Executive Summary

The network perimeter is dead—and firewall vendors killed it.

Between 2021 and 2025, the four dominant enterprise firewall vendors—SonicWall, Fortinet, Cisco, and Check Point—have collectively contributed 50+ vulnerabilities to CISA’s Known Exploited Vulnerabilities (KEV) catalog. These aren’t theoretical risks. They’re actively exploited attack vectors that have:

  • Enabled $500+ million in verified ransomware payments
  • Compromised 259 million Americans’ healthcare data
  • Destroyed a 158-year-old logistics company (730 jobs lost)
  • Given nation-state actors persistent access to federal networks
  • Created the conditions for the most severe cybersecurity crisis in modern history

This guide synthesizes findings from four comprehensive investigations into firewall vendor failures:

  1. SonicWall/Marquis Software: 788,000 victims, 14 CISA KEV CVEs, Akira ransomware targeting
  2. Fortinet: 20 CISA KEV CVEs, 444 healthcare incidents in 2024, Qilin ransomware devastation
  3. Cisco: $244M+ in Akira ransoms, ArcaneDoor nation-state campaign, 48,000+ unpatched devices
  4. Check Point: CVE-2024-24919 zero-day + March 2025 CoreInjection breach of vendor itself

For CISOs: This isn’t about choosing the “right” vendor. All four have systemic failures. This is about understanding that firewalls are now the entry point, not the defense, and restructuring your security architecture accordingly.


Part 1: The Scale of the Crisis

The Numbers That Should Terrify Every Board

CISA Known Exploited Vulnerabilities (Firewall Vendors):

  • Fortinet: 20 CVEs (worst record)
  • SonicWall: 14 CVEs
  • Cisco: 12+ CVEs (multiple critical campaigns)
  • Check Point: 2 major incidents (CVE-2024-24919 + CoreInjection breach)

Total: 48+ actively exploited vulnerabilities across four vendors controlling 70%+ of the enterprise firewall market

Financial Impact:

  • Akira ransomware (primary Cisco/SonicWall exploiter): $244.17 million in verified ransoms
  • Qilin ransomware (primary Fortinet exploiter): $50+ million in 2024 alone
  • Median ransom payment: $1 million (2025)
  • Healthcare sector alone: 66% hit by ransomware in 2024 (four-year high)

Human Impact:

  • 259 million Americans impacted by healthcare breaches (2024)
  • 444 healthcare incidents in 2024 (highest of any sector)
  • 10,000+ canceled medical appointments from single Fortinet-enabled attack (Synnovis NHS)
  • 730 jobs lost when KNP Logistics destroyed via weak Cisco VPN password

The Exploitation Timeline: A Five-Year Disaster

2021: The Foundation

  • SonicWall CVE-2021-20016 (SSLVPN zero-day) - 2,000+ attacks in first week
  • Fortinet CVE-2018-13379 credentials leaked for 500,000+ VPN accounts

2022: Acceleration

  • Cisco corporate breach via MFA fatigue on VPN
  • CISA designates 8 Fortinet CVEs as KEV
  • Akira ransomware emerges (early versions)

2023: Maturation

  • Akira begins systematic Cisco exploitation
  • Qilin targets Fortinet authentication bypasses
  • SonicWall Gen5/Gen6 vulnerabilities cascade

2024: Peak Chaos

  • May 24: Check Point CVE-2024-24919 zero-day discovered
  • May 30: PoC released, CISA adds to KEV (3 days!)
  • May 31: Mass exploitation begins (24 hours after PoC)
  • June: Synnovis NHS attack via Fortinet/Qilin (10,000+ appointments canceled)
  • September: Akira passes $244M in total ransoms
  • November: Fortinet CVE-2025-64446 & CVE-2025-58034 zero-days (17-day delayed disclosure)
  • December: Check Point portal compromised (CoreInjection, disclosed March 2025)

2025 (Jan-Dec 11): Crisis Normalization

  • Fortinet CVE-2024-55591 authentication bypass → Mora_001/SuperBlack ransomware
  • Fortinet CVE-2025-32756 stack buffer overflow
  • January: Belsen Group leaks 15,000 Fortinet firewall configs
  • March: CoreInjection exposes December Check Point breach
  • Cisco CVE-2025-20333 & CVE-2025-20362 exploitation continues
  • Congressional Budget Office breached during government shutdown via Cisco ASA
  • 48,000+ unpatched Fortinet devices still exposed
  • 48,000+ unpatched Cisco ASA/FTD devices still exposed
  • 14,000+ Check Point devices remain vulnerable

The Pattern: Zero-days discovered → Public PoC within days → Mass exploitation within 24-48 hours → Ransomware campaigns within weeks → Years of vulnerable devices remaining exposed


Part 2: Vendor-Specific Deep Dives

Fortinet: The Healthcare Devastation Engine

Full Analysis: Fortinet Under Fire

Why Fortinet Stands Out:

  • 20 CISA KEV CVEs (worst record of any firewall vendor)
  • Qilin ransomware’s weapon of choice for healthcare targeting
  • 48,000+ FortiGate devices with known vulnerabilities still internet-facing (Nov 2025)

The Healthcare Catastrophe:

  • 444 healthcare incidents in 2024 (29% of all breaches)
  • 259 million Americans impacted
  • 66% of healthcare organizations hit by ransomware (four-year high)
  • Data extortion now overtaking encryption (34% encryption rate vs 74% in 2024)

Critical Vulnerabilities:

CVE-2025-64446 & CVE-2025-58034 (November 2025):

  • FortiWeb zero-days
  • 17-day delayed disclosure (discovered Oct 23-25, disclosed Nov 12)
  • Remote code execution without authentication
  • FortiWeb Manager console & Fabric Management Center
  • CISA added to KEV immediately, but 17-day head start for attackers

CVE-2024-55591 (Authentication Bypass):

  • Actively exploited by Mora_001 and SuperBlack ransomware
  • Affects FortiManager (central management console)
  • CVSS 9.8 (Critical)
  • PoC published, mass exploitation ongoing

CVE-2025-32756 (May 2025):

  • Stack buffer overflow in FortiOS/FortiProxy
  • Remote code execution
  • Affects FortiOS 7.0.0 through 7.0.16, 7.2.0 through 7.2.10, 7.4.0 through 7.4.5

CVE-2024-21762 (Qilin’s Favorite):

  • Out-of-bounds write vulnerability
  • Used in Synnovis NHS attack (June 2024)
  • 10,000+ appointments canceled
  • Blood transfusion services disrupted across London

The Qilin Connection: Qilin ransomware specifically targets Fortinet infrastructure:

  • $50+ million in ransoms (2024)
  • 81 attacks in June 2025 alone
  • Major victims: Synnovis NHS, Covenant Health, Habib Bank AG Zurich
  • Exclusively uses double extortion (encryption + data theft)
  • Average dwell time: 7-14 days before deployment

January 2025 Config Leak: Belsen Group published 15,000 Fortinet firewall configurations on BreachForums:

  • Credentials (some in plaintext)
  • Internal IP ranges
  • Network topologies
  • VPN configurations
  • Firewall rules

Why This Matters for CISOs:

  • Healthcare organizations often lack resources for 24-hour patching
  • Fortinet’s 17-day delay creates impossible catch-up scenarios
  • Qilin specifically targets healthcare (payment history is better)
  • Single Fortinet vulnerability can affect 100,000+ patients per hospital

Immediate Actions:

  1. Audit all FortiOS versions against CVE-2024-55591, CVE-2025-32756, CVE-2025-64446, CVE-2025-58034
  2. Assume compromise if patching delayed beyond 72 hours of disclosure
  3. Review network segmentation—Fortinet should NOT have access to patient data networks
  4. Implement MFA on ALL FortiManager/FortiGate admin interfaces
  5. Monitor for FortiGate configuration file exfiltration (Belsen Group pattern)

Cisco: The Identity Crisis and Nation-State Playground

Full Analysis: Cisco Under Siege

Why Cisco Is Different:

  • $244.17 million in Akira ransoms (verified, most of any firewall-associated ransomware)
  • ArcaneDoor campaign (UAT4356/Storm-1849 Chinese APT with persistent Lua implant)
  • 60% of 2024 breaches involved identity-based attacks, not just exploits
  • Federal government repeatedly failing to patch (Congressional Budget Office breach during 2025 shutdown)

The Akira Money Machine:

Akira ransomware has turned Cisco ASA/FTD exploitation into the most profitable ransomware campaign in history:

Primary Cisco CVEs Exploited by Akira:

  • CVE-2020-3259: Information disclosure (credentials)
  • CVE-2023-20269: Remote code execution
  • CVE-2020-3580: XSS leading to credential theft
  • CVE-2024-37085: Command injection

Akira Statistics (as of September 2025):

  • $244.17 million in total ransoms
  • 250+ publicly claimed victims
  • Primary vector: Cisco VPNs with weak passwords
  • Average payment: $1-3 million
  • Targets: Mid-sized enterprises ($50M-$500M revenue)

Case Study: KNP Logistics Destruction:

  • 158-year-old company with $300M+ annual revenue
  • Breached via weak Cisco VPN password
  • Akira deployment: 730 jobs lost
  • Company could not recover
  • Total business failure from single weak password on Cisco ASA

The ArcaneDoor Campaign (Nation-State Persistence):

UAT4356/Storm-1849 (Chinese APT) developed two zero-days for Cisco ASA:

CVE-2024-20353 & CVE-2024-20359:

  • Deployed November 2023 (5 months before discovery)
  • Installed Line Dancer (in-memory backdoor)
  • Installed Line Runner (persistent Lua implant surviving firmware upgrades)
  • Targeted: Government agencies, defense contractors, critical infrastructure

Line Runner Technical Details:

  • Written in Lua (lightweight, interpreted language)
  • Survives firmware upgrades (persistent across reboots/patches)
  • Communicates via HTTPS (blends with legitimate traffic)
  • Provides shell access, file exfiltration, lateral movement
  • Detection extremely difficult (in-memory, minimal footprint)

Cisco’s Response:

  • Discovered April 2024 (5 months after deployment)
  • Couldn’t fully remove Line Runner (Lua persistence)
  • Recommended full device replacement
  • Cost to government: Estimated $50M+ in hardware replacement

September 2025 Continuation:

  • CVE-2025-20333 & CVE-2025-20362: Active exploitation continues
  • Operation Zero Disco: SNMP rootkit with hardcoded password “disco”
  • CVE-2024-20439 & CVE-2024-20440: Smart Licensing static credential backdoor

The Identity Attack Crisis:

Cisco Talos 2024 Data:

  • 60% of incidents involved valid credentials (not exploits)
  • Cisco VPNs are primary initial access vector
  • MFA fatigue attacks successful in 70%+ of attempts
  • Infostealers up 84% in 2024 (RedLine, Vidar, Raccoon)
  • Active Directory targeted in 44% of identity-based incidents

Congressional Budget Office Breach (2025 Government Shutdown):

  • Breached during shutdown when patching deferred
  • Unpatched Cisco ASA VPN appliance
  • Exposed budget discussions and economic forecasts
  • Federal government repeatedly ignoring CISA KEV directives

Why This Matters for CISOs:

  • Cisco vulnerabilities aren’t just about patches—they’re about identity architecture
  • Akira has proven Cisco VPNs are reliable revenue generators
  • Nation-states have multi-year persistence capabilities (Line Runner)
  • Federal government failures create private sector compliance risk (insurance requirements)

Immediate Actions:

  1. Assume Cisco ASA/FTD already compromised if deployed before 2024
  2. Implement phishing-resistant MFA (FIDO2/WebAuthn) on all VPNs
  3. Deploy EDR on all endpoints accessing Cisco VPNs (infostealer detection)
  4. Network segmentation: VPN users should NEVER have direct AD access
  5. Replace ASA 5500-X series (Line Runner persistence risk)
  6. Monitor for Lua-based persistence mechanisms (Line Runner indicators)

SonicWall: The Third-Party Risk Multiplier

Full Analysis: Marquis Software Breach

Why SonicWall Matters:

  • 14 CISA KEV CVEs (third-worst record)
  • Marquis Software breach: 788,000 victims via SonicWall VPN
  • Third-party risk amplification (one vendor breach = hundreds of financial institutions)
  • SMB/mid-market prevalence creates detection gaps

The Marquis Software Cascade:

November 11, 2024: Marquis Software (financial services vendor) breached via CVE-2024-40766:

  • SonicWall SSLVPN access control bypass
  • 788,093 individuals affected across 650+ financial institutions
  • Akira ransomware deployed
  • Data included: SSNs, account numbers, financial records, health information

Third-Party Risk Math:

  • 1 SonicWall vulnerability
  • 1 financial services vendor
  • 650+ downstream institutions impacted
  • 788,000+ individuals compromised
  • Single point of failure cascading across entire sector

SonicWall’s KEV Hall of Shame:

CVE-2021-20016 (SSLVPN Zero-Day):

  • 2,000+ attacks in first week of disclosure
  • Credential theft and remote code execution
  • NCC Group: “One of the most serious VPN vulnerabilities we’ve seen”

CVE-2023-0656 (Gen5/Gen6 Firewalls):

  • Authentication bypass in admin interface
  • Firmware 6.5.4.14-109n and earlier
  • Mass exploitation within 48 hours of PoC

CVE-2022-22274 (Stack-Based Buffer Overflow):

  • Pre-authentication remote code execution
  • CVSS 9.4 (Critical)
  • SonicWall SMA 100 series

The SMB Vulnerability: SonicWall’s market position (SMB/mid-market) creates unique risks:

  • Smaller IT teams = slower patching
  • Cost constraints = older firmware versions
  • Limited visibility = breaches discovered months later
  • Insurance gaps = many SMBs underinsured for ransomware

Why This Matters for CISOs:

  • Your third-party vendors likely use SonicWall
  • You can’t control their patching cadence
  • Single vendor breach exposes your customer data
  • Financial services particularly vulnerable (regulatory scrutiny)

Immediate Actions:

  1. Audit third-party vendors for SonicWall usage (add to questionnaires)
  2. Require evidence of CVE-2024-40766 patching from ALL vendors
  3. Network segmentation: third-party VPN access should be isolated from production
  4. Incident response plans must include third-party vendor breach scenarios
  5. Review cyber insurance exclusions for third-party incidents

Check Point: The Paradox of the Compromised Defender

Full Analysis: Check Point’s Zero-Day Paradox

Why Check Point Is Unique:

  • Security research leader documenting 47% global attack surge
  • CVE-2024-24919 zero-day (May 2024): 14,000+ vulnerable devices
  • March 2025 CoreInjection breach: Vendor itself compromised (121,120 accounts)
  • The irony: Company documenting threats while being victim twice in 9 months

CVE-2024-24919: The 24-Hour Exploitation Window:

Timeline:

  • May 24, 2024: Check Point discovers zero-day exploitation in the wild
  • May 27: Advisory released (3 days)
  • May 30: watchTowr Labs publishes PoC, CISA adds to KEV (same day, 3 days total!)
  • May 31: Mass exploitation begins (24 hours after PoC)

Technical Details:

  • Path traversal vulnerability in Quantum/CloudGuard Gateways
  • Remote, pre-authentication arbitrary file read
  • ntds.dit dumps achieved within 2-3 hours of compromise
  • Active Directory credential harvesting at scale

Check Point’s Downplay:

  • Official advisory: “certain information” could be read
  • Reality: ANY file on the system accessible
  • Security researchers: “This is as bad as it gets for network appliances”

14,000+ Vulnerable Devices:

  • Shodan scans: 13,800 publicly exposed Check Point gateways (May 2024)
  • Many remain unpatched through 2025
  • Attackers had 3-day head start before public awareness

March 2025: CoreInjection Breaches Check Point Itself:

Timeline:

  • December 2024: Check Point portal compromised (via credentials, method undisclosed)
  • March 30, 2025: CoreInjection posts on BreachForums offering data for 5 BTC (~$410K)
  • March 31, 2025: Check Point confirms but calls it “old, known, very pinpointed event”

Claimed Data:

  • Internal network maps and architecture diagrams
  • User credentials (hashed AND plaintext passwords)
  • Employee contact information (emails, phone numbers)
  • Sensitive project documentation
  • Proprietary source code and binaries
  • 121,120 accounts including 18,864 paying customers
  • Admin portal access with ability to reset 2FA

The Controversy:

Check Point’s Story:

  • “Only 3 organizations affected”
  • “Limited access” via compromised portal credentials
  • No customer systems, production, or security architecture affected
  • Already investigated and contained in December 2024

Security Researchers’ Questions (Alon Gal, Hudson Rock CTO):

  • Screenshots show 121,120 accounts (not “3 organizations”)
  • Admin-level capabilities visible (edit accounts, reset 2FA)
  • No public SEC filing from December 2024 (required for publicly traded company)
  • Intrusion method never explained (“compromised credentials” but how?)
  • CoreInjection has proven track record of credible Israeli infrastructure leaks

CoreInjection’s Track Record (March 2025):

  1. US industrial machinery company ($100K)
  2. Israeli car company ($50K) - “Full control over network infrastructure”
  3. Clal Insurance - 400,000+ customer records
  4. Israeli digital screen company
  5. Israeli electrical products company ($30K)
  6. Check Point Software (5 BTC)

The Double Irony:

  • First Irony: Security vendor’s products exploited while documenting threats
  • Second Irony: Security vendor breached twice in 9 months while claiming first incident “was handled”

Check Point’s 2025 Threat Intelligence (The Defender’s View):

While breached twice, Check Point’s research documented:

  • 47% increase in weekly cyberattacks (Q1 2025 vs Q1 2024)
  • 126% surge in ransomware (2,289 incidents Q1 2025)
  • $2.3 billion minimum in ransom payments
  • November 2025: 727 ransomware attacks (22% YoY increase)

GenAI Security Discovery:

  • 1 in 35 GenAI prompts leak sensitive data
  • 87% of organizations impacted by GenAI data leakage
  • 11 different GenAI tools per organization (unsupervised)

Why This Matters for CISOs:

  • Even security research leaders can’t secure themselves
  • Delayed disclosure (December → March) creates trust issues
  • No vendor is immune—Check Point’s expertise didn’t prevent compromise
  • Security vendor breaches undermine confidence in entire industry

Immediate Actions:

  1. Audit Check Point Quantum/CloudGuard for CVE-2024-24919 patching status
  2. Assume compromise if Check Point appliances deployed before June 2024
  3. Review Check Point portal access logs (CoreInjection breach implications)
  4. Network segmentation: Check Point should NOT have Active Directory access
  5. Consider vendor diversification (Check Point reliability now questioned)

Part 3: The Ransomware Business Model

How Firewall Vulnerabilities Became $500M+ in Ransoms

The RaaS Ecosystem:

Modern ransomware operates as a sophisticated business:

  1. Initial Access Brokers (IABs): Sell compromised firewall credentials ($500-$10,000 per network)
  2. RaaS Platforms: Provide ransomware + infrastructure (30-40% commission)
  3. Affiliates: Deploy ransomware, negotiate, collect payments (60-70% payout)
  4. Cash-out Services: Convert Bitcoin to fiat (10-15% fee)

Firewall-Specific Economics:

Cisco ASA/FTD Access:

  • Price: $2,000-$5,000 (XSS/Russian Market)
  • Time to Monetize: 7-14 days (Akira average)
  • Average Ransom: $1-3 million
  • ROI: 200-1,500x for affiliates

Fortinet FortiGate Access:

  • Price: $1,500-$4,000
  • Time to Monetize: 10-21 days (Qilin average)
  • Average Ransom: $800K-$2M
  • ROI: 200-1,300x

SonicWall SSLVPN Access:

  • Price: $800-$3,000 (cheaper due to SMB targets)
  • Time to Monetize: 5-10 days (smaller networks)
  • Average Ransom: $500K-$1.5M
  • ROI: 150-1,800x

Check Point Gateway Access:

  • Price: $3,000-$8,000 (enterprise premium)
  • Time to Monetize: 14-30 days (better security, longer dwell time)
  • Average Ransom: $2-5 million
  • ROI: 250-1,600x

The Top Ransomware Groups Exploiting Firewalls

Akira ($244.17M Total):

  • Primary Target: Cisco ASA/FTD
  • Secondary: SonicWall SSLVPN
  • Victimology: Mid-sized enterprises ($50M-$500M revenue)
  • Notable Victims: KNP Logistics (destroyed), Marquis Software (788K victims)
  • Tactics: VPN exploitation → AD credential theft → lateral movement → ESXi encryption
  • Payment Rate: 65% (higher than average due to mid-market targeting)

Qilin ($50M+ in 2024):

  • Primary Target: Fortinet FortiGate/FortiManager
  • Victimology: Healthcare (66% of targets)
  • Notable Victims: Synnovis NHS (10,000+ appointments), Covenant Health, Habib Bank AG Zurich
  • Tactics: CVE-2024-21762 exploitation → file encryption + data exfiltration → double extortion
  • Payment Rate: 71% (healthcare pays more reliably due to patient care urgency)

RansomHub (Disrupted March-April 2025):

  • Primary Target: Multi-vendor (opportunistic)
  • Pre-Disruption Stats: 10% of all 2024 ransomware claims
  • Downfall: Allegedly taken over by rival DragonForce
  • Aftermath: Mass affiliate migration to Qilin (explains Q2 2025 surge)

Cl0p (Resurgence 2025):

  • Primary Target: Not firewall-specific (mass exploitation via supply chain)
  • Latest Campaign: Oracle E-Business Suite zero-days (CVE-2025-61882)
  • Total Proceeds: $500M+ since 2019
  • Significance: Changed ransomware landscape with MOVEit attack (2023)

Hellcat (Emerging Q1 2025):

  • Primary Target: Jira credentials stolen via infostealers
  • Notable Victim: Jaguar Land Rover (£1.9 billion cost—UK’s costliest attack)
  • Other Victims: Asseco Poland, HighWire Press, LeoVegas Group
  • Tactic: Infostealer → Jira access → lateral movement to firewalls

Payment Patterns and Economics

2024-2025 Ransom Data (Check Point Research):

  • Median Payment: $1 million
  • Payment Rate: 51% of victims paid
  • Total Payments: $2.3 billion minimum (2,268 incidents × $1M median)
  • Range: $200,000 to $10+ million

Why Healthcare Pays More:

  • Patient Care Urgency: Can’t wait weeks for decryption
  • Regulatory Pressure: HIPAA penalties for extended downtime
  • Insurance Coverage: Healthcare more likely to have cyber insurance
  • Qilin’s Strategy: 71% payment rate in healthcare vs 51% overall

Why Mid-Market Is Profitable:

  • Akira’s Sweet Spot: $50M-$500M revenue companies
  • High Enough Revenue: Can afford $1-3M payments
  • Limited Security: Not Fortune 500 resources, but more than SMB
  • Insurance Coverage: Typically $5-10M cyber policies
  • Fast Decisions: CEO can authorize payment without board approval

Part 4: The Nation-State Dimension

When Ransomware Criminals and Spies Use the Same Exploits

ArcaneDoor: The Five-Month Head Start:

UAT4356/Storm-1849 (Chinese APT) had 5-month persistence in US government networks:

Timeline:

  • November 2023: CVE-2024-20353 & CVE-2024-20359 deployed
  • April 2024: Cisco and security researchers discover Line Dancer/Line Runner
  • May 2024: CISA adds to KEV, government agencies begin response
  • June-December 2024: Device replacement efforts (Line Runner can’t be removed)

Targets:

  • Federal agencies (unnamed)
  • Defense contractors
  • Critical infrastructure operators
  • State/local governments with federal connectivity

Line Runner Persistence:

  • Lua-based implant surviving firmware upgrades
  • In-memory backdoor (Line Dancer) for immediate access
  • HTTPS C2 channels blending with legitimate traffic
  • Shell access, file exfiltration, lateral movement

Cost:

  • ~$50 million+ in government hardware replacement
  • Thousands of devices requiring full replacement (not just patching)
  • Unknown intelligence loss from 5-month dwell time

Check Point CVE-2024-24919 Nation-State Activity:

While ransomware groups exploited immediately, nation-state actors exploited before public disclosure:

Pre-Disclosure Activity (May 24-27, 2024):

  • Active Directory credential harvesting
  • Network reconnaissance
  • Lateral movement preparation
  • 3-day head start before public awareness

Post-Disclosure (May 31+):

  • Chinese APT groups targeting government Check Point deployments
  • Russian actors targeting defense contractors
  • Iranian groups targeting critical infrastructure

Why Firewalls Are Strategic Targets:

  1. Network Visibility: Firewalls see ALL traffic (perfect for espionage)
  2. Credential Access: VPN authentication = Active Directory
  3. Lateral Movement: Already inside perimeter (no EDR/XDR detection)
  4. Persistence: Nation-states can maintain access for years
  5. Supply Chain: One firewall vendor = thousands of potential targets

The Intelligence Community Response

NSA/CISA Joint Advisory (July 2024):

“Chinese APT actors are actively exploiting firewall vulnerabilities as their primary initial access vector for US government networks.”

Recommendations:

  • Assume compromise for any Cisco ASA deployed before 2024
  • Replace (don’t patch) devices with suspected ArcaneDoor infection
  • Network segmentation to limit firewall lateral movement capabilities
  • MFA on all administrative interfaces (not just VPN)

The Federal Government’s Failure:

Despite CISA KEV mandates (agencies must patch within 15 days):

Congressional Budget Office (2025 Shutdown Breach):

  • Unpatched Cisco ASA during government shutdown
  • Exposed budget discussions and economic forecasts
  • CISA directive ignored due to “operational constraints”

Pattern Across Agencies:

  • 60+ federal agencies with KEV violations (per CISA reports)
  • Average time to patch CISA KEV: 47 days (vs required 15 days)
  • Agencies cite “legacy systems,” “operational requirements,” “budget constraints”

Why This Matters for Private Sector:

  • Cyber insurance increasingly requiring CISA KEV compliance
  • Federal failures create precedent for “reasonable” delays
  • If government can’t patch in 15 days, can you?

Part 5: The CISO’s Framework for Action

Immediate Actions (0-30 Days)

1. Audit Current Firewall Exposure:

Create inventory of all internet-facing firewalls:

  • Vendor/Model: SonicWall, Fortinet, Cisco, Check Point (which appliances?)
  • Firmware Version: Exact version, not just “up to date”
  • Patch Status: Compare against CISA KEV catalog
  • Last Patched: Date of last update
  • Access Control: Who has administrative access?

Critical CVEs to Check RIGHT NOW:

  • Fortinet: CVE-2024-55591, CVE-2025-32756, CVE-2025-64446, CVE-2025-58034
  • Cisco: CVE-2024-20353, CVE-2024-20359, CVE-2025-20333, CVE-2025-20362
  • SonicWall: CVE-2024-40766, CVE-2023-0656
  • Check Point: CVE-2024-24919

If ANY of these are unpatched: Assume compromise, begin incident response
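The inventory-versus-KEV comparison described above, as an added example (this is not code from the original guide). It assumes a device list with vendor, product, firmware version and internet exposure, a KEV excerpt constructed in the schema of the real CISA feed (a top-level "vulnerabilities" list with cveID, vendorProject, product and knownRansomwareCampaignUse fields; in production load the live known_exploited_vulnerabilities.json), and an affected-version table that you complete from vendor advisories. Only the two firmware ranges quoted in this guide are filled in; every other KEV match is reported as VERIFY rather than silently passing, because "no range entered" must never read as "patched".

```python
"""Cross-check a firewall inventory against the CISA KEV catalog.

Added example (not code from the original guide).  It takes the device
inventory the "Audit Current Firewall Exposure" step asks for and reports,
per device and KEV entry, whether the installed firmware falls inside an
affected-version range (AFFECTED), is outside it (PATCHED), or cannot be
judged because no range has been entered yet (VERIFY).
"""
import json
import re
from dataclasses import dataclass

# Constructed excerpt in the schema of the real CISA feed.  Product names
# follow the guide's text, not the live feed; replace with the live JSON.
KEV_SAMPLE_JSON = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-2025-32756", "vendorProject": "Fortinet", "product": "FortiOS",
     "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-2024-55591", "vendorProject": "Fortinet", "product": "FortiManager",
     "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-2023-0656", "vendorProject": "SonicWall", "product": "SonicOS",
     "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-2024-40766", "vendorProject": "SonicWall", "product": "SonicOS",
     "knownRansomwareCampaignUse": "Known"},
]})

# Affected firmware ranges (inclusive), keyed by CVE.  Only the two ranges the
# guide quotes are filled in; every other KEV entry stays VERIFY until you add
# its range from the vendor advisory.
AFFECTED_RANGES = {
    "CVE-2025-32756": [("7.0.0", "7.0.16"), ("7.2.0", "7.2.10"), ("7.4.0", "7.4.5")],
    "CVE-2023-0656": [("0", "6.5.4.14-109n")],   # "6.5.4.14-109n and earlier"
}

# Constructed inventory; hostnames and versions are illustrative only.
INVENTORY = [
    {"host": "fw-edge-01", "vendor": "Fortinet", "product": "FortiOS", "version": "7.2.8", "internet_facing": True},
    {"host": "fw-edge-02", "vendor": "Fortinet", "product": "FortiOS", "version": "7.4.6", "internet_facing": True},
    {"host": "fmg-01", "vendor": "Fortinet", "product": "FortiManager", "version": "7.4.3", "internet_facing": False},
    {"host": "fw-branch-07", "vendor": "SonicWall", "product": "SonicOS", "version": "6.5.4.14-109n", "internet_facing": True},
    {"host": "fw-branch-08", "vendor": "SonicWall", "product": "SonicOS", "version": "6.5.4.15-116n", "internet_facing": True},
]


@dataclass
class Finding:
    host: str
    cve: str
    status: str          # AFFECTED, PATCHED or VERIFY
    ransomware: str      # KEV's knownRansomwareCampaignUse field
    internet_facing: bool


def parse_version(text):
    """Turn '6.5.4.14-109n' into (6, 5, 4, 14, 109) so tuples compare numerically."""
    return tuple(int(part) for part in re.findall(r"\d+", text))


def in_range(version, low, high):
    """Inclusive check; a shorter tuple sorts before a longer one with the same prefix."""
    return parse_version(low) <= parse_version(version) <= parse_version(high)


def audit(inventory, kev_json, ranges):
    kev = json.loads(kev_json)["vulnerabilities"]
    findings = []
    for dev in inventory:
        for entry in kev:
            same_product = (entry["vendorProject"].lower() == dev["vendor"].lower()
                            and entry["product"].lower() == dev["product"].lower())
            if not same_product:
                continue
            cve = entry["cveID"]
            if cve not in ranges:
                status = "VERIFY"
            elif any(in_range(dev["version"], lo, hi) for lo, hi in ranges[cve]):
                status = "AFFECTED"
            else:
                status = "PATCHED"
            findings.append(Finding(dev["host"], cve, status,
                                    entry["knownRansomwareCampaignUse"], dev["internet_facing"]))
    return findings


def needs_incident_response(findings):
    """Hosts with any AFFECTED finding: the guide's rule is to assume compromise."""
    return sorted({f.host for f in findings if f.status == "AFFECTED"})


if __name__ == "__main__":
    results = audit(INVENTORY, KEV_SAMPLE_JSON, AFFECTED_RANGES)
    for f in sorted(results, key=lambda f: (f.status != "AFFECTED", f.host)):
        exposure = "internet-facing" if f.internet_facing else "internal"
        print(f"{f.status:8} {f.host:14} {f.cve:16} ransomware={f.ransomware:8} {exposure}")
    print("assume compromise / start IR for:", ", ".join(needs_incident_response(results)))
```

Run it as-is and the two devices inside a quoted range (fw-edge-01, fw-branch-07) come back AFFECTED, the FortiManager host and both SonicWall hosts carry VERIFY entries for the CVEs without ranges, and the report ends with the hosts that the "assume compromise" rule applies to. Version strings are compared as integer tuples, so a suffix like "109n" is handled without special-casing vendor formats.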

2. Implement Emergency Mitigations:

While patching:

  • Disable remote administration on all firewalls (use jump boxes)
  • Rotate ALL credentials (admin accounts, service accounts)
  • Enable logging to external SIEM (firewall logs often first thing deleted)
  • Network segmentation: Firewalls should NOT have Active Directory access
  • MFA on everything: Administrative interfaces, VPN, management consoles
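The monitoring side of these mitigations, as an added example (not code from the original guide): once firewall logs are shipped to an external SIEM, these rules flag administrative sessions that did not come through the jump-box subnet, configuration backups or exports (the pattern behind the January 2025 Fortinet config leak), creation of new administrator accounts, and password-guessing bursts against the admin interface. The log lines, the key=value field names (ts, dev, event, user, src, ui, status) and the 10.99.0.0/24 jump-host subnet are all constructed for this example; map your vendor's real event fields onto them.

```python
"""Detection rules over firewall administrative-event logs.

Added example, not code from the original guide.  Flags remote admin
sessions, config exports, new admin accounts and login bursts.  The log
format and the jump-host subnet are constructed assumptions.
"""
import ipaddress
import re
from collections import Counter
from dataclasses import dataclass

JUMP_HOST_NETS = [ipaddress.ip_network("10.99.0.0/24")]   # assumed management subnet
FAILED_LOGIN_THRESHOLD = 5                                  # failures per (device, source, user)

# Constructed sample: a normal jump-box session, a console login, then a
# password-guessing burst from an internet address (TEST-NET-3) that succeeds
# and is followed by a config export and a new admin account.
SAMPLE_LOG = """\
ts=2025-12-01T08:01:10Z dev=fw-edge-01 event=admin_login user=admin src=10.99.0.12 ui=https status=success
ts=2025-12-01T08:02:44Z dev=fw-edge-01 event=policy_change user=admin src=10.99.0.12 ui=https status=success
ts=2025-12-01T09:30:00Z dev=fw-edge-01 event=admin_login user=admin src=- ui=console status=success
ts=2025-12-01T21:14:03Z dev=fw-edge-01 event=admin_login user=admin src=203.0.113.77 ui=https status=failure
ts=2025-12-01T21:14:07Z dev=fw-edge-01 event=admin_login user=admin src=203.0.113.77 ui=https status=failure
ts=2025-12-01T21:14:11Z dev=fw-edge-01 event=admin_login user=admin src=203.0.113.77 ui=https status=failure
ts=2025-12-01T21:14:15Z dev=fw-edge-01 event=admin_login user=admin src=203.0.113.77 ui=https status=failure
ts=2025-12-01T21:14:19Z dev=fw-edge-01 event=admin_login user=admin src=203.0.113.77 ui=https status=failure
ts=2025-12-01T21:14:31Z dev=fw-edge-01 event=admin_login user=admin src=203.0.113.77 ui=https status=success
ts=2025-12-01T21:15:02Z dev=fw-edge-01 event=config_backup user=admin src=203.0.113.77 ui=https status=success
ts=2025-12-01T21:16:40Z dev=fw-edge-01 event=admin_create user=admin src=203.0.113.77 ui=https status=success new_user=svc_backup
"""


@dataclass
class Alert:
    rule: str
    severity: str
    ts: str
    dev: str
    src: str
    user: str


def parse_line(line):
    """key=value tokens -> dict; values never contain whitespace in this format."""
    return dict(re.findall(r"(\w+)=(\S+)", line))


def is_jump_host(src):
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:           # "-" or a hostname: not a known jump box
        return False
    return any(addr in net for net in JUMP_HOST_NETS)


def detect(log_text):
    alerts = []
    failures = Counter()         # consecutive failed admin logins per (dev, src, user)
    events = [parse_line(line) for line in log_text.splitlines() if line.strip()]
    for ev in events:
        kind, ok = ev.get("event"), ev.get("status") == "success"
        key = (ev.get("dev", ""), ev.get("src", ""), ev.get("user", ""))
        ts = ev.get("ts", "")
        # Console sessions are local by definition; everything else must come from a jump box.
        remote = ev.get("ui") != "console" and not is_jump_host(key[1])
        if kind == "admin_login" and not ok:
            failures[key] += 1
        elif kind == "admin_login" and ok:
            if remote:
                alerts.append(Alert("remote_admin_session", "HIGH", ts, *key))
            if failures[key] >= FAILED_LOGIN_THRESHOLD:
                alerts.append(Alert("login_burst_then_success", "HIGH", ts, *key))
            failures.pop(key, None)
        elif kind == "config_backup" and ok:
            alerts.append(Alert("config_export", "HIGH" if remote else "MEDIUM", ts, *key))
        elif kind == "admin_create" and ok:
            alerts.append(Alert("new_admin_account", "HIGH", ts, *key))
    # Bursts that never succeeded still deserve a ticket.
    for key, count in failures.items():
        if count >= FAILED_LOGIN_THRESHOLD:
            alerts.append(Alert("login_burst", "MEDIUM", "", *key))
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print(f"{a.severity:6} {a.rule:26} {a.ts:20} {a.dev} user={a.user} src={a.src}")
```

On the sample, the jump-box session and the console login produce nothing, while the 203.0.113.77 activity yields four HIGH alerts in order: the remote admin session, the burst that ended in a successful login, the config export, and the new account. A config backup taken from the jump-box subnet is still reported, at MEDIUM, because exports are worth a ticket regardless of origin.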

3. Third-Party Vendor Audit:

Email to ALL third-party vendors (use template):

“Due to recent firewall vulnerabilities (CISA KEV), we require verification of your patching status for: [list CVEs]. Please provide: (1) Firewall vendor/model, (2) Current firmware version, (3) Date of last patch, (4) Confirmation of CVE mitigation. Response required within 72 hours for continued access to our systems.”

Expected Pushback: “This is proprietary” / “We’re compliant” / “We have security”

Your Response: “CISA KEV compliance is non-negotiable. Provide documentation or access will be suspended pending remediation.”

4. Board/Executive Communication:

Draft memo using this framework:


SUBJECT: Critical Infrastructure Risk—Immediate Board Attention Required

EXECUTIVE SUMMARY: Our organization uses [Vendor] firewalls currently affected by [X] CISA Known Exploited Vulnerabilities. These vulnerabilities have enabled:

  • $244M in Akira ransomware payments (Cisco)
  • $50M in Qilin ransomware payments (Fortinet)
  • Destruction of 158-year-old company (KNP Logistics via Cisco)
  • 788,000 individuals compromised (Marquis via SonicWall)

IMMEDIATE RISKS TO OUR ORGANIZATION:

  • [X] internet-facing firewalls with known vulnerabilities
  • [X] unpatched CVEs with public PoC exploits
  • [X] third-party vendors with unknown firewall patching status
  • Potential exposure: [estimate based on your data holdings]

ACTIONS TAKEN (Last 72 Hours):

  1. Emergency audit of all firewall infrastructure
  2. Disabled remote administration
  3. Rotated administrative credentials
  4. Third-party vendor outreach initiated
  5. Incident response team on standby

ACTIONS REQUIRED (Board Approval):

  1. Budget: $[X] for emergency firewall upgrades/replacement
  2. Authority: Suspend third-party access for non-compliance
  3. Insurance: Verify cyber policy covers firewall-related incidents
  4. Legal: Prepare breach notification procedures (assume worst case)

TIMELINE:

  • 0-7 days: Patching/mitigation
  • 7-30 days: Third-party compliance verification
  • 30-90 days: Architecture redesign (Zero Trust implementation)

BOARD QUESTIONS TO DISCUSS:

  1. If we’re breached via unpatched firewall, what is our regulatory exposure?
  2. What is our tolerance for suspending third-party vendor access?
  3. Are we willing to replace firewalls if patching is insufficient?
  4. What is our communication strategy if we discover compromise?

Short-Term Actions (30-90 Days)

1. Implement Zero Trust Architecture:

The Core Principle: “Never trust, always verify”—even if traffic passes through the firewall

Phase 1: Identity-Centric Security:

  • Deploy phishing-resistant MFA (FIDO2/WebAuthn) on all systems
  • Implement Conditional Access policies (device health, location, behavior)
  • EDR on all endpoints (catch infostealer malware before it reaches firewalls)
  • Privileged Access Management (PAM) for administrative accounts

Phase 2: Network Microsegmentation:

  • Firewalls should NOT be trust boundary
  • Internal segmentation between departments/functions
  • Least privilege network access (users/applications get ONLY what they need)
  • East-west traffic monitoring (not just north-south)

Phase 3: Continuous Monitoring:

  • SIEM integration for all firewall logs (external storage)
  • User and Entity Behavior Analytics (UEBA) to detect credential misuse
  • Network Detection and Response (NDR) for lateral movement
  • Threat hunting focused on firewall-originated traffic

2. Third-Party Risk Management Overhaul:

New Vendor Onboarding Requirements:

  • Detailed firewall inventory (vendor, model, firmware, patch cadence)
  • Evidence of CISA KEV compliance (automated alerts + manual verification)
  • Quarterly attestation of firewall patching
  • Right to audit firewall configurations
  • Incident response plan including firewall compromise scenarios

Existing Vendor Reassessment:

  • All vendors must provide firewall documentation within 60 days
  • Non-compliant vendors moved to “isolated access” network segment
  • Vendors refusing documentation have access suspended
  • Contract renegotiations to include firewall-specific SLAs

3. Incident Response Tabletop Exercise:

Scenario: “Assume Cisco/Fortinet/SonicWall/Check Point firewall compromised 30 days ago. You discover today. What do you do?”

Exercise Questions:

  1. How do we detect compromise retroactively?
  2. What data could have been exfiltrated?
  3. Which systems could attackers have accessed?
  4. What is our legal/regulatory notification timeline?
  5. How do we communicate with customers/partners?
  6. What is our relationship with firewall vendor during incident?
  7. Do we have clean backups (isolated from firewall network access)?
  8. Can we operate without firewall for 48-72 hours during investigation?

4. Insurance and Legal Review:

Questions for Cyber Insurance Broker:

  • Does our policy explicitly cover firewall-related breaches?
  • Are there exclusions for “unpatched known vulnerabilities”?
  • What is our notification timeline to maintain coverage?
  • Do we have coverage for third-party breaches (Marquis scenario)?
  • What is our coverage limit vs realistic breach cost?

Questions for Legal Counsel:

  • What are our breach notification requirements by state/country?
  • If compromised via third-party vendor, who is liable?
  • What is our regulatory exposure (HIPAA/PCI-DSS/etc) for delayed patching?
  • Should we proactively report firewall vulnerabilities to regulators?

Long-Term Actions (90-365 Days)

1. Architectural Redesign: Beyond the Perimeter:

The New Model:

Traditional: Internet → Firewall → Internal Network (single point of failure)

Modern: Internet → Cloud Access Security Broker (CASB) → Zero Trust Network Access (ZTNA) → Microsegmented Applications

Components:

Cloud Access Security Broker (CASB):

  • All internet traffic routes through cloud-based security
  • Not dependent on single vendor appliance
  • Scales automatically (no hardware bottlenecks)
  • Updates managed by provider (no delayed patching)

Zero Trust Network Access (ZTNA):

  • Replace VPNs with identity-based access
  • Users authenticate to applications, not network
  • No lateral movement (users can’t see other systems)
  • Vendors: Zscaler, Cloudflare Access, Palo Alto Prisma Access

Software-Defined Perimeter (SDP):

  • Applications invisible until user authenticates
  • No open ports exposed to internet
  • Firewall becomes one layer, not the only layer
  • Vendors: Appgate, Perimeter 81, Twingate

2. Vendor Diversification Strategy:

The Risk: All eggs in one basket (single firewall vendor = single point of failure)

Diversification Approach:

Tier 1 (Internet Edge):

  • Cloud-based firewall (not appliance): Cloudflare Magic Firewall, Zscaler, Netskope
  • No single appliance to compromise
  • Automatic updates (no 17-day delays like Fortinet CVE-2025-64446)

Tier 2 (Data Center/Internal):

  • Different vendor from Tier 1: If Tier 1 is Cloudflare, use Palo Alto internally
  • Reduces risk of single vulnerability affecting all layers
  • Vendor breach doesn’t expose entire architecture

Tier 3 (Microsegmentation):

  • Host-based firewalls + network segmentation appliances
  • Illumio, Guardicore, VMware NSX for microsegmentation
  • Each segment isolated from others

3. Continuous Vulnerability Management Program:

CISA KEV Automation:

  • Automated alerts when new CVEs added to CISA KEV (RSS feed, API integration)
  • Asset inventory integration: Automatically identify affected systems
  • Patching SLAs: 72 hours for Critical, 7 days for High (beat CISA’s 15-day requirement)
  • Executive escalation: If patching delayed beyond 48 hours, automatic CISO notification
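As an added example (not code from the article), the matching and SLA logic behind these four bullets, and behind the "compare firmware versions against CISA KEV catalog" item in the checklist at the end of this guide: a firewall inventory is compared against a snapshot of KEV entries, each affected host gets a deadline from the 72-hour and 7-day targets above, and anything still open after 48 hours is flagged for CISO escalation. The CVE ids, vendor and product names, versions and hosts are constructed placeholders. The real KEV JSON feed carries cveID, vendorProject, product and dateAdded but no affected-version data, so the fixedVersion and severity fields, and the rule "affected if running below the fixed version", are this example's assumptions; in production that check has to come from the vendor advisory, which usually lists a fixed release per branch.

```python
"""Added example, not code from the article: match a firewall inventory
against a CISA KEV snapshot and track the patching SLA for each exposure.

All entries below are CONSTRUCTED placeholders (CVE ids, vendors, products,
hosts, versions). The real KEV JSON feed has cveID, vendorProject, product
and dateAdded but carries no version data, so "fixedVersion" and "severity"
are assumptions added for the example, as is the rule "affected if running
below the fixed version".
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

# SLA targets from the article: 72 hours for Critical, 7 days for High,
# and CISO escalation when an exposure is still open after 48 hours.
SLA_HOURS = {"Critical": 72, "High": 7 * 24}
ESCALATE_AFTER_HOURS = 48

# Constructed KEV-style snapshot (placeholder CVE ids, not real entries).
KEV_SNAPSHOT = [
    {"cveID": "CVE-0000-0001", "vendorProject": "ExampleVendor", "product": "EdgeFW",
     "dateAdded": "2025-01-10", "fixedVersion": "7.2.8", "severity": "Critical"},
    {"cveID": "CVE-0000-0002", "vendorProject": "ExampleVendor", "product": "EdgeFW",
     "dateAdded": "2025-01-12", "fixedVersion": "7.4.3", "severity": "High"},
    {"cveID": "CVE-0000-0003", "vendorProject": "OtherVendor", "product": "CoreGW",
     "dateAdded": "2025-01-11", "fixedVersion": "10.1.0", "severity": "Critical"},
]

# Constructed asset inventory: what an automated discovery export might hold.
ASSETS = [
    {"host": "fw-edge-01", "vendor": "ExampleVendor", "product": "EdgeFW", "version": "7.2.5"},
    {"host": "fw-edge-02", "vendor": "ExampleVendor", "product": "EdgeFW", "version": "7.4.3"},
    {"host": "fw-dc-01", "vendor": "OtherVendor", "product": "CoreGW", "version": "10.0.9"},
]


def parse_version(v: str) -> tuple:
    """'7.2.8' -> (7, 2, 8); numeric tuples compare releases correctly."""
    return tuple(int(p) for p in v.split("."))


@dataclass
class Exposure:
    host: str
    cve: str
    severity: str
    added: datetime      # when CISA added the CVE to KEV
    deadline: datetime   # added + our SLA

    def state(self, now: datetime) -> str:
        """SLA state of an exposure that is still unpatched at `now`."""
        if now > self.deadline:
            return "SLA_BREACHED"
        if now - self.added > timedelta(hours=ESCALATE_AFTER_HOURS):
            return "ESCALATE_TO_CISO"
        return "WITHIN_SLA"


def find_exposures(assets, kev_entries):
    """Every (host, CVE) pair where the host runs an affected vendor/product
    at a version below the fixed release."""
    out = []
    for entry in kev_entries:
        added = datetime.fromisoformat(entry["dateAdded"])
        deadline = added + timedelta(hours=SLA_HOURS[entry["severity"]])
        for asset in assets:
            if (asset["vendor"], asset["product"]) != (entry["vendorProject"], entry["product"]):
                continue
            if parse_version(asset["version"]) < parse_version(entry["fixedVersion"]):
                out.append(Exposure(asset["host"], entry["cveID"], entry["severity"], added, deadline))
    return out


def sla_report(assets, kev_entries, now):
    """Map (host, cve) -> SLA state; this is what the alerting job would emit."""
    return {(x.host, x.cve): x.state(now) for x in find_exposures(assets, kev_entries)}


if __name__ == "__main__":
    when = datetime(2025, 1, 13, 12, 0)
    for (host, cve), state in sorted(sla_report(ASSETS, KEV_SNAPSHOT, when).items()):
        print(f"{host:12} {cve:15} {state}")
```

Evaluated at noon on 13 January in the constructed data, fw-edge-01 has already blown the 72-hour Critical SLA on the first CVE while its High exposure is still inside the 7-day window, and fw-dc-01 is past the 48-hour mark and goes to the CISO. A scheduled job that pulls the live feed, re-runs this comparison and only emits the changes is the whole of the "automated alerts" bullet; the hard part in practice is keeping the inventory's vendor, product and version fields accurate, which is why the checklist at the end pairs the KEV comparison with an inventory audit.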

Vulnerability Intelligence:

  • Subscribe to vendor security advisories (Fortinet, Cisco, SonicWall, Check Point)
  • Monitor exploit databases (ExploitDB, GitHub, BreachForums)
  • Threat intelligence feeds: Know when PoC published (24-hour exploitation window)
  • Security researcher Twitter/Mastodon (often first to report)

Patch Testing Process:

  • Lab environment mirroring production (test patches before deployment)
  • Rollback plan for every patch (assume something will break)
  • Communication plan: Notify users of maintenance windows
  • Emergency patching procedures: Bypass normal change control for CISA KEV

4. Security Awareness: The Identity Layer:

The Reality: 60% of breaches involve valid credentials, not exploits (Cisco Talos data)

Employee Training Focus:

Infostealer Malware:

  • 84% increase in 2024 (RedLine, Vidar, Raccoon)
  • Steals credentials from browsers, password managers, MFA tokens
  • Employees must understand: “Your home computer compromise = our network breach”

MFA Fatigue Attacks:

  • Attackers spam MFA prompts until user approves
  • 70%+ success rate against traditional MFA
  • Train employees: “Never approve MFA you didn’t initiate”

Phishing-Resistant MFA:

  • FIDO2/WebAuthn (hardware keys: YubiKey, Titan Security Key)
  • Can’t be phished (cryptographic challenge-response)
  • Mandate for all privileged access users

Password Managers:

  • Eliminate password reuse (infostealer on home PC shouldn’t expose work credentials)
  • Enforce unique passwords per service
  • Vendors: 1Password, Bitwarden, LastPass (with caveats post-breach)

5. Board-Level Reporting and Governance:

Quarterly Board Metrics:

Firewall Risk Dashboard:

  • Number of internet-facing firewalls
  • Number of unpatched CISA KEV CVEs
  • Average time to patch (vs 15-day CISA requirement)
  • Third-party vendors with unverified firewall status
  • Incident response exercises conducted
  • Budget allocated vs spent on firewall security

Risk Trend Analysis:

  • Quarter-over-quarter change in firewall vulnerability exposure
  • Industry peer comparison (are we better/worse than competitors?)
  • Ransomware attack cost projections (based on current vulnerabilities)

Red/Yellow/Green Status:

  • Green: All CISA KEV patched within 72 hours, Zero Trust implemented, third-party compliance verified
  • Yellow: Patching within 7 days, Zero Trust in progress, third-party compliance partial
  • Red: Patching beyond 15 days, no Zero Trust roadmap, third-party compliance unknown

Board Questions to Anticipate:

  1. “If we’re breached tomorrow via firewall, what’s our exposure?”
  2. “Why can’t we patch faster than CISA’s 15-day requirement?”
  3. “What percentage of our risk is from third-party vendors we can’t control?”
  4. “Are we better/worse than our competitors at firewall security?”
  5. “What would it cost to eliminate firewalls entirely and move to Zero Trust?”

Part 6: The Uncomfortable Questions CISOs Must Ask

For Your Own Organization

Infrastructure Questions:

  1. Can you name every internet-facing firewall in your organization right now? (Vendor, model, firmware, location)
  2. When was the last time you verified CISA KEV compliance? (Not “we patch regularly”—actual CVE-by-CVE verification)
  3. If your firewall vendor released a zero-day disclosure today, could you patch within 24 hours? (Not “we have a process”—actual capability)
  4. Do you know which internal systems your firewall can access? (Can it reach Active Directory? Financial databases? Patient records?)
  5. If your firewall was compromised 90 days ago, would you know? (Do you have 90 days of firewall logs stored externally?)

Third-Party Risk Questions:

  6. Can you list every third-party vendor with VPN access to your network? (Not just “major vendors”—every single one)
  7. Have you verified their firewall patching status in the last 30 days? (Email attestation isn’t verification—have you seen their configs?)
  8. If a third-party vendor is breached via their firewall, do you have legal right to suspend their access immediately? (Check your contracts)
  9. Would your cyber insurance cover a Marquis-style third-party breach? (788,000 individuals compromised via vendor’s SonicWall)

Incident Response Questions:

  10. If Akira ransomware encrypted your network via Cisco VPN tonight, could you restore operations within 48 hours? (Without paying ransom)
  11. Do you have clean backups isolated from firewall network access? (If firewall compromised, can attackers reach backups?)
  12. Have you practiced incident response for firewall-originated breach? (Not generic “ransomware tabletop”—specific firewall scenario)

For Your Firewall Vendor

Technical Questions:

  13. How many of your products are on CISA’s Known Exploited Vulnerabilities list? (Fortinet: 20, SonicWall: 14, Cisco: 12+, Check Point: 2 major incidents)
  14. What is your average time from vulnerability discovery to public disclosure? (Fortinet CVE-2025-64446: 17 days—how long did attackers have head start?)
  15. Have YOU been breached via your own products? (Check Point: twice in 9 months)
  16. Can your firmware updates remove nation-state implants? (Cisco Line Runner: No—device replacement required)

Business Questions:

  17. What financial liability do you accept if we’re breached via your unpatched vulnerability? (Read your contract—probably zero)
  18. How many of your customers were affected by [specific CVE]? (Vendors rarely disclose—why not?)
  19. What is your process for notifying customers of active exploitation before public disclosure? (Many vendors only notify after PoC published)

For Your Board/Executive Team

Strategic Questions:

  20. Are we treating firewall vulnerabilities as an existential risk or IT maintenance? (KNP Logistics: 158-year-old company destroyed)
  21. What is our risk tolerance for third-party vendor firewall vulnerabilities we can’t control? (Marquis: one vendor breach = 650+ institutions compromised)
  22. Are we willing to pay ransomware to avoid business disruption? (Median payment: $1M—have we allocated budget for “do not pay” stance?)
  23. If we’re breached via firewall, what is our timeline to notify regulators/customers/media? (Have we practiced this?)
  24. Are we investing in Zero Trust architecture or just patching our way through crisis? (Patching alone hasn’t worked for 5 years—when do we change strategy?)

For Your Cyber Insurance Provider

Coverage Questions:

  25. Does our policy explicitly exclude breaches from “known unpatched vulnerabilities”? (If you delay patching CISA KEV, are you still covered?)
  26. What is our coverage limit vs realistic breach cost? (Median ransom $1M, but total breach cost averages $4.88M per IBM—is $5M policy enough?)
  27. Are third-party vendor breaches covered? (Marquis scenario: vendor breached, your customers affected—who pays?)
  28. What documentation do we need to provide to prove “reasonable security” post-breach? (Firewall patching logs? Third-party attestations?)


Part 7: The Path Forward—A CISO’s Manifesto

The Hard Truth

The network perimeter is dead.

Not because of cloud adoption. Not because of remote work. Not because of zero-day vulnerabilities.

The network perimeter is dead because the vendors we trusted to defend it cannot secure their own products.

  • Fortinet: 20 CISA KEV CVEs, 17-day delayed disclosure
  • Cisco: $244M in ransomware, nation-state implants surviving firmware updates
  • SonicWall: 14 CISA KEV CVEs, third-party risk multiplier
  • Check Point: Zero-day + vendor breach within 9 months

This isn’t a patching problem. This is an architectural failure.

The New Reality

Assumptions We Must Accept:

  1. Firewalls will be compromised—not “might be,” but “will be” and “already are”
  2. Vendor patches will be delayed—not because of negligence, but because disclosure incentives are misaligned
  3. Third-party vendors will have vulnerabilities—you can’t control their security, only your exposure to it
  4. Nation-states have multi-year persistence—Line Runner survives firmware updates; assume they’re already inside
  5. Ransomware is profitable enough to fund professional operations—$244M for Akira alone funds sophisticated reconnaissance

Therefore:

Firewalls must become one layer in defense-in-depth, not the only layer.

The Five Principles of Post-Perimeter Security

1. Identity Is the New Perimeter:

  • Verify every user, every device, every time
  • Phishing-resistant MFA (FIDO2/WebAuthn) is non-negotiable
  • Conditional Access based on device health, location, behavior
  • No implicit trust—even after authentication

2. Zero Trust Is Not a Product, It’s an Architecture:

  • Microsegmentation between departments/functions
  • Least privilege network access (users get ONLY what they need)
  • Continuous verification (not “authenticate once, trust forever”)
  • Assume breach—limit lateral movement

3. Visibility Beats Prevention:

  • You can’t prevent every compromise (firewall vendors prove this)
  • But you CAN detect compromise quickly and respond effectively
  • SIEM, UEBA, NDR, EDR—layered detection, not single point of failure
  • Hunt for indicators of compromise, don’t wait for alerts

4. Third-Party Risk Is Your Risk:

  • Your vendors’ firewall vulnerabilities are YOUR vulnerabilities
  • Contractual requirements aren’t enough—verify compliance
  • Network segmentation limits third-party lateral movement
  • Incident response plans must include third-party compromise scenarios

5. Patching Is Necessary But Insufficient:

  • Patch within 72 hours of CISA KEV (beat the 15-day requirement)
  • But don’t assume patching solves the problem
  • Nation-states had 5-month head start (ArcaneDoor)
  • Ransomware groups exploit within 24 hours of PoC
  • Architecture must assume compromise despite patching

The Action Plan: From Theory to Practice

Phase 1 (0-30 Days): Stop the Bleeding:

  • Audit all firewalls against CISA KEV
  • Patch or mitigate every unpatched CVE
  • Rotate all administrative credentials
  • Disable remote administration (use jump boxes)
  • Third-party vendor outreach for firewall status

Phase 2 (30-90 Days): Build the Foundation:

  • Implement phishing-resistant MFA everywhere
  • Deploy EDR on all endpoints (catch infostealers)
  • Network microsegmentation (limit firewall lateral movement)
  • Third-party vendor contract renegotiations (firewall SLAs)
  • Incident response tabletop (assume firewall compromise)

Phase 3 (90-180 Days): Architectural Transformation:

  • Zero Trust Network Access (replace VPNs)
  • Cloud Access Security Broker (move security to cloud)
  • Software-Defined Perimeter (make applications invisible)
  • Vendor diversification (Tier 1 ≠ Tier 2 ≠ Tier 3)
  • Continuous vulnerability management automation

Phase 4 (180-365 Days): Operational Excellence:

  • SIEM/UEBA/NDR integration (detection-focused operations)
  • Threat hunting program (proactive compromise detection)
  • Purple team exercises (test detection capabilities)
  • Board-level governance and reporting
  • Industry collaboration (share threat intelligence)

The Final Message for CISOs

You didn’t create this crisis.

Firewall vendors built products with systemic vulnerabilities. Ransomware groups built profitable businesses exploiting those vulnerabilities. Nation-states built persistent backdoors surviving vendor patches.

But you’re responsible for responding to this crisis.

Your board will ask: “Why didn’t we know?” Your customers will ask: “How did this happen?” Your regulators will ask: “What took so long?”

The answer cannot be: “We trusted our firewall vendor.”

Not anymore. Not after:

  • 20 CISA KEV CVEs (Fortinet)
  • $244 million in ransoms (Akira/Cisco)
  • 788,000 victims (Marquis/SonicWall)
  • 5-month nation-state persistence (ArcaneDoor/Cisco)
  • Vendor breached twice (Check Point)

The path forward is clear:

  1. Admit the perimeter model failed
  2. Implement Zero Trust architecture
  3. Assume compromise and build detection
  4. Verify third-party vendor security (don’t trust)
  5. Report honestly to boards about risk

This is hard. It requires budget, executive buy-in, organizational change, vendor confrontation.

But the alternative is harder: Explaining to your board why you’re the next KNP Logistics (destroyed), the next Marquis Software (788K victims), the next Synnovis NHS (10,000+ appointments canceled).

The firewall crisis is a wake-up call.

The question is: Will you answer it?


Additional Resources

Immediate Action Items Checklist

Audit Phase (Day 1-7):

  • Inventory all internet-facing firewalls (vendor, model, firmware, IP)
  • Compare firmware versions against CISA KEV catalog
  • Identify unpatched CVEs (critical/high severity)
  • Review administrative access logs (last 90 days if available)
  • Document third-party vendor VPN/firewall access

Mitigation Phase (Day 7-14):

  • Patch all CISA KEV vulnerabilities (or implement compensating controls)
  • Disable remote administration (implement jump box access)
  • Rotate ALL administrative credentials (even if no evidence of compromise)
  • Enable detailed logging (forward to external SIEM)
  • Implement emergency network segmentation (isolate firewalls from critical assets)

Verification Phase (Day 14-30):

  • Third-party vendor outreach (firewall status verification)
  • Board/executive briefing (risk assessment, budget request)
  • Cyber insurance review (coverage verification)
  • Incident response tabletop exercise (firewall compromise scenario)
  • Legal/compliance review (notification requirements)

Transformation Phase (Day 30-365):

  • Zero Trust architecture roadmap (ZTNA, CASB, SDP)
  • Phishing-resistant MFA deployment (FIDO2/WebAuthn)
  • EDR rollout (infostealer detection)
  • Vendor diversification strategy (multi-tier security)
  • Continuous vulnerability management automation (CISA KEV alerts)

About This Analysis

This comprehensive guide synthesizes findings from four in-depth investigations into firewall vendor vulnerabilities published on Breached.Company:

  1. Marquis Software/SonicWall Breach: 788,000 victims, third-party risk analysis
  2. Fortinet Healthcare Crisis: 20 CISA KEV CVEs, Qilin ransomware targeting
  3. Cisco Under Siege: Akira’s $244M campaign, ArcaneDoor nation-state activity
  4. Check Point Paradox: Security vendor breached twice in 9 months

Data Sources: CISA KEV Catalog, FBI IC3 Reports, vendor security advisories, security researcher disclosures, threat intelligence feeds, breach notification filings, ransomware group leak sites.

Last Updated: December 11, 2025

Disclaimer: This analysis is for educational and risk management purposes. All vulnerability information is publicly available through CISA KEV catalog and vendor advisories. Organizations should consult with qualified cybersecurity professionals before implementing any recommendations.


The network perimeter is dead. Long live Zero Trust.
