
10 Critical Security Gateway Exploitations

Security gateways are designed to be trusted. They sit in front of authentication, terminate VPNs, and decrypt traffic before it enters the network. When they are compromised, attackers don’t just get a foothold; they control the perimeter.

This list examines ten critical gateway exploitations. It looks at how attackers gained access, how that access was reused, and why patching alone often failed.

Looking at these incidents together, the same access paths appeared again and again. Almost every gateway compromise in this list fits one of four failure patterns.

Pre-Auth Gateway Takeover
Exposed Management Interface
Session & State Reuse
Credential & Config Reuse

Fortinet FortiOS. SSL-VPN Pre-Auth RCE (Multiple CVEs)

Ongoing (active through 2025)
Over multiple years, Fortinet SSL-VPN repeatedly appeared as an initial-access point in real intrusions, with pre-authentication and authentication-bypass flaws resurfacing across FortiOS versions and exploitation waves rather than as isolated events.

In 2025, attackers exploited authentication bypass and pre-auth weaknesses in FortiOS, including CVE-2025-59718, using crafted SAML traffic to bypass authentication and take control of the gateway itself. Separate incidents in early 2025 described FortiGate SSL-VPN zero-day exploitation that resulted in full device compromise.

  • Vector: SSL-VPN web portal (TCP/443)
  • Outcome: Remote code execution on the firewall, credential harvesting, VPN session abuse, internal pivoting
  • Operational Impact: Showed that Internet-facing SSL-VPN services remain a consistent initial-access path and that gateway compromise often leads to access persisting beyond the initial exploit window.
  • Response: Organisations patched, disabled SSL-VPN where not required, enforced MFA, implemented geo-blocking, and monitored VPN authentication activity.

In some Fortinet cases, attacker access remained after patching. Credentials and active VPN sessions obtained during exploitation were reused for legitimate-looking access, allowing attackers to return through normal authentication paths even after vulnerable firmware was patched.

Ivanti Connect Secure / Policy Secure. Authentication Bypass & Command Injection Chain

Ongoing (active through 2025)
Attackers compromised Internet-facing Ivanti Connect Secure and Policy Secure gateways by chaining an authentication bypass (CVE-2023-46805) with a command injection flaw (CVE-2024-21887). The initial bypass removed any reliance on valid credentials, while the follow-on command injection issue allowed attackers to execute commands directly on the appliance.

  • Vector: Ivanti Connect Secure / Policy Secure web portal exposed to the Internet
  • Outcome: Remote command execution, credential access, VPN session abuse, internal network pivoting
  • Operational Impact: Revealed that patching alone was insufficient to remove attacker access when exploit chains exposed credentials or modified gateway state.
  • Response: Organisations patched to fixed releases immediately, restricted external exposure, rotated all credentials and keys, performed post-incident access audits, and in some cases replaced appliances entirely.

What set Ivanti apart was the reliability of the exploit chain. In multiple incidents, access persisted beyond patching due to delayed upgrades, Internet-reachable portals, and credentials harvested during earlier compromise.

This pattern continued into 2025, with a critical vulnerability (CVE-2025-22457) affecting Ivanti Connect Secure, Policy Secure, and Neurons for ZTA gateways showing that gateway-level exposure in the Ivanti stack persisted beyond the initial compromises.

Cisco IOS XE. Web UI Remote Command Execution

Observed 2023–2024
Attackers repeatedly gained initial access to Internet-exposed Cisco IOS XE devices through the Web UI management interface. CVE-2023-20198 exposed an unauthenticated vulnerability in the IOS XE Web UI that allowed remote attackers to create privileged local accounts on Internet-facing devices. This flaw was frequently chained with CVE-2023-20273, which enabled command execution through a privileged Web UI component.

In some cases, attackers used the access gained via the Web UI to deploy Lua-based webshells and shell-escape tooling, with implants such as BADCANDY enabling full device takeover and persistence.

  • Vector: HTTPS/HTTP management interface exposed to the Internet
  • Outcome: Privileged exec, ACL manipulation, config and credential exfiltration
  • Operational Impact: Changed assumptions about network device trust. Showed that patching and configuration changes alone may not remove attacker access from compromised devices.
  • Response: Many organisations shut down HTTP(S) management interfaces, restricted management to out-of-band or trusted IPs only, and rewrote hardening baselines to default the web UI to off.

The malicious account survived reboots, configuration changes didn't remove access, and disabling the web UI didn't remove the backdoor. Logs often didn't clearly show how the initial access was granted. This allowed access to persist at the network perimeter.

Palo Alto PAN-OS. GlobalProtect Authentication Bypass

Observed 2024
Attackers gained unauthenticated access to Internet-facing Palo Alto PAN-OS firewalls by abusing the GlobalProtect remote-access service, executing commands directly on the firewall and gaining control of routing, VPN configuration, and security policy.

Attacker access was enabled by an authentication bypass in GlobalProtect (CVE-2024-3400), which allowed compromise of the firewall OS without valid credentials.

  • Vector: GlobalProtect portal or gateway exposed to the internet.
  • Outcome: Command execution on the firewall, policy manipulation, credential access, internal network exposure.
  • Operational Impact: Demonstrated that even premium security vendors face zero-day exposure and reinforced the need to treat remote-access services as high-risk entry points.
  • Response: Organisations performed emergency upgrades, restricted GlobalProtect exposure, hardened management planes, and enforced stricter access controls.

The exploitation occurred entirely through the GlobalProtect service itself. Attackers did not need access to the traditional management interface, which enabled reuse of access across multiple intrusions, with the firewall operating as an entry platform rather than a barrier.

F5 BIG-IP. TMUI Authentication Bypass & RCE

Ongoing (active through 2025)
Attackers repeatedly exploited Internet-facing F5 BIG-IP appliances by abusing the Traffic Management User Interface (TMUI), executing commands and gaining control over application traffic at the perimeter.

Notable examples included the authentication bypass CVE-2022-1388 and the command injection flaw CVE-2023-46747, both of which enabled direct interaction with the BIG-IP control surface without valid credentials.

  • Vector: BIG-IP TMUI / management interface exposed to the Internet
  • Outcome: Remote code execution, traffic manipulation, credential access, application-layer pivoting.
  • Operational Impact: CVE-2022-1388 triggered mass exploitation attempts globally. The 2025 F5 breach highlighted supply-chain risk to infrastructure vendors.
  • Response: Organisations patched immediately, disabled or restricted TMUI exposure to management networks, enforced management-plane isolation, and audited device configurations.

BIG-IP exploitation was particularly risky due to its reach. Authentication bypass removed any dependency on credentials, allowing reliable compromise during active exploitation periods. Delayed patching and exposed management interfaces meant attackers could repeatedly target unpatched systems, with successful access impacting not just the device but every application routed through it.

The 2025 nation-state breach of F5’s internal systems introduced another risk for BIG-IP environments. Access to source code and internal vulnerability information shortened the time between weakness identification and active exploitation, leaving defenders with less time to patch or detect.

Citrix NetScaler ADC/Gateway. Session Hijacking & Code Injection

Ongoing (active through 2025)
Attackers exploited vulnerabilities in Internet-facing NetScaler ADC and Gateway appliances to hijack active authentication sessions. Successful exploitation provided attackers with immediate access to live, authenticated sessions and control of the gateway handling that traffic.

  • Vector: External NetScaler Gateway (VPN/ICA proxy)
  • Outcome: Session hijacking, credential theft, remote code execution, traffic interception
  • Operational Impact: CitrixBleed showed that hijacked authentication can bypass MFA and persist after vulnerability patching.
  • Response: Organisations patched, invalidated all active sessions, rotated credentials and keys, validated firmware integrity, and enhanced session behavior monitoring.

NetScaler compromises stood out because attackers did not need to defeat authentication. Hijacked live sessions allowed reuse of already-authenticated sessions, bypassing MFA and login controls entirely. From there, code injection enabled persistence directly on the appliance.

CitrixBleed (CVE-2023-4966) was an example of this failure mode, with CitrixBleed 2 in 2025 showing that session handling weaknesses in Citrix NetScaler persisted beyond the initial disclosure.

SonicWall SMA. Pre-Auth Stack Buffer Overflow

Observed 2021–2022
Attackers repeatedly compromised Internet-facing SonicWall SMA appliances through pre-authentication flaws, bypassing user authentication as well as endpoint and email controls to gain direct execution on the gateway itself.

A pre-auth remote code execution vulnerability in SMA (CVE-2021-20038) allowed attackers to execute code on the appliance before any login or MFA controls were applied.

  • Vector: SonicWall SMA web access / SSL-VPN portal exposed to the Internet (TCP/443)
  • Outcome: Remote code execution, credential theft, VPN session abuse, internal network access.
  • Operational Impact: Compromised critical remote-work infrastructure and demonstrated business continuity risk when a single VPN gateway fails.
  • Response: Applied vendor patches, enabled client certificate authentication, restricted portal exposure and, in some ransomware cases, rebuilt or replaced appliances.

SMA compromise frequently caused immediate business disruption. Organisations were forced to take VPN access offline, rebuild or replace appliances, and reset credentials across the environment. In ransomware cases, SMA exploitation was often the initial access, with the real damage coming from losing secure remote access while the incident was being contained.

Check Point Security Gateways. Pre-Auth File Disclosure

Observed 2024
Attackers exploited a pre-authentication file disclosure flaw (CVE-2024-24919) in Internet-facing Check Point security gateways to retrieve sensitive files from the device. Exposed configuration and credential material allowed attackers to return using legitimate access paths rather than re-exploiting the flaw.

  • Vector: Remote access / VPN services exposed to the Internet
  • Outcome: Credential disclosure, gateway access, internal network visibility
  • Operational Impact: Demonstrated that file disclosure alone can enable full compromise when credentials are exposed.
  • Response: Organisations patched immediately, rotated all exposed credentials, restricted management and VPN access, and audited gateway configurations

Compromise did not rely on weak passwords or MFA failures. Once credentials and configuration data were exposed, attackers could authenticate normally. In practice, environments that applied patches without rotating secrets or auditing access often remained exposed long after the initial vulnerability was addressed.

Cisco ASA / FTD. WebVPN Session Hijacking

Observed 2020–2024
Internet-facing Cisco ASA and Firepower Threat Defense gateways were repeatedly compromised by exploiting information disclosure flaws in WebVPN and AnyConnect services.

Vulnerabilities such as CVE-2020-3259 enabled session hijacking rather than direct code execution, allowing attackers to bypass MFA and reuse already-authenticated access.

  • Vector: Web VPN / AnyConnect services exposed to the Internet
  • Outcome: Session token theft, credential disclosure, firewall compromise, internal pivoting
  • Operational Impact: Showed that long-lived perimeter devices remain attractive targets over many years, and that patched environments remain vulnerable if sessions aren't invalidated.
  • Response: Patched across multiple versions, restricted management-plane exposure, rotated credentials after each disclosure, and audited VPN access.

What kept ASA and FTD attractive to attackers was longevity. These gateways were often deployed for years, migrated slowly, and left Internet-reachable across upgrades. Even after individual vulnerabilities were fixed, exposed services and reused credentials meant attackers could return using normal access paths, making ASA and FTD a repeat entry point rather than a one-time failure.

Zyxel Firewalls. Pre-Auth Command Injection

Observed 2022–2023
Attackers exploited a pre-authentication command injection flaw (CVE-2022-30525) in Internet-facing Zyxel firewall management components to execute system commands without valid credentials. Successful exploitation provided immediate control of the gateway.

  • Vector: Web management interface
  • Outcome: RCE, botnet agents and backdoors deployed on the OS
  • Operational Impact: Highlighted how widespread exposure of management interfaces in SMB environments can lead to large-scale compromise.
  • Response: Organisations patched where possible, disabled WAN management entirely, replaced EOL hardware, and monitored outbound connections from the firewall itself.

Zyxel compromises stood out for their scale. Management interfaces were frequently left exposed across large SMB environments, and pre-auth command injection required no credentials and produced minimal logging on the device. Delayed patching, end-of-life hardware, and limited monitoring meant many compromised devices remained active and were reused for botnet activity and further attacks long after fixes were available.

Why Gateway Access Persisted After Patching

In 8 of the 10 cases above, the same pattern appeared: attackers used the technical vulnerability for initial access, then harvested credentials that remained valid after patching. Patching the gateway didn't end the breach; it closed the vulnerability, not the access that followed from it.

Phase 1: Initial Exploitation

Hours to Days

  • Pre-auth RCE or bypass
  • Direct gateway control

Phase 2: Credential Harvesting

Days 1-7

  • Active VPN session tokens
  • Stored authentication credentials
  • SSL/TLS private keys
  • LDAP/AD service account credentials

Phase 3: Legitimate Access

Days 7-90+

  • Vulnerability patched
  • Gateway declared "remediated"
  • Attackers return using harvested credentials
  • Access looks completely legitimate
  • MFA bypassed via stolen session tokens or cookie replay

Phase 4: Detection Failure

Months later

  • Incident response triggered by lateral movement or ransomware
  • Forensics trace back to "legitimate VPN access"
  • Original gateway compromise missed or dismissed

Four Common Gateway Failure Patterns

Across the cases above, most perimeter compromises followed one of a small number of repeatable access paths.

Pre-Auth VPN Gateway Takeover

“Log in without logging in.”

Remote-access portals are Internet-facing by design. When pre-auth or auth-bypass flaws land here, attackers get gateway control without credentials or endpoint interaction.

Typical access: SSL-VPN / portal / SSO flows
What attackers gain: execution on the gateway, VPN session abuse, internal access

In this list:
Fortinet FortiOS
Ivanti ICS/Policy
Palo Alto GlobalProtect
SonicWall SMA

Exposed Management Interface

“If the admin UI is exposed, the device is exposed.”

Web management interfaces deliver high-privilege control by design. When exposed to the Internet, bypass and injection bugs translate into direct control of the perimeter device.

Typical access: Web UI / TMUI / admin endpoints
What attackers gain: policy changes, traffic steering, persistent admin control

In this list:
Cisco IOS XE Web UI
F5 BIG-IP TMUI
Zyxel Firewalls

Session & State Reuse

“Reuse what’s already trusted.”

Instead of breaking authentication, attackers steal or reuse live sessions. The gateway keeps doing “normal” auth; it’s just authenticating the attacker.

Typical access: session tokens / memory leaks / session reuse
What attackers gain: MFA bypass via valid sessions, app access without login prompts

In this list:
Citrix NetScaler
Cisco ASA / FTD

Credential & Config Reuse

“Patch the bug, forget the secrets.”

File disclosure doesn’t look like takeover until it leaks credentials and configuration. After that, attackers don’t need the exploit. They just log in normally.

Typical access: unauthenticated file reads / config leaks
What attackers gain: legitimate VPN/admin access, silent re-entry after patching

In this list:
Check Point Gateways

What Reduces Gateway Risk

These measures won’t prevent every gateway vulnerability, but they can reduce how long attackers are able to rely on compromised gateways after the initial exploit. Removing access quickly is often the difference between a contained incident and full network compromise.

1. Patch Without Delay

Organisations that waited for scheduled maintenance windows consistently saw exploitation. Those that patched immediately reduced exposure time while review and cleanup continued.

2. Monitor Gateway Activity

Patching removes the exploit, not the access. In many of the cases above, attackers returned using harvested credentials or active sessions days or weeks later. Without focused monitoring, that activity goes unnoticed.
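To make the four-phase timeline and this monitoring point concrete, here is an added example (not from the original article) that runs two checks over a constructed gateway log: sessions issued while the gateway was vulnerable but still in use after the patch, and accounts that authenticated during the exposure window and later log in from a source never seen before. The log format, field names, IP addresses and exposure window are all assumptions made for the example.

```python
from datetime import datetime

# Constructed sample gateway log (assumed format): ts kind user session src_ip mfa
# kind is AUTH_OK for a fresh login or RESUME for reuse of an existing session.
SAMPLE_LOG = """\
2024-04-10T08:00:00 AUTH_OK alice S100 203.0.113.5 mfa=yes
2024-04-11T09:15:00 AUTH_OK bob S101 198.51.100.7 mfa=yes
2024-04-16T07:30:00 RESUME alice S100 192.0.2.44 mfa=no
2024-04-20T22:05:00 AUTH_OK bob S205 192.0.2.99 mfa=no
2024-04-21T10:00:00 AUTH_OK carol S300 203.0.113.9 mfa=yes
2024-04-22T10:00:00 AUTH_OK alice S310 203.0.113.5 mfa=yes
"""
EXPOSED_FROM = datetime(2024, 4, 1)          # assumed: vulnerable build went live
PATCHED_AT = datetime(2024, 4, 15, 12, 0)    # assumed: fixed firmware applied

def parse_log(text):
    """Yield (ts, kind, user, session, src_ip, mfa) tuples from the log text."""
    for line in text.splitlines():
        if line.strip():
            ts, kind, user, session, src_ip, mfa = line.split()
            yield datetime.fromisoformat(ts), kind, user, session, src_ip, mfa == "mfa=yes"

def find_post_patch_reuse(events, exposed_from, patched_at):
    """Return (rule, user, detail) findings for gateway access that outlived the patch."""
    exposed_sessions = {}   # session -> user, for sessions issued while vulnerable
    known_ips = {}          # user -> source IPs seen before the patch
    findings = []
    for ts, kind, user, session, src_ip, mfa in sorted(events):
        if ts < patched_at:
            known_ips.setdefault(user, set()).add(src_ip)
            if ts >= exposed_from and kind == "AUTH_OK":
                exposed_sessions[session] = user
            continue
        # After the patch the bug is closed; check whether the access it produced is too.
        if session in exposed_sessions:
            findings.append(("session_issued_while_vulnerable_still_active", user,
                             f"{session} reused from {src_ip} on {ts:%Y-%m-%d}"))
        if (kind == "AUTH_OK" and user in set(exposed_sessions.values())
                and src_ip not in known_ips.get(user, set())):
            findings.append(("exposed_account_login_from_new_source", user,
                             f"{src_ip} on {ts:%Y-%m-%d}, mfa={'yes' if mfa else 'no'}"))
    return findings

def run():
    return find_post_patch_reuse(parse_log(SAMPLE_LOG), EXPOSED_FROM, PATCHED_AT)

if __name__ == "__main__":
    for rule, user, detail in run():
        print(f"{rule:45} {user:6} {detail}")
```

Each finding is a candidate for session invalidation and credential rotation, which is the remediation the incidents above repeatedly show was missing.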

3. Continuously Scan the Attack Surface for Exposure and Misconfiguration

Most gateway compromises started with something exposed that should not have been: a reachable management interface, a forgotten VPN portal, or a legacy service left open. Regular attack surface scanning helps identify these issues before attackers do. Scanners such as HackerTarget’s Nmap scanner can identify exposed ports, while Domain Profiler helps track DNS, hosting, and infrastructure changes over time.

Conclusion

Gateways fail like everything else. The difference is what happens after. Once attackers control the gateway, everything behind it treats them as legitimate. In the incidents above, the exploit itself was rarely the end of the story. Credential reuse, session hijacking, and configuration exposure turned short-lived vulnerabilities into long-term access paths.