
Edge Devices as the New Initial Access Playground for State-Sponsored Actors

The front door to most enterprises is no longer the inbox. It is the firewall, the VPN concentrator, and the router sitting in a rack that nobody on the security team has logged into in three years. Edge device exploitation jumped from 3% to 22% of all vulnerability exploitation breaches in a single year, an eightfold increase documented in the Verizon 2025 DBIR, and Recorded Future’s H1 2025 report showed that 53% of exploitation activity was state-sponsored, with edge appliances accounting for 17% of all actively exploited CVEs. That is not a temporary spike. It is a structural shift in how foreign intelligence services break into networks, and the defenders’ playbook has not kept up.

This piece walks through why state-sponsored actors moved their initial access work from phishing inboxes to network appliances, who is doing it, which devices and CVEs keep showing up in advisories, and what regulators and defenders are now doing about it. The headline is uncomplicated: the perimeter became the easiest soft target on the network because the security industry spent a decade hardening everything else.

Why Edge Devices Became the Cheapest Way In

For roughly two decades, phishing — tricking a user into running attacker-controlled code or surrendering credentials — was the default initial access vector for nearly every threat actor, state-aligned or otherwise. That changed because the economics changed. Endpoint detection and response (EDR), an agent-based class of security tooling that watches process behavior on workstations and servers, matured into a commodity. Multifactor authentication became default for cloud identity. Application allow-listing closed the easy paths. Phishing still works, but it works less, and what it produces is increasingly noisy on the wire.

Edge devices sit on the other side of that maturity curve. Edge devices are often targeted and compromised because they don’t support Endpoint Detection and Response (EDR) solutions, allowing threat actors to gain initial access to the targets’ internal enterprise networks. In many cases, such devices also lack regular firmware upgrades and strong authentication, come with security vulnerabilities and insecure configurations by default, and provide limited logging. They are blind spots by design — you cannot install an EDR agent on a FortiGate or a NetScaler, the vendor logging is thin, and forensic acquisition usually means coordinating with the manufacturer.

The economics on the offensive side are equally lopsided. Edge device exploits cost US$30,000 – US$100,000, which is one-third to one-tenth the cost of browser or mobile exploits while enabling broad network access, credential harvesting, and traffic interception. Meanwhile, it takes defenders an average of 30 days to patch, while attackers weaponize patches within hours. A mid-tier APT can buy or develop an edge-device exploit, get a month of useful runway against most enterprises, and pivot directly into the network without ever touching a workstation that has an EDR agent on it.

SHIFTING ECONOMICS: why attackers moved from inboxes to appliances

Exploit cost: $30K–$100K for an edge device 0-day, vs. roughly 3–10× that for a browser or mobile chain.
Patch window: ~30 days average defender remediation time, while attackers weaponize patches within hours.
EDR coverage: none. Appliances cannot run endpoint agents, and logging is vendor-defined and often thin.
Share of breaches: 3% → 22%, the edge exploitation share of vulnerability-driven breaches, per Verizon 2025 DBIR.

The consequence is that an investment that used to buy a single user account through phishing now buys network-level access to traffic, credentials, and lateral movement paths. That is a different product, sold at a discount.

The Threat Actors Who Made This Their Specialty

Most of the public reporting on edge-device intrusion in the last 24 months traces back to a small set of named clusters. Their tradecraft differs, but the access pattern — exploit a perimeter appliance, harvest credentials and traffic, pivot inward — is shared.

Salt Typhoon, the China-linked group also tracked as Earth Estries, GhostEmperor, Operator Panda, RedMike, UNC2286, and UNC5807, runs the largest documented edge-device campaign, breaching over 600 organizations across 80 countries since 2019. The group focuses heavily on telecommunications providers, including the multiple U.S. carriers whose compromise surfaced in October 2024. Its initial access shopping list reads like a pile of vendor advisories: Salt Typhoon has been observed obtaining initial access through the exploitation of exposed network edge devices from Cisco (CVE-2018-0171, CVE-2023-20198, and CVE-2023-20273), Ivanti (CVE-2023-46805 and CVE-2024-21887), and Palo Alto Networks (CVE-2024-3400). Once inside, the group lives on the device: it has been observed enabling the sshd_operns service on Cisco IOS XR devices to create a local user and grant it sudo privileges, obtaining root on the host OS after logging in via TCP/57722. The U.S. Treasury sanctioned Sichuan Juxinhe Network Technology Co. Ltd. in January 2025 for its role in supporting the campaign.

Volt Typhoon is the other half of the China-aligned coin and pursues a different mission: prepositioning for infrastructure disruption rather than traditional espionage. The group targets US critical infrastructure, compromising SOHO routers for use as proxy infrastructure and relying on living-off-the-land (LOTL) techniques exclusively. The U.S. Intelligence Community has assessed that this targeting carries limited espionage value and is instead positioning for disruptive operations during a future conflict, specifically a Taiwan contingency.

UNC5221, also China-linked, has specialized in rapid weaponization of Ivanti vulnerabilities, particularly the chain involving CVE-2023-46805 and CVE-2024-21887 in Ivanti Connect Secure. Their value to the broader ecosystem is speed — they tend to be in the wild before public disclosure cycles fully complete.

Sandworm (APT44, Seashell Blizzard) represents the Russian GRU side of the same playbook. Amazon’s December 2025 disclosure attributed a years-long campaign to a Sandworm subcluster, describing it as “a years-long Russian state-sponsored campaign that represents a significant evolution in critical infrastructure targeting: a tactical pivot where what appear to be misconfigured customer network edge devices became the primary initial access vector, while vulnerability exploitation activity declined.” The campaign shifted from CVE exploitation to hunting misconfigured devices with exposed management interfaces, a quieter, cheaper variant of the same access strategy. Per Amazon, the campaign flow begins with the compromise of a customer network edge device hosted on AWS; the attackers then leverage the native packet capture capability of the device to harvest credentials from intercepted traffic, and these credentials are subsequently replayed against the victim organizations’ online services and infrastructure.

The pattern across these groups is what Trend Micro calls a coordinated ecosystem. Multiple threat actors (e.g., UNC5221, Earth Estries aka Salt Typhoon, Volt Typhoon) share tooling, divide targets, and probably benefit from state-directed vulnerability pipelines. Specialization — one cluster delivers exploits, another collects intelligence, a third pre-positions for disruption — looks like operational division of labor rather than independent campaigns that happen to share infrastructure.

The Devices and CVEs That Keep Appearing

The vendor mix in advisories has been consistent across 2024 and 2025: Cisco IOS XR and IOS XE on backbone and edge routers, Ivanti Connect Secure VPN, Palo Alto Networks PAN-OS GlobalProtect, Fortinet FortiGate, Sophos firewalls, Citrix NetScaler, SonicWall, and a long tail of SOHO routers from ASUS, NETGEAR, D-Link, TP-Link, and Zyxel.

The CVEs below are the ones that defenders should expect to see referenced repeatedly in incident reports. They are not exhaustive, and the joint advisories are explicit on that point — these vulnerabilities are not “exhaustive” and the threat actors may also go after other devices such as Fortinet firewalls, Juniper firewalls, Microsoft Exchange, Nokia routers and switches, Sierra Wireless devices, and Sonicwall firewalls, among others for initial access.

CVE REFERENCE: edge-device CVEs in active state-sponsored use
Vulnerabilities cited in 2024–2025 joint advisories and incident reporting. Not exhaustive; treat as a starting point for KEV cross-reference.

CVE · Product and vulnerability · Attributed actor(s)
CVE-2023-20198 · Cisco IOS XE Web UI, privilege escalation · Salt Typhoon
CVE-2023-20273 · Cisco IOS XE, command injection (chained) · Salt Typhoon
CVE-2018-0171 · Cisco Smart Install, RCE on legacy switches · Salt Typhoon
CVE-2023-46805 · Ivanti Connect Secure, auth bypass · UNC5221, Salt Typhoon
CVE-2024-21887 · Ivanti Connect Secure, command injection (chained) · UNC5221, Salt Typhoon
CVE-2024-3400 · Palo Alto PAN-OS GlobalProtect, RCE · Salt Typhoon
CVE-2025-5777 · Citrix NetScaler Gateway, memory disclosure · Salt Typhoon (Darktrace, 2025)
CVE-2022-26318 · WatchGuard Firebox, pre-auth RCE · Sandworm subcluster
CVE-2023-27532 · Veeam Backup & Replication, credential disclosure · Sandworm subcluster

The pattern in this list matters more than any single CVE. Cisco IOS XE and Ivanti Connect Secure show up because they sit at the network’s mouth and historically logged poorly. Citrix NetScaler shows up because the appliance is internet-exposed by design. Veeam shows up because backup credentials let an attacker move laterally to identity infrastructure. None of these are obscure products. They are the standard equipment of most large enterprises.

What Attackers Actually Do Once They Are On the Device

Initial access is not the goal. It is the on-ramp. The post-exploitation tradecraft on edge devices is meaningfully different from what defenders are used to seeing on workstations.

The first move is usually credential harvesting through traffic interception. An edge device is a privileged man-in-the-middle by definition — it sees authentication requests, RADIUS traffic, sometimes plaintext SNMP, and occasionally cleartext fragments of LDAP or Kerberos. Sandworm’s recent campaign weaponized this directly. Beyond direct victim infrastructure compromise, we observed systematic credential replay attacks against victim organizations’ online services. In observed instances, the actor compromised customer network edge devices hosted on AWS, then subsequently attempted authentication using credentials associated with the victim organization’s domain against their online services.

The second is establishing persistent access through implants that survive reboots and, in some cases, firmware updates. Researchers have documented UEFI implants and firmware backdoors in this category — these are not hobbyist tools. The Salt Typhoon-attributed GhostSpider and SNAPPYBEE (also tracked as Deed RAT) are among the families repeatedly observed on compromised devices.

The third is living-off-the-land (LOTL) — using built-in administrative tools and capabilities rather than custom malware. On a router, this might mean enabling a packet-capture utility that ships with the OS, exporting the capture via the device’s own SCP client, and calling no external binaries. There is nothing for a signature-based detection to match. CISA’s Volt Typhoon advisories make this explicit: the group uses LOTL exclusively, which is part of why it took years to surface.

Mapped against MITRE ATT&CK, the relevant techniques are T1190 (Exploit Public-Facing Application) for initial access, T1133 (External Remote Services) for the persistence channel, T1556 (Modify Authentication Process) and T1040 (Network Sniffing) for credential collection, and T1090 (Proxy) for using the compromised device as relay infrastructure for further operations.

The Regulatory Response: BOD 26-02 and the Five Eyes Guidance

Government response in 2025 and early 2026 has finally caught up to the threat — at least on paper. Two pieces matter.

In February 2025, the Five Eyes — Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC), United States’ Cybersecurity and Infrastructure Security Agency (CISA), United States National Security Agency (NSA), Canadian Centre for Cyber Security (CCCS), National Cyber Security Centre UK (NCSC-UK), National Cyber Security Centre New Zealand (NCSC-NZ), joined by Japan, the Czech Republic, the Netherlands, and South Korea — published joint guidance covering both executive and practitioner audiences on edge device security. The practitioner document, Mitigation strategies for edge devices, focuses on inventory, exposure reduction, centralized logging, and forensic readiness. The vendor-facing companion, Security Considerations for Edge Devices, pushes manufacturers toward secure-by-default configurations and improved forensic visibility.

Then in February 2026, CISA went further. CISA issued Binding Operational Directive 26-02 on February 5, 2026, requiring Federal Civilian Executive Branch (FCEB) agencies to eliminate unsupported edge devices from their networks. These end-of-support (EOS) devices no longer receive vendor security updates and are actively exploited by nation-state threat actors as entry points into federal networks. The directive applies only to civilian federal agencies, but the precedent and implicit expectation reach much further.

The timeline is aggressive on paper. By May 5, 2026, inventory and report all EOS devices to CISA using the agency’s template. Within one year, remove all EOS edge devices and replace them with vendor-supported technology that receives security updates. Within two years, establish a lifecycle management process to continuously monitor and maintain edge device inventories. Whether agencies will actually meet those dates is contested. Practitioners interviewed about the directive expect partial compliance and a stack of waiver requests, particularly from agencies handling classified systems whose hardware refresh cycles run longer than the directive allows.

The political signal matters even if the compliance picture is messy. CISA is treating unsupported edge equipment as a structural national security risk, not an asset-management nuisance. The agency’s accompanying joint fact sheet with the FBI and the U.K.’s NCSC strongly encourages private-sector organizations to follow the same guidance. Insurers and regulators in adjacent sectors will follow.

What Defenders Should Actually Do

The defensive playbook is unromantic, and most of it is already in published guidance. The reason organizations are still being breached through these devices is not that the recommendations are unknown. It is that the recommendations require coordinated work across teams that do not normally talk to each other — networking, security, IT operations, and procurement — and that work has not happened.

DEFENSIVE PRIORITIES: where to spend the next 90 days

1 · Inventory: find every internet-facing device, including the ones nobody owns. Cross-reference against the CISA KEV catalog and vendor EOS dates. The devices that hurt most in incident response are the ones that were never on a CMDB to begin with — branch offices, acquisitions, and SOHO equipment in remote sites.

2 · Reduce exposure: pull management interfaces off the public internet. CISA BOD 23-02, issued in 2023, already required this for federal agencies. Verify that every admin and management plane sits behind a VPN, jump host, or out-of-band network — not on a public IP.

3 · Patch faster: establish a 48-hour emergency window for critical edge CVEs. The 30-day average is the gap that attackers monetize. For devices where downtime is a hard constraint, deploy network-based virtual patching through IPS as a holdover until a maintenance window is available.

4 · Watch the wire: network detection and response, not just EDR. Edge devices cannot host an EDR agent, so the visibility has to come from the traffic they pass. Centralize syslog, monitor for unexpected outbound connections from appliances, and watch for new admin accounts, certificate changes, and packet-capture artifacts on the device itself.

5 · Decommission EOS hardware: a device with no patches is a permanent liability. Apply BOD 26-02’s logic regardless of whether you are subject to it. Devices outside vendor support get replaced or air-gapped; they do not stay at the perimeter.
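As an added example (not code from the article or any vendor), the following Python applies rules for the device-side behaviours described above to constructed syslog lines: a local account created with elevated privilege, a management service being enabled, on-device packet capture, certificate replacement, and outbound connections from the appliance to destinations outside an egress allowlist. The log format, hostnames, addresses, rule wording and allowlist are all assumptions.

```python
import re
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed sample lines in a generic "<timestamp> <host> <facility>: <message>" shape.
# Real appliance syslog formats differ by vendor and release; the rules below would need
# adapting to the exact wording a given platform emits.
SAMPLE_LOGS = [
    "2025-11-03T02:14:09Z fw-edge-01 config: user 'svc_netmon' created, privilege 15",
    "2025-11-03T02:14:31Z fw-edge-01 config: service sshd_operns enabled",
    "2025-11-03T02:15:02Z fw-edge-01 capture: monitor capture CAP1 start interface Gi0/0/0",
    "2025-11-03T02:20:45Z fw-edge-01 conn: outbound tcp 10.0.0.1 -> 203.0.113.77:443",
    "2025-11-03T02:21:10Z fw-edge-01 conn: outbound udp 10.0.0.1 -> 192.0.2.10:123",
    "2025-11-03T03:00:00Z fw-edge-01 pki: certificate 'vpn-gw' replaced, issuer CN=internal-ca",
    "2025-11-03T03:05:12Z fw-edge-01 conn: inbound tcp 198.51.100.5 -> 10.0.0.1:443",
]

# Destinations the appliance is expected to reach on its own (constructed allowlist:
# the NTP server and the internal management network). Anything else deserves a look.
EXPECTED_EGRESS = [ip_network("192.0.2.10/32"), ip_network("10.0.0.0/8")]

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<facility>\w+): (?P<msg>.*)$")
OUTBOUND_RE = re.compile(r"outbound \w+ \S+ -> (?P<dst>[\d.]+):(?P<port>\d+)")

# Message-pattern rules: (title, pattern, ATT&CK technique). Technique tags follow the
# article's mapping where it applies; account creation is tagged T1136 (Create Account).
RULES = [
    ("local account created with elevated privilege", re.compile(r"user '.+' created.*privilege 15"), "T1136"),
    ("management service enabled on device", re.compile(r"service \S+ enabled"), "T1133"),
    ("on-device packet capture started", re.compile(r"monitor capture .* start|tcpdump"), "T1040"),
    ("device certificate replaced", re.compile(r"certificate '.+' (replaced|imported)"), None),
]

@dataclass(frozen=True)
class Finding:
    host: str
    ts: str
    title: str
    technique: Optional[str]
    evidence: str

def analyze(lines, expected_egress=EXPECTED_EGRESS):
    """Return a Finding for every line that shows a behaviour worth alerting on."""
    findings = []
    for raw in lines:
        m = LINE_RE.match(raw)
        if not m:
            continue  # malformed line: skip it rather than stop the pipeline
        host, ts, msg = m["host"], m["ts"], m["msg"]
        for title, pattern, technique in RULES:
            if pattern.search(msg):
                findings.append(Finding(host, ts, title, technique, msg))
        out = OUTBOUND_RE.search(msg)
        if out and not any(ip_address(out["dst"]) in net for net in expected_egress):
            findings.append(Finding(host, ts, "unexpected outbound connection from appliance", None, msg))
    return findings

def techniques_seen(findings):
    """Distinct ATT&CK technique IDs across the findings, for mapping to the article's list."""
    return sorted({f.technique for f in findings if f.technique})

if __name__ == "__main__":
    for f in analyze(SAMPLE_LOGS):
        print(f"{f.ts} {f.host} [{f.technique or '-'}] {f.title}: {f.evidence}")
```

The expected NTP connection produces no finding while the connection to an unlisted address does, which is the distinction an allowlist-based egress check is meant to make for an appliance that cannot run an agent.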

Two underrated points round out the list. First, assume credential compromise for any device confirmed or suspected to have been touched. Rotate everything that crossed the wire — service accounts, API keys, federation secrets, certificates — and audit recent authentication against external services for replay patterns. The Sandworm subcluster’s playbook makes this non-optional.

Second, stop treating edge devices as “the network team’s problem.” Most of the gap is organizational. The networking team owns the devices, the security team owns the threat intelligence, and patching requires both plus a maintenance window from operations. Organizations that close that triangle early — by giving the security team co-ownership of edge device telemetry and patch cadence — are the ones that contain incidents in days rather than months.

Frequently Asked Questions

Are SMBs really at risk from state-sponsored actors, or is this an enterprise problem?

Both. Volt Typhoon’s documented use of compromised SOHO routers as proxy infrastructure means small organizations and home offices are not the targets of the campaign but become part of the attack chain. The joint advisories on this point are explicit: Devices owned by entities that do not align with the actors’ core targets of interest still present opportunities for use in attack pathways into targets of interest.

If we patch within the vendor advisory window, are we safe?

Patching is necessary and not sufficient. Several of the campaigns documented above involved devices that had been compromised before a patch was issued, and the implants survived patching because the patch did not remove attacker-installed accounts, modified configurations, or persistence mechanisms. After any confirmed exploitation of a vulnerable device, the device needs to be reimaged or replaced — patch alone does not evict an attacker who already has root.

How does this change with AI-assisted vulnerability discovery?

It accelerates. Financially motivated actors are adopting these techniques, too, with new vendors being targeted and threat actors increasingly using AI tools to discover vulnerabilities at scale and to automate exploit development. The expectation among most threat-intel shops is that the gap between disclosure and weaponization continues to shrink, which makes the 30-day defender patch average untenable.

What is the single highest-value action for an organization that hasn’t started?

Get an externally validated inventory of every internet-facing device with a management plane, cross-reference against the CISA KEV catalog and vendor end-of-support dates, and prioritize the intersection. Most organizations discover devices in this exercise that nobody had on a list. Those are the ones being exploited.
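The inventory and cross-reference step described in this answer and in the defensive priorities above, as an added Python example that is not from the article or any agency tooling: it reads a constructed inventory export, joins each device to the CVEs the article cites by vendor and product, flags devices past their end-of-support date, and ranks the result. The device names, dates, exposure flags and the product-only KEV match are assumptions; real triage also needs the affected-version ranges from the vendor advisories.

```python
import csv
import io
from datetime import date

# Constructed inventory export. Fields: device, vendor, product, mgmt_exposed, eos_date.
# Every device name, exposure flag and date here is made up for the example.
INVENTORY_CSV = """device,vendor,product,mgmt_exposed,eos_date
vpn-hq-01,Ivanti,Connect Secure,yes,2027-06-30
rtr-branch-07,Cisco,IOS XE,yes,2024-01-31
fw-dc-02,Palo Alto Networks,PAN-OS,no,2028-12-31
ns-gw-01,Citrix,NetScaler Gateway,yes,
soho-remote-3,Zyxel,consumer router,yes,2022-05-01
"""

# Subset of KEV-listed CVEs from the article's table, keyed by (vendor, product).
# Matching on product alone over-approximates; real triage needs affected-version ranges.
KEV_BY_PRODUCT = {
    ("Cisco", "IOS XE"): ["CVE-2023-20198", "CVE-2023-20273"],
    ("Ivanti", "Connect Secure"): ["CVE-2023-46805", "CVE-2024-21887"],
    ("Palo Alto Networks", "PAN-OS"): ["CVE-2024-3400"],
    ("Citrix", "NetScaler Gateway"): ["CVE-2025-5777"],
}

def parse_inventory(text):
    """Parse the CSV export; an empty eos_date means the vendor has published no date."""
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        r["mgmt_exposed"] = r["mgmt_exposed"].strip().lower() == "yes"
        eos = r["eos_date"].strip()
        r["eos_date"] = date.fromisoformat(eos) if eos else None
        rows.append(r)
    return rows

def prioritize(rows, today):
    """Score each device on KEV exposure, end-of-support status and internet-facing management."""
    scored = []
    for r in rows:
        kev = KEV_BY_PRODUCT.get((r["vendor"], r["product"]), [])
        past_eos = r["eos_date"] is not None and r["eos_date"] <= today
        exposed = r["mgmt_exposed"]
        # Weights are a constructed starting point; the intersection of all three ranks first.
        score = 4 * bool(kev) + 3 * past_eos + 2 * exposed
        reasons = [name for name, hit in (("KEV", kev), ("EOS", past_eos), ("exposed-mgmt", exposed)) if hit]
        scored.append({"device": r["device"], "score": score, "reasons": reasons, "cves": kev})
    return sorted(scored, key=lambda s: (-s["score"], s["device"]))

def rank_inventory(text, today_iso):
    """Convenience wrapper: CSV text plus an ISO date in, ranked device list out."""
    return prioritize(parse_inventory(text), date.fromisoformat(today_iso))

if __name__ == "__main__":
    for entry in rank_inventory(INVENTORY_CSV, "2026-03-01"):
        print(entry["score"], entry["device"], entry["reasons"], entry["cves"])
```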

The Stance

The shift to edge-device initial access is neither novel nor finished. State-aligned actors found a class of asset that the security industry had collectively under-resourced, and they have spent four years building tradecraft around it. The CVEs will keep coming, the vendor advisories will keep arriving on Tuesdays, and the next group of compromised telecoms or utilities will surface in a joint advisory sometime in the next six months.

The defenders who handle this well treat edge devices as crown-jewel-adjacent infrastructure rather than networking plumbing. That means an inventory that is actually current, a patching cadence measured in hours for KEV entries, telemetry from the device’s own logs into a SIEM that someone reads, and a willingness to decommission equipment that the vendor has stopped supporting. None of this is novel. The reason it remains the central problem is that doing it requires sustained investment in unglamorous work, and the alternative — hoping no one notices the Ivanti Connect Secure appliance running 18-month-old firmware in a regional office — is no longer a defensible position.
