We first noted in 2023 how threat actors started to favor exploits on network infrastructure devices, such as routers, firewalls, load balancers, VPN appliances, and others.
Those exploits were 3% of all activity on our Adversary Engagement Environment (AEE) in 2022, 11% in 2023 and 14% in 2024. They are still behind web application exploits, but are catching up fast. The trend is also clear when we look at:
- CISA’s Known Exploited Vulnerabilities (KEV) catalog, where almost 20% of vulnerabilities added in 2025 affect these devices (up from 15% in 2023)
- Zero-day exploits, 14% of which in 2025 affect network appliances (up from 10% in 2023).
State-sponsored actors – especially those from China – and cybercriminals – predominantly ransomware gangs – have been massively exploiting these devices. There are three main reasons behind this trend:
- The lack of agent support, and therefore the limited security telemetry coming from those appliances. Attackers have a better chance of exploiting them without being detected by EDR and other host-based security tools. The same problem affects other unmanaged devices, such as IoT and OT, and is the reason why ransomware gangs are now exploiting IP cameras as the host from which to launch encryption.
- Their privileged network position. Routers, switches, firewalls, and other devices have access to a vast amount of network traffic, so they are perfect points for establishing persistence and siphoning off data in espionage campaigns or for moving laterally to other parts of the network and deploying further malware in cybercriminal campaigns.
- They often have internet-exposed management interfaces. Since in many cases they are perimeter devices, they are often misconfigured with management web interfaces or SSH servers available to anyone on the Internet, facilitating exploitation of known vulnerabilities. A clear example of this was our finding of more than 700,000 DrayTek routers with exposed web interfaces in 2024.
New evidence shows that the third point is becoming less of a condition for exploitation, as attackers move to also exploit internal network appliances, such as network access control solutions.
Here are two recent cases of known exploitation of network infrastructure devices: one on application delivery controllers at the network perimeter (Citrix Bleed 2) and one on the internal network (Cisco ISE). In the first case we still see a large volume of opportunistic attacks and a consistent history of exploitation; in the second case we do not. Translation: attackers may be using these vulnerabilities in more targeted ways.
Threat actors exploiting internal network devices are a clear sign that a zero trust approach is urgently needed. It’s no longer enough to extend visibility and threat detection to network perimeter devices. You also need to ensure that internal network appliances are monitored the same way and that control actions can be taken on those once signs of malicious activity are detected.
Network Perimeter Exploits – Citrix Bleed 2 and Application Delivery Controllers
Application Delivery Controllers (ADCs) topped our riskiest devices of 2025 list in the IT category. These platforms are used to deliver web applications in a scalable and secure way by providing functions, such as web acceleration, load balancing, web application firewalls, and SSL offloading.
Several vendors offer ADC solutions, including F5 Networks, Citrix Systems, Barracuda Networks, and others. Using data from Forescout’s Device Cloud, we see that Citrix NetScaler is by far the most popular ADC on the networks we monitor, at 85% of observed ADCs, followed by F5 at around 7%.
There are two reasons why ADCs topped the risk chart – and they are in common with other network infrastructure devices that were also in our riskiest list:
- Internet exposure. ADCs typically sit in data centers between firewalls and internal application servers, so they are often exposed online. Searching on Shodan for Citrix Netscaler devices, we see more than 57,000 with exposed web interfaces: 45% of these are in Europe, 25% in the US, 7% in Australia, and the rest mostly in Asia. Searching for F5 BIG-IP devices, we see over 37,000 with a similar distribution of 32% in Europe, 27% in the US, and 5% in Australia.
- Exploited vulnerabilities. There are currently 14 vulnerabilities affecting Citrix NetScaler on CISA KEV. Three of these vulnerabilities are known to be used by ransomware groups. There are also six vulnerabilities affecting F5 BIG-IP on the same catalog (two of which are known to be exploited for ransomware). Out of these 20 vulnerabilities, two recent ones are very relevant because of their severity, allowing unauthenticated attackers to take control of vulnerable devices. We discuss them below.
CVE-2025-6543 was first exploited as a 0-day, with an advisory published on June 25 and inclusion in the CISA KEV catalog on June 30. There is currently no public proof-of-concept (PoC) exploit available. Unfortunately, 0-days in ADCs have become common. Although this is the first in 2025, there were two in 2024 (CVE-2023-6549 and CVE-2023-6548), two in 2023 (CVE-2023-3519 and CVE-2023-4966), and one in 2022 (CVE-2022-27518).
CVE-2025-5777 (also known as Citrix Bleed 2) was published on June 17 and had a PoC available on June 30. It was added to CISA KEV on July 10, but we have been observing exploitation attempts on the AEE since July 3. These exploit attempts target two URLs, /p/u/doAuthentication.do and /nf/auth/startwebview.do, and they have come from the IP addresses listed in the IoCs section.
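The following is an added example of how a defender could hunt for these attempts in web access logs; it is not code from the original post or from Forescout. It assumes the logs are in Apache/NGINX combined format (real NetScaler logs differ, so the regex would need adapting), and the sample log lines are constructed for illustration: only the two request paths and the IoC addresses come from the post, while 203.0.113.7 and 198.51.100.23 are documentation-range placeholders, not indicators. A request to one of the two paths is flagged on its own; a request from a listed IoC address is flagged at lower priority even when the path looks benign, since those addresses were seen attacking.

```python
"""Hunt for Citrix Bleed 2 (CVE-2025-5777) exploitation attempts in access logs.

Added example, not from the original post. Log layout and sample lines are
constructed; the two paths and the IoC addresses are taken from the post.
"""
import ipaddress
import re
from collections import Counter

# Request paths the post reports in exploitation attempts.
EXPLOIT_PATHS = {"/p/u/doAuthentication.do", "/nf/auth/startwebview.do"}

# Source addresses from the post's IoC section, kept defanged as published.
IOC_DEFANGED = """
38.54.59[.]96 39.187.211[.]197 45.134.26[.]224 45.134.26[.]35 45.135.232[.]205
45.83.140[.]150 45.93.30[.]243 45.93.30[.]40 45.93.30[.]98 78.128.113[.]30
80.209.243[.]221 83.222.191[.]102 88.214.26[.]30 89.39.121[.]48 89.7.196[.]73
91.191.209[.]234 92.38.162[.]11 124.77.248[.]219 147.45.112[.]219 154.38.121[.]214
196.251.118[.]160 222.128.62[.]127
"""


def refang(token: str) -> ipaddress.IPv4Address:
    """Turn a defanged '1.2.3[.]4' token back into an address object."""
    return ipaddress.ip_address(token.replace("[.]", "."))


IOC_IPS = {refang(t) for t in IOC_DEFANGED.split()}

# Assumed layout: Apache/NGINX combined log format. Adapt to your appliance's export.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3}) (?P<size>\d+|-)'
)


def classify(line: str):
    """Return a finding dict for one log line, or None if nothing is notable."""
    m = LOG_RE.match(line)
    if not m:
        return None  # malformed or foreign format: skip rather than crash
    path = m["target"].split("?", 1)[0]  # drop any query string before matching
    try:
        src = ipaddress.ip_address(m["ip"])
    except ValueError:
        return None
    reasons = []
    if path in EXPLOIT_PATHS:
        reasons.append("exploit_path")
    if src in IOC_IPS:
        reasons.append("ioc_source")
    if not reasons:
        return None
    if len(reasons) == 2:
        severity = "high"      # known attacker address hitting a known exploit path
    elif reasons == ["exploit_path"]:
        severity = "medium"    # exploit path from an address not (yet) on the list
    else:
        severity = "low"       # listed address, benign-looking request: review
    return {"src": str(src), "ts": m["ts"], "method": m["method"],
            "path": path, "status": m["status"], "reasons": reasons,
            "severity": severity}


def scan(lines):
    """Classify every line and keep only the findings."""
    return [f for f in map(classify, lines) if f]


def summarize(findings):
    """Count findings per source address, most active first."""
    return Counter(f["src"] for f in findings).most_common()


# Constructed sample log; only the IoC addresses and the two paths are real.
SAMPLE_LOG = """\
45.93.30.40 - - [03/Jul/2025:10:14:22 +0000] "POST /p/u/doAuthentication.do HTTP/1.1" 200 512
203.0.113.7 - - [03/Jul/2025:10:15:01 +0000] "POST /nf/auth/startwebview.do?x=1 HTTP/1.1" 200 700
198.51.100.23 - - [03/Jul/2025:10:15:40 +0000] "GET /vpn/index.html HTTP/1.1" 200 1234
89.39.121.48 - - [03/Jul/2025:10:16:05 +0000] "GET /logon/LogonPoint/index.html HTTP/1.1" 200 4321
this line is not in the expected format
45.93.30.40 - - [03/Jul/2025:10:16:30 +0000] "POST /p/u/doAuthentication.do HTTP/1.1" 200 512
""".splitlines()

if __name__ == "__main__":
    hits = scan(SAMPLE_LOG)
    for h in hits:
        print(h["severity"].upper(), h["src"], h["method"], h["path"], h["reasons"])
    print("per source:", summarize(hits))
```

Matching on the path alone will also catch legitimate traffic if those endpoints are used during normal logins, so treat a medium hit as a trigger to inspect the request body and the response size rather than as a confirmed compromise; repeated hits from one source, as the summary shows, are the stronger signal.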
Exploiting the Internal Network – Cisco ISE CVEs
Network access control appliances are supposed to sit on the internal network, controlling which devices get access to network resources and which don’t. We don’t see them often on search engines like Shodan. That does not mean they don’t have vulnerabilities: there are 147 known issues on Cisco ISE, for instance.
Even though some of these are critical (eight of them have a CVSSv3 score above 9.0) and very recent, including CVE-2025-20124 and CVE-2025-20125, published in February with scores of 9.8 and 9.1, there had been no known exploitation until recently.
That changed on July 21, when Cisco confirmed active exploitation of three recent critical vulnerabilities affecting its Identity Services Engine (ISE) and ISE Passive Identity Connector (ISE-PIC): CVE-2025-20281, CVE-2025-20282 and CVE-2025-20337. All three have a CVSSv3 score of 10 and allow unauthenticated remote code execution. None of them is currently in the CISA KEV catalog and we do not see attempts on the AEE; that may be for an interesting reason: the proof-of-concept exploit for one of these (CVE-2025-20337) is being sold rather than released publicly.
The figure below shows that this exploit is currently being sold for ~1,000 USD (the price fluctuates based on the Bitcoin quotation). There were over 250 views on the offered exploit although we cannot see the number of people who actually acquired it.
Cisco’s confirmation that the vulnerabilities are being exploited, together with threat actors selling rather than sharing the PoC, indicates that these issues have real value to attackers. These actors may be starting to look at internal network appliances with the same interest they have developed for the network perimeter.
How Forescout Can Help
Forescout’s 4D Platform™ provides a practical and comprehensive roadmap for building and implementing a Zero Trust architecture across your IT, OT, IoT, and IoMT environments because it can:
- Identify your asset inventory and attack surface in real time (IoCs related to this threat are listed below).
- Map data flows and system interdependencies
- Correlate user, device, and posture data
- Build and test Zero Trust policies
- Orchestrate, monitor, and automate your response
This aligns with NIST SP 800-207 and SP 1800-35, CISA’s 5 pillars, and DoD’s “7 pillars of Zero Trust”.
All the actions above should be based on threat intelligence. The exploited vulnerabilities listed in this blog and the Indicators of Compromise listed below can be found on the Forescout Research – Vedere Labs threat feed, which is used by our products to complement proactive risk assessment and reactive threat detection.
IoCs
38.54.59[.]96
39.187.211[.]197
45.134.26[.]224
45.134.26[.]35
45.135.232[.]205
45.83.140[.]150
45.93.30[.]243
45.93.30[.]40
45.93.30[.]98
78.128.113[.]30
80.209.243[.]221
83.222.191[.]102
88.214.26[.]30
89.39.121[.]48
89.7.196[.]73
91.191.209[.]234
92.38.162[.]11
124.77.248[.]219
147.45.112[.]219
154.38.121[.]214
196.251.118[.]160
222.128.62[.]127