulnerable worldwide:
- 22,484 devices compromised worldwide
- 42,561 devices still vulnerable worldwide
- 125 devices compromised in France
- 327 devices vulnerable in France
When the vulnerability was disclosed, nearly 80,000 devices were exposed, including nearly 60,000 compromised over the course of a weekend.
This persistence of the vulnerability can be explained by the complexity of updating routing equipment. These devices handle large-scale traffic volumes, and a poorly executed update can cause major service interruptions.
As a result, operators are hesitant to apply patches immediately, often preferring to delay updates to avoid potential disruptions. This conservative approach unfortunately leaves a window of opportunity for attackers to exploit the vulnerability.
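Because exploitation of CVE-2023-20198 leaves a privilege 15 account behind and requires the web UI (HTTP/HTTPS server) to be reachable, one defensive check is to audit a device's running configuration for unexpected level-15 accounts and for an enabled web server. The following script is an added example, not ONYPHE's or Cisco's code; the configuration text is constructed, and the set of expected administrator names is an assumption you would replace with your own inventory.

```python
import re
from typing import Dict, List, Set

# Constructed sample of IOS XE "show running-config" output (not from a real device).
SAMPLE_CONFIG = """\
hostname edge-rtr-01
!
username netops privilege 15 secret 9 $9$placeholder1
username cisco_tac_admin privilege 15 secret 9 $9$placeholder2
username monitor privilege 1 secret 9 $9$placeholder3
!
ip http server
ip http secure-server
!
"""

# Assumption: the accounts legitimately allowed to hold privilege 15 on this device.
KNOWN_ADMINS: Set[str] = {"netops"}

# Matches "username <name> privilege <level> ..." lines in a running-config.
USER_RE = re.compile(r"^username\s+(\S+)\s+privilege\s+(\d+)\b", re.M)


def audit_ios_xe_config(config: str, known_admins: Set[str] = KNOWN_ADMINS) -> Dict[str, object]:
    """Flag privilege 15 accounts not in the allow-list and whether the web UI is enabled."""
    priv15: List[str] = [name for name, level in USER_RE.findall(config) if int(level) == 15]
    unexpected = sorted(set(priv15) - known_admins)
    # "ip http server" / "ip http secure-server" enable the web management interface
    # that the vulnerable code path lives in; "no ip http ..." lines must not match.
    http_enabled = re.search(r"^ip http server\s*$", config, re.M) is not None
    https_enabled = re.search(r"^ip http secure-server\s*$", config, re.M) is not None
    return {
        "privilege15_accounts": sorted(priv15),
        "unexpected_privilege15": unexpected,
        "web_ui_exposed": http_enabled or https_enabled,
    }


if __name__ == "__main__":
    findings = audit_ios_xe_config(SAMPLE_CONFIG)
    for key, value in findings.items():
        print(f"{key}: {value}")
```

An unexpected privilege 15 account on a device whose web UI is exposed is a strong signal that the device should be treated as compromised and investigated, not merely patched.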
Palo Alto CVE-2024-3400 Flaw – April 12, 2024
On April 12, 2024, Palo Alto Networks published a security advisory regarding a critical vulnerability identified as CVE-2024-3400. This flaw affects the GlobalProtect functionality of PAN-OS, the operating system for Palo Alto Networks firewalls. It allows an unauthenticated attacker to execute arbitrary code with root privileges on the firewall, compromising the security of the device and the associated network. NGFW, Panorama, and Prisma Access cloud services are not impacted by this vulnerability.
Upon discovery of this vulnerability, Palo Alto Networks responded promptly by releasing patches for the affected versions of PAN-OS. This responsiveness has enabled a rapid reduction in the number of vulnerable devices, as described below:
- April 15, 2024: 39,307 vulnerable devices (986 in France)
- April 22, 2024: 10,024 vulnerable devices (179 in France)
- February 18, 2025: 860 vulnerable devices (15 in France)
This drastic reduction can be explained by the ease of updating and replacing firewalls. Unlike routers, these devices can be patched without major impact on the network, allowing for rapid intervention by administrators.
Fortinet CVE-2024-55591 Flaw – January 14, 2025
On January 14, 2025, Fortinet published a security advisory regarding a critical vulnerability, identified as CVE-2024-55591, affecting its FortiOS and FortiProxy products. This flaw allows an unauthenticated remote attacker to bypass authentication mechanisms by sending requests to the Node.js WebSocket module, granting them super-administrator privileges on compromised systems.
Despite the availability of patches, as of February 18, 2025, a significant number of devices remain vulnerable:
- 48,628 vulnerable devices worldwide
- 895 in France
What to do about these CVEs?
Vulnerabilities affecting network equipment pose a particular challenge. When a firewall or router is compromised, all traffic can be intercepted or modified. Several approaches can mitigate these risks.
Apply available patches
Updating devices as soon as a patch is released remains the most effective solution to prevent known vulnerabilities from being exploited. However, in some critical environments, updates cannot be applied immediately. They often require testing to ensure they do not disrupt network operations. This constraint can delay their deployment, leaving devices vulnerable for an extended period.
Replace equipment when necessary
When patching is too complex or impossible, replacing the hardware with a newer or unaffected model may be an alternative. This approach is more common for firewalls, which are often deployed redundantly and can be changed without impacting the infrastructure. However, replacing a router can be more difficult because these devices are typically integrated into large networks and require more planning.
Set up a double security barrier
The French National Agency for Information Systems Security (ANSSI) recommends an approach based on the use of two firewalls from different manufacturers to limit the impact of a vulnerability on a specific device.
This means that even if one device is affected by a CVE, the other remains active and applies the filtering rules.
This strategy limits the risks in the event of a compromise of one of the firewalls. However, it involves additional costs and more complex management, which can be a barrier for small and medium-sized businesses.
Anticipating the requirements of the NIS 2 directive
The NIS 2 directive, which strengthens cybersecurity obligations for many companies, requires better protection of network infrastructures. Adopting measures such as double-barrier protection and improving update processes is becoming essential to meet these new requirements. This regulatory change encourages organizations to further structure their vulnerability management and strengthen the security of their network equipment.
Furthermore, implementing an attack surface management solution such as ONYPHE helps organizations demonstrate compliance and reach a higher level of cyber resilience.
The essentials
Network vulnerabilities continue to multiply, with active exploits targeting critical equipment. This ONYPHE situational awareness bulletin highlights the difficulty of patching certain infrastructures, which prolongs their exploitation by malicious actors.
While updating remains the best solution, it is sometimes impractical in critical environments. Adopting strategies such as double-barrier security or replacing equipment then becomes necessary to mitigate risks. Faced with the growing requirements of NIS 2, organizations will need to adapt their vulnerability management to effectively protect their network infrastructures.
About ONYPHE:
ONYPHE is an attack surface management solution that monitors the exposure of vulnerable devices on the internet by analyzing IP addresses, accessible services, URLs, and indicators of active exploitation.
By collecting real-time data on over 300 million domains and nearly 500 million active IP addresses (IPv4 and IPv6 combined), ONYPHE helps identify affected systems, assess the risks posed by these assets, and track the evolution of exploited vulnerabilities.
To learn more, visit us at: https://www.onyphe.io/