IOS XE web UI privilege escalation — mass exploitation
Attackers created privilege-15 accounts on tens of thousands of routers and switches via the exposed web UI, then dropped implants. One of the largest network-device compromises on record.
ArcaneDoor — espionage campaign against perimeter firewalls
State-sponsored actors chained CVE-2024-20353 and CVE-2024-20359 to implant "Line Runner" and "Line Dancer" on ASA devices, targeting government networks worldwide.
GlobalProtect command injection, exploited in the wild
Unauthenticated root-level command injection in PAN-OS GlobalProtect gateways (Operation MidnightEclipse), exploited before a patch existed.
FortiOS SSL-VPN out-of-bounds write
Remote code execution in FortiGate SSL-VPN, added to CISA's KEV catalog within days. SSL-VPN endpoints remain among the most attacked surfaces in enterprise networks.
Junos J-Web PHP environment manipulation
Unauthenticated remote code execution on EX switches and SRX firewalls via the J-Web interface, chained in active exploitation shortly after disclosure.
Volt Typhoon — living off the land on network gear
PRC state actor pre-positioning in critical infrastructure, moving through SOHO routers and enterprise network devices using built-in tools and valid credentials — almost no malware to detect.
Salt Typhoon — telecom intrusions via core network devices
Long-dwell intrusions at major telecom providers through carrier routing infrastructure, prompting joint guidance on hardening communications networks.
Default and weak SNMP community strings
Two decades old and still everywhere: public/private community strings and SNMPv2c on management interfaces hand attackers topology, ARP tables and sometimes write access.