Coordinated Cyberattacks Exploit Unpatched Enterprise Network Vulnerabilities


A significant rise in cyberattacks has been observed, targeting enterprise network appliances and remote access tools, putting global organizations on heightened alert. On March 28, 2025, GreyNoise, a cybersecurity firm, reported a staggering 300 percent increase in malicious activities aimed at critical infrastructure such as SonicWall firewalls, Zoho ManageEngine platforms, F5 BIG-IP systems, and Ivanti Connect Secure VPNs. The spike in attacks underscores a coordinated campaign by threat actors exploiting both older vulnerabilities and newly disclosed flaws in these widely implemented technologies. This combination of outdated and new threats highlights the systematic and sophisticated approach cybercriminals are employing to attack unpatched systems.

Rising Threats from Unpatched Vulnerabilities

The most alarming aspect of these recent attacks is the exploitation of unpatched vulnerabilities, which reflects the delayed patching cycles present in many organizations. Threat actors are leveraging a mix of older Common Vulnerabilities and Exposures (CVEs) and newly disclosed flaws, revealing a methodical and sophisticated approach. This underscores the critical need for timely patching and vigilant security practices, as attackers exploit these unaddressed weaknesses to compromise enterprise networks.

Further compounding the issue is the complexity involved in maintaining and updating hybrid cloud infrastructures. Despite patches being released, the intricate nature of hybrid environments often leads to a lag in applying these crucial updates. This delay provides threat actors with an ample window to capitalize on vulnerabilities, leading to breaches and disruptions. The integration of different systems and technologies in hybrid environments poses unique challenges in ensuring that all components are adequately protected and promptly updated.

Targeted Systems and Exploitation Patterns

Ivanti Connect Secure VPNs have become a prime target, with attackers focusing on three critical vulnerabilities: CVE-2025-22467, CVE-2024-10644, and CVE-2024-38657. These specific flaws enable attackers to manipulate system files and execute malicious commands. Although patches were released in the first quarter of 2025, numerous organizations remain exposed due to the complexities associated with updating hybrid cloud infrastructures. Attackers have taken advantage of these delays, injecting payloads into Ivanti’s XML-based API endpoints while disguising malicious traffic as legitimate to avoid detection.

Similarly, SonicWall SSL VPNs face exploitation due to CVE-2024-53704, an authentication bypass flaw in SonicOS SSL VPNs patched in January 2025. By exploiting this vulnerability, attackers can hijack active VPN sessions and steal credentials. The escalation in exploit attempts aligns with the dark web leaks of SonicWall configuration templates specifically designed for ransomware deployment. This surge reflects the larger, coordinated efforts by threat actors to capitalize on unpatched vulnerabilities, emphasizing the importance of timely security updates and robust defenses.

Emerging Threats in Zoho ManageEngine and F5 BIG-IP

Zoho ManageEngine has also been targeted through CVE-2024-10640, a deserialization vulnerability in the REST API connector. Attackers exploit this flaw by crafting malicious serialized objects to gain root access, leading to attacks that deploy cryptominers and Cobalt Strike beacons. During a brief 72-hour window, GreyNoise logged thousands of exploitation attempts against vulnerable instances. Enterprises struggled to implement the necessary hotfixes released on March 25, leaving them vulnerable to swift exploitation. This rapid succession of attack and patch release underscores the critical need for prompt and effective mitigation strategies.

In addition, F5 BIG-IP appliances face threats from CVE-2025-19872, a server-side request forgery (SSRF) flaw in the iControl REST interface. Attackers exploited misconfigured HTTP endpoints to bypass network restrictions and potentially access sensitive resources such as Kubernetes clusters or cloud metadata. Despite F5 issuing a patch on March 18, the need for manual intervention delayed mitigation efforts for many users, further exposing them to risks. This vulnerability highlights the importance of ensuring proper configurations and timely patch applications to maintain robust security postures.

Multi-Phase Strategy of the Campaign

The multi-phase strategy utilized by attackers in this campaign is noteworthy for its complexity and effectiveness. The initial phase involves reconnaissance, where automated scanners identify unpatched systems by profiling SSL/TLS handshake patterns. Attackers then escalate privileges by chaining CVEs, such as combining Ivanti’s CVE-2024-38657 (file write) with CVE-2025-22467 (buffer overflow) to overwrite system binaries. This systematic approach allows attackers to gain deeper access and control over targeted systems, highlighting the sophisticated nature of their strategies.

Persistence is maintained through hijacked VPN tunnels and API keys, enabling lateral movement within compromised networks. Attackers establish SOCKS5 proxies using compromised credentials, facilitating further internal reconnaissance and exploitation. Additionally, SSRF exploits on F5 appliances are used to harvest AWS IAM credentials, further emphasizing the campaign’s sophistication. This multi-layered attack strategy underscores the need for comprehensive security measures and proactive threat detection protocols to combat such persistent and advanced threats.
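The SSRF path described in the two preceding sections, an appliance's REST interface being coaxed into fetching cloud metadata and thereby exposing AWS IAM credentials, is what an egress check in front of such an interface has to catch. The following is an added example, not code from the article or from F5: it normalizes the many ways the link-local metadata address can be written so a blocklist is not sidestepped by re-encoding 169.254.169.254; the hostname set and the sample URLs are assumptions, constructed for illustration.

```python
# Added example (not from the article or F5): the URL check an egress filter in
# front of an appliance's REST interface could apply before fetching a URL.
import ipaddress
from urllib.parse import urlsplit

# Well-known metadata hostnames (assumption: illustrative, not exhaustive).
METADATA_HOSTS = {"metadata.google.internal", "metadata", "instance-data"}
AWS_IMDS_V6 = ipaddress.IPv6Address("fd00:ec2::254")

def host_to_ip(host: str):
    """Dotted, decimal, hex, leading-zero octal, IPv6 or v4-mapped v6 host -> address; None for names."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        try:
            # Bare integer forms: 2852039166, 0xa9fea9fe, 025177524776
            base = 8 if host.startswith("0") and host.isdigit() else 0
            n = int(host, base)
        except ValueError:
            return None
        if not 0 <= n <= 0xFFFFFFFF:
            return None
        addr = ipaddress.IPv4Address(n)
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return addr

def targets_metadata_service(url: str) -> bool:
    """True when the URL's host is a metadata hostname, an IPv4 link-local address
    (169.254.0.0/16, used by AWS/Azure/GCP IMDS) or the AWS IPv6 IMDS address."""
    host = (urlsplit(url).hostname or "").lower()
    if not host:
        return False
    if host in METADATA_HOSTS:
        return True
    addr = host_to_ip(host)
    if addr is None:
        return False
    return (addr.version == 4 and addr.is_link_local) or addr == AWS_IMDS_V6

# Constructed sample of caller-supplied URLs an appliance was asked to fetch.
SAMPLE_URLS = [
    "https://api.example.com/health",
    "http://169.254.169.254/latest/meta-data/iam/security-credentials/",
    "http://0xa9fea9fe/latest/meta-data/",
    "http://[::ffff:169.254.169.254]/",
]

def flag_requests(urls):  # URLs that should be blocked and alerted on
    return [u for u in urls if targets_metadata_service(u)]
```

The check deliberately operates on the parsed host, so a userinfo trick such as `169.254.169.254@api.example.com` is judged by the real host; dotted forms with octal octets and DNS names that later resolve to link-local space still require resolution-time checks.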

Mitigation Strategies for Enterprises

As noted above, GreyNoise reported on March 28, 2025 a 300 percent increase in malicious activity directed at SonicWall firewalls, Zoho ManageEngine platforms, F5 BIG-IP systems, and Ivanti Connect Secure VPNs, driven by a coordinated campaign that exploits both older vulnerabilities and newly disclosed flaws in these widely used technologies. This pattern of exploitation underscores the urgent need for organizations to bolster their security measures and patch vulnerabilities promptly to defend against evolving threats that endanger critical infrastructure and sensitive data on a global scale.
