Written by
nDataStor Security Team

Your Firewall Was the Spy

When your security device becomes the threat, everything you trusted was watching you. Here is what the recent wave of firewall exploits means for your business.
There is a particular kind of dread that comes with this realization: the device you bought to protect your network, the one sitting at the edge of your environment inspecting every packet that crosses your perimeter, was the device an attacker used to get inside.
Not through your firewall. Through your firewall.
Over the past several years, some of the most serious and widespread cyberattacks targeting businesses and government agencies did not exploit a careless employee or a misconfigured cloud bucket. They exploited the firewall itself. Ivanti, Fortinet, SonicWall, Palo Alto Networks, and Cisco have all issued emergency advisories for critical vulnerabilities in their network security products, vulnerabilities that were not theoretical but actively exploited in the wild before patches were available, and in some cases, exploited by nation-state actors who had been inside victim networks for months before anyone noticed.
This is not a reason to stop using firewalls. It is a reason to understand how they fail, what happens when they do, and what a security posture looks like that doesn't assume any single device is inherently trustworthy.
How a Firewall Becomes a Weapon Against You
A firewall is, at its core, a computer running software. It has an operating system, applications, memory, network interfaces, and in almost every enterprise-grade product, a web-based management interface accessible over the network. All of those components can contain vulnerabilities, exactly like any other software.
What makes firewall vulnerabilities particularly dangerous is the position these devices occupy in the network. A firewall sits at the boundary between your internal environment and the outside world. It has visibility into all traffic crossing that boundary. In many configurations, it has direct access to internal network segments, authentication systems, and management infrastructure. An attacker who compromises a firewall does not need to work their way through your network from the outside. They are already at the most privileged position possible, with credentials, traffic visibility, and access that most internal systems never achieve.
The attack pattern for firewall exploitation typically looks like this. A vulnerability is discovered in the firewall's management interface, its VPN endpoint, its SSL inspection engine, or another component exposed to external connections. The vulnerability allows an attacker to send a specially crafted request that causes the device to execute arbitrary code, bypass authentication, or expose configuration data including credentials. The attacker gains a foothold on the device itself, from which they can access internal networks, intercept traffic, steal credentials from VPN sessions, or establish persistent access that survives reboots and even firmware updates if not properly remediated.
The most sophisticated attacks do all of this silently, over months, while the firewall continues appearing to function normally from every dashboard the security team monitors.
The Incidents That Changed How Security Professionals Think About Firewalls
Several major incidents in recent years have made the vulnerability of security hardware impossible to ignore.
The Ivanti Connect Secure Exploits
Ivanti's Connect Secure VPN appliances became one of the most targeted products in the security industry after a series of critical vulnerabilities were disclosed beginning in early 2024. The vulnerabilities, including authentication bypasses and command injection flaws, allowed attackers to gain unauthenticated remote code execution on the devices, meaning they could take complete control without needing any valid credentials at all.
What made the Ivanti situation particularly alarming was the scale and sophistication of exploitation. Within days of disclosure, thousands of vulnerable devices were being actively targeted. The Cybersecurity and Infrastructure Security Agency (CISA) issued emergency directives requiring federal agencies to disconnect affected devices. And forensic investigation revealed that nation-state actors, including groups attributed to China, had been exploiting some of these vulnerabilities months before they were publicly known, running zero-day attacks against high-value targets while the rest of the industry had no idea the vulnerability existed.
Many organizations that believed their Ivanti devices were secure, because they had not received any alerts and the devices appeared to be functioning normally, discovered during incident response that attackers had been inside their networks for weeks or months, harvesting credentials, mapping internal systems, and maintaining persistent access through the appliance they trusted to keep threats out.
The Fortinet FortiOS Vulnerabilities
Fortinet's FortiGate firewalls and FortiOS operating system have been the subject of multiple critical vulnerability disclosures over recent years. One of the most significant was CVE-2022-40684, an authentication bypass vulnerability that allowed attackers to perform operations on the management interface without valid credentials. Exploitation was observed in the wild within days of disclosure, with attackers using the vulnerability to add malicious administrative accounts that persisted even after patching, because the patch addressed the entry point but not the accounts that had already been created through it.
Fortinet subsequently disclosed additional vulnerabilities including a heap buffer overflow in FortiOS SSL-VPN that was exploited as a zero-day, and a path traversal vulnerability that allowed unauthenticated attackers to read system files including configuration data containing credentials. The pattern across these incidents is consistent: attackers target the device specifically because of its privileged network position, and they act quickly once a vulnerability is known or discovered.
The SonicWall Campaign
SonicWall appliances, widely used by small and mid-sized businesses as an accessible enterprise-grade firewall option, were targeted in a coordinated campaign that exploited multiple vulnerabilities in the company's SMA (Secure Mobile Access) product line. The campaign was attributed to a sophisticated threat actor and specifically targeted managed service providers, using access to MSP infrastructure as a pivot point to reach downstream clients. Thousands of end-customer environments were potentially exposed through a single vulnerable appliance operated by their IT service provider.
This incident highlighted a risk that is particularly relevant for businesses relying on managed IT services: the security of your environment is not just a function of the controls you have in place directly. It is also a function of the security posture of every vendor, partner, and service provider with privileged access to your systems.
Palo Alto PAN-OS Zero-Days
Palo Alto Networks, a company whose products sit at the top tier of the enterprise firewall market and whose security research team is one of the most respected in the industry, disclosed critical zero-day vulnerabilities in its PAN-OS operating system in 2024. The vulnerabilities allowed unauthenticated remote code execution through the management interface, and Palo Alto confirmed they were being actively exploited before patches were available.
The significance of this disclosure extends beyond the specific vulnerability. Palo Alto is widely regarded as one of the most security-conscious vendors in the space. If their products can contain critical zero-days being actively exploited by sophisticated threat actors, the lesson is not that Palo Alto products are insecure. The lesson is that no security hardware should be trusted unconditionally, regardless of vendor reputation or product tier.
Why Patches Alone Are Not Enough
The instinctive response to firewall vulnerability disclosures is to patch immediately, and patching quickly is absolutely necessary. But treating patching as the complete solution misses critical aspects of what makes these incidents damaging.
The zero-day window is real and significant. Many of the most damaging firewall exploits were used by sophisticated attackers before the vulnerability was publicly known, sometimes for months. During that window, no patch exists. Organizations cannot patch against a vulnerability they don't know about. The only protection during a zero-day window is detection, the ability to identify unusual behavior on and around the device that suggests it has been compromised, even without knowing the specific mechanism of compromise.
Compromise may survive patching. When an attacker has successfully exploited a firewall vulnerability and established persistence, applying the firmware patch closes the door they used to get in but does not necessarily remove what they left behind. Persistent backdoors, rogue administrative accounts, modified configuration, and implanted malware on the device can survive a firmware update if remediation is not handled correctly. Proper incident response after a known exploitation event requires more than patching. It requires forensic investigation of the device, factory reset in many cases, and validation that the post-remediation environment is clean.
Credentials harvested before patching remain compromised. If an attacker had access to your firewall during a period when it was vulnerable, any credentials that traversed the device during that period, VPN credentials, authentication tokens, passwords in configuration files, must be treated as potentially compromised. Patching the firewall does not invalidate the credentials that were already harvested. Those credentials need to be rotated regardless.
Detection capability determines how long the attacker stays. Organizations that quickly discovered they had been compromised through a firewall vulnerability typically did so because they had monitoring in place that detected anomalous activity on the device or in network traffic. Organizations that discovered it late, or that only discovered it during a retrospective audit after a public disclosure, typically lacked that monitoring capability. The gap between when an attacker gains access and when they are detected is the period during which they accomplish their objectives. Shortening that gap is as important as preventing the initial compromise.
What Nation-State Actors Do With Firewall Access
Understanding what sophisticated attackers actually do when they successfully compromise a firewall helps clarify why these incidents are so severe and why detection matters so much.
Intelligence gathering through traffic inspection is one of the most valuable capabilities firewall access provides. A compromised firewall can be configured to capture and exfiltrate network traffic, giving the attacker visibility into communications that are supposed to be internal and confidential. Email, file transfers, database queries, authentication traffic, management communications between IT systems, all of this crosses the firewall and all of it becomes accessible to an attacker who controls the device.
Credential harvesting from VPN sessions is particularly damaging. VPN appliances see authentication requests constantly, users logging in with their username and password or their certificate. A compromised VPN appliance can log these credentials as they are used, building a growing list of valid usernames and passwords that the attacker can use to log in directly to other systems, without going through the compromised device at all.
Lateral movement staging uses the firewall's internal network access to reach systems that would otherwise be inaccessible from the outside. Once an attacker is on the firewall, they may have direct network connectivity to management interfaces, internal servers, Active Directory infrastructure, and cloud management consoles. The firewall that was supposed to prevent access to these systems becomes the platform from which they are accessed.
Persistence establishment ensures that the attacker retains access even if the initial vulnerability is patched. This may take the form of rogue administrative accounts created in the firewall's own management system, persistent malware implanted in the device's storage, modifications to the device's routing or forwarding configuration, or the use of harvested credentials to establish footholds in other systems that don't depend on continued access to the firewall at all.
Long-term intelligence collection is the objective of the most sophisticated campaigns. Rather than taking immediate destructive action, which would alert the victim and end the access, patient attackers use their firewall foothold to quietly observe, collect, and map for as long as they can maintain access undetected. The value of months of undetected access to an organization's network traffic and internal systems is substantial, particularly for intelligence purposes.
What This Means for Small and Mid-Sized Businesses
It is tempting to read about nation-state actors and zero-day exploits and conclude that these threats are relevant only to government agencies, defense contractors, and Fortune 500 companies. That conclusion is wrong, and it is dangerous.
Small and mid-sized businesses are targeted for firewall exploits for several reasons that have nothing to do with the sophistication of the attacker or the geopolitical value of the target. Automated scanning tools identify vulnerable firewall versions at scale, reaching thousands of devices within hours of a vulnerability disclosure. Attackers looking for ransomware targets or financial fraud opportunities don't discriminate based on company size. And MSPs and IT service providers serving small businesses are specifically targeted because a single compromised provider can provide access to dozens or hundreds of client environments.
The SonicWall campaign described earlier is a direct example of this. The attackers did not specifically choose each victim. They targeted a product used widely by small business IT providers, and the victims were the customers of those providers.
The practical implication is that small and mid-sized businesses need to take firewall security as seriously as enterprise organizations do, even if the specific threat actor profile differs. The vulnerability is the same. The exploitation is the same. The damage is the same.
What a Security-Aware Approach to Firewall Management Looks Like
Taking firewall security seriously does not mean abandoning firewalls. It means managing them with the same rigor you would apply to any other critical system in your environment, and building the monitoring capability to detect when they have been compromised.
Restrict management interface access aggressively. The management interface of your firewall should never be accessible from the public internet. Every major firewall vendor recommends this, and yet publicly exposed management interfaces are consistently among the most common findings in security assessments. If remote management is operationally necessary, it should be accessible only through a separate out-of-band management network or through a dedicated, tightly controlled administrative access path, not through the same interface exposed to internet traffic.
Maintain a disciplined patch and firmware update process. Firewall vendors release security updates regularly, and critical patches should be applied on an accelerated timeline, days rather than the standard monthly cycle many organizations use for other systems. Subscribe to vendor security advisories so you are notified immediately when critical vulnerabilities are disclosed. The window between disclosure and exploitation for high-severity firewall vulnerabilities is measured in days, not weeks.
Monitor firewall logs and behavior actively. Firewall logs are voluminous and monitoring them effectively requires either significant analyst capacity or automated tooling. But the logs contain exactly the signals that indicate compromise. Unusual administrative logins, new accounts created without authorization, unexpected configuration changes, outbound connections to unusual destinations, and traffic patterns that don't match normal baseline behavior are all detectable if someone is looking. Sending firewall logs to a SIEM and building detection rules around these patterns is a foundational element of meaningful firewall security.
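One way to turn the four signals just listed into detection rules, as an added example that is not nDataStor's tooling and uses no real vendor's log syntax: it parses a constructed key=value log format and raises an alert for an admin login from outside the management network, a newly created account, a configuration change by an unapproved user, and the appliance itself connecting out to an unknown destination. The management subnet, approved-admin list, firewall address and sanctioned update server are assumptions.

```python
"""Detection rules over firewall management-plane logs: an added example, not
nDataStor's code or any vendor's real log format. The key=value sample lines,
the management allowlist and the approved-admin list are constructed."""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed policy for an example site (assumptions; adjust per environment).
MGMT_NETWORK = ipaddress.ip_network("10.0.99.0/24")          # out-of-band management LAN
APPROVED_ADMINS = {"netadmin"}                                # accounts allowed to change config
FIREWALL_SELF_IP = ipaddress.ip_address("203.0.113.10")      # the appliance's own address
SANCTIONED_OUTBOUND = {ipaddress.ip_address("198.51.100.5")} # e.g. the vendor update server

# Constructed sample lines in a generic key=value syslog style (documentation IPs only).
SAMPLE_LOGS = """\
2024-05-01T02:13:07Z event=admin_login status=success user=netadmin src=10.0.99.12
2024-05-01T02:14:40Z event=admin_login status=success user=admin src=192.0.2.77
2024-05-01T02:15:02Z event=account_create actor=admin new_user=support_tmp role=super_admin
2024-05-01T02:15:30Z event=config_change user=support_tmp object=vpn.portal.login_script
2024-05-01T02:16:11Z event=connection direction=outbound src=203.0.113.10 dst=198.51.100.5 dport=443
2024-05-01T02:16:45Z event=connection direction=outbound src=203.0.113.10 dst=192.0.2.200 dport=443
2024-05-01T03:00:00Z event=config_change user=netadmin object=policy.rule.42
"""

@dataclass
class Alert:
    rule: str
    timestamp: str
    detail: str

def parse_line(line: str) -> dict:
    """Split 'ts k=v k=v ...' into a dict; the leading token is the timestamp."""
    timestamp, _, rest = line.partition(" ")
    fields = dict(re.findall(r"(\w+)=(\S+)", rest))
    fields["timestamp"] = timestamp
    return fields

def evaluate(ev: dict) -> Optional[Alert]:
    """Apply the four detections the post names to one parsed event."""
    ts, kind = ev["timestamp"], ev.get("event")
    if kind == "admin_login" and ev.get("status") == "success":
        src = ipaddress.ip_address(ev["src"])
        if src not in MGMT_NETWORK:
            return Alert("admin_login_outside_mgmt", ts, f"{ev['user']} from {src}")
    elif kind == "account_create":
        # Every new account is surfaced for review: rogue admin accounts are the
        # persistence mechanism the post describes for the FortiOS bypass.
        return Alert("admin_account_created", ts, f"{ev['new_user']} by {ev['actor']}")
    elif kind == "config_change" and ev.get("user") not in APPROVED_ADMINS:
        return Alert("config_change_unapproved_user", ts, f"{ev['user']} changed {ev['object']}")
    elif kind == "connection" and ev.get("direction") == "outbound":
        src, dst = ipaddress.ip_address(ev["src"]), ipaddress.ip_address(ev["dst"])
        # The appliance itself connecting out to an unknown host, not transit traffic.
        if src == FIREWALL_SELF_IP and dst not in SANCTIONED_OUTBOUND:
            return Alert("firewall_self_outbound_unknown", ts, f"to {dst}:{ev['dport']}")
    return None

def analyze(log_text: str) -> List[Alert]:
    """Return one Alert per suspicious line, in log order."""
    alerts = []
    for line in log_text.splitlines():
        if line.strip():
            alert = evaluate(parse_line(line))
            if alert:
                alerts.append(alert)
    return alerts
```

On the sample above the benign lines (the admin login from the management LAN, the connection to the sanctioned update server, and the change by the approved admin) produce nothing, while the other four lines each raise one alert.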
Treat your firewall as a system that can be compromised, not a trust boundary. Zero-trust architecture principles apply here. The fact that traffic has passed through your firewall does not mean that traffic is legitimate or that the system sending it is trustworthy. Internal systems should authenticate and authorize requests independently, not rely on network location as a proxy for trust. If your firewall is compromised, the damage is contained more effectively when internal systems don't automatically trust anything that came from the internal network.
Have an incident response plan specific to firewall compromise. Knowing in advance what you will do if your firewall is compromised, what systems you will isolate, what credentials you will rotate, how you will continue operations during remediation, and who you will call for forensic support, dramatically reduces the chaos and the damage when an incident occurs. Organizations that are figuring this out in the middle of an active incident always take longer and make more mistakes than organizations with a tested plan.
Inventory and audit all network security devices. Many organizations, particularly those that have grown organically or gone through acquisitions, have network security devices they don't fully account for. Legacy firewalls running old firmware on network segments that haven't been reviewed in years. VPN appliances deployed for a specific project and never decommissioned. Remote access hardware installed by a vendor for a support relationship that no longer exists. Every one of these devices represents an attack surface that needs to be included in vulnerability management and monitoring programs.
The Broader Lesson: Security Devices Are Not Immune
The firewall incidents of recent years carry a lesson that extends beyond firewall security specifically. Every security device in your environment, your VPN appliance, your email security gateway, your endpoint detection platform, your identity management system, is itself a computer running software. It can contain vulnerabilities. It can be exploited. And when it is exploited, the attacker inherits whatever privileged access that device had.
This does not mean security devices are useless. It means the security model cannot treat any device or any layer of the stack as unconditionally trustworthy. Defense in depth, the principle that multiple overlapping security controls provide better protection than any single control relied upon absolutely, applies to security infrastructure itself. Monitoring your security tools for signs of compromise is as important as monitoring the systems they protect.
It also means that vendor relationships matter in ways that go beyond product features. How quickly does your firewall vendor release patches? How clearly do they communicate about vulnerabilities? Do they provide detection guidance and indicators of compromise along with their patches? Do they have a track record of handling security disclosures responsibly? These questions matter as much as throughput specifications and management console aesthetics when you are choosing what security hardware to trust with your perimeter.
How nDataStor Helps Businesses Manage Firewall Risk
nDataStor works with businesses across the Bay Area, North Bay, and Sacramento to manage network security infrastructure in a way that accounts for the reality that firewalls themselves are attack targets.
That work includes firewall configuration review, ensuring that management interfaces are properly restricted, that logging is correctly configured and being collected, and that firmware is current. It includes integration of firewall logs into continuous monitoring so that anomalous behavior on the device is detected and investigated, not just stored. And it includes incident response capability so that if a firewall is identified as potentially compromised, the response is organized, rapid, and complete.
We also help businesses think through their network architecture with zero-trust principles in mind, reducing the blast radius of any single device compromise by ensuring that internal systems maintain their own authentication and authorization controls rather than relying on the network perimeter as the primary trust mechanism.
If you haven't recently had your firewall configuration and firmware reviewed, or if you're not currently collecting and monitoring your firewall logs, a complimentary security assessment from nDataStor is a straightforward place to understand where you stand. We'll give you an honest picture of what your current posture looks like, and what it would take to address the gaps.
The Bottom Line
Your firewall is not a magic box that makes your network safe. It is a computer running software, positioned at the most sensitive point in your network architecture, and it is a target.
The incidents involving Ivanti, Fortinet, SonicWall, and Palo Alto are not aberrations. They are examples of a consistent reality: security devices contain vulnerabilities, sophisticated attackers know this and specifically look for them, and a compromised firewall provides a level of access that makes almost every other security control in your environment less effective.
The response is not panic and it is not abandonment of network security hardware. It is a mature, clear-eyed approach to managing these devices, restricting their exposure, keeping them patched, monitoring their behavior, and building a security architecture that doesn't treat any single device as an unconditional trust anchor.
The businesses that discovered firewall compromises quickly were the ones monitoring for the signs. The ones that went months without knowing were the ones that assumed the device was working because no one had told them otherwise.
In security, assumption is not a control. Verification is.