Fraud Alert: Firewalls, Routers and VPNs under Attack
In the ever-evolving landscape of cybercrime, edge devices such as firewalls, routers, and virtual private networks (VPNs), once considered the frontline defenders of networks, are increasingly becoming points of vulnerability. Cybercriminals are now exploiting misconfigurations, unpatched firmware and weak credentials to gain access to internal systems, placing individuals and organisations at growing risk. Compared with large organisations that have ample resources, small and medium businesses (SMBs) are the most vulnerable to this new wave of attacks on edge devices.
 
Edge devices sit at the perimeter of a network, managing and securing the flow of data between internal systems and the wider internet. However, this privileged position also makes them an attractive target for attackers. 
 
According to Sophos' 2025 Annual Threat Report 'Cybercrime on Main Street', compromised network edge devices were responsible for nearly 30% of all initial intrusions into business systems. This figure could be significantly higher, especially as attackers become more adept at concealing their entry points.
 
"Over the past several years, attackers have aggressively targeted edge devices," says Sean Gallagher, principal threat researcher at Sophos. "Compounding the issue is the increasing number of end-of-life (EOL) devices found in the wild - a problem Sophos calls digital detritus. Because these devices are exposed to the internet and often low on the patching priority list, they are a highly effective method for infiltrating networks."
 
The report found that VPNs were the most frequent compromise point, accounting for over 25% of all incidents and 25% of ransomware and data exfiltration events. "Attackers don't have to deploy custom malware anymore," Mr Gallagher explained. "Instead, they can exploit businesses' own systems, increasing their agility and hiding in the places security leaders are not looking."
 
According to Sophos, ransomware is still the biggest threat, accounting for over 90% of incident response cases involving midsized organisations and 70% of cases involving small businesses. Attackers are bypassing multi-factor authentication (MFA) through adversary-in-the-middle authentication token capture, using phishing platforms to mimic the authentication process and steal credentials.
 
"The most frequently abused legitimate, trusted tools were commercial remote access tools, involved in 34% of incident response and managed detection and response cases. Attackers are turning to the abuse of QR codes (quishing) and phone messages (vishing) to compromise businesses, as well as email bombing - sending thousands of spam emails in as little as one or two hours," the report says.
 
Let's first understand how cybercriminals exploit edge devices like firewalls, routers and VPNs.
 
Unlike traditional phishing or malware campaigns that target users, edge device compromises can allow cybercriminals to bypass user-facing protections entirely. Once inside the network, they can move laterally, steal sensitive data, deploy ransomware, or establish persistent access.
 
For example, the Indian Computer Emergency Response Team (CERT-In) regularly shares information about vulnerabilities in communication devices and apps. In one such alert on Thursday, CERT-In pointed out a vulnerability in the web-based management interface of Cisco Secure Network Analytics that could allow an authenticated, remote attacker with valid administrative credentials to execute arbitrary commands as root on the underlying operating system. The remedy is to apply the appropriate updates from the Cisco website.
 
Many users and organisations, especially SMBs, neglect regular firmware updates for routers and firewalls, leaving known vulnerabilities exposed. Cybercriminals often scan the internet for such outdated systems to exploit them remotely.
 
As hybrid and remote work models expand, VPN usage has surged, often without robust monitoring or proper segmentation, giving attackers more opportunities to sneak through. 
 
Another issue with edge devices is that many users continue to use default or weak credentials. Such devices that are still running on factory-default usernames and passwords are an open invitation for brute-force or credential-stuffing attacks.
 
Further, poorly configured firewalls or VPNs may unintentionally expose management ports or services to the public internet, allowing cybercriminals to gain control remotely.
 
More sophisticated or skilled cybercriminals can also leverage previously unknown (zero-day) vulnerabilities in edge devices. Such flaws are often exploited before a patch is made available or widely applied. SMBs, typically short on resources, may apply the patch late or never update the firmware of their edge devices at all.
 
This brings us to the most crucial question: how to protect your network from these vulnerabilities? While the risks of attack on edge devices are serious, here are a few steps to fortify your defences.
 
Keep Firmware Updated
Regularly check for updates from device manufacturers and apply them promptly. Subscribe to security advisories, like CERT-In, to stay informed about newly discovered vulnerabilities.
 
Change Default Credentials Immediately 
Always replace default usernames and passwords with strong, unique credentials. Enable account lockout mechanisms to defend against brute-force attempts.
 
Segment and Restrict Access
Isolate critical systems using network segmentation. Avoid exposing management interfaces to the internet—use VPNs or secure tunnelling protocols instead.
 
Use Passkeys
Migrate from passwords to passkeys for account credentials. Passkeys are stored digital keys assigned to specific devices and can’t be intercepted by adversary-in-the-middle phishing kits. Passkeys eliminate the need for a user to remember or type a password. Instead, they use a pair of cryptographic keys, including a public key stored on the website or app you are logging into and a private key stored securely on your device, such as your phone, tablet or laptop.
 
Use Multifactor Authentication (MFA)
Enforce MFA for all remote access, including VPN logins and admin dashboards. This adds an additional layer of protection even if credentials are compromised.
 
The two steps below are primarily for SMBs, but an individual can also follow them with help from an expert.
 
Monitor and Log Activity 
Implement logging and monitoring systems to detect unusual behaviour, such as failed login attempts, sudden changes in configuration or unexpected data transfers.
 
Audit Device Configuration 
Periodically review settings to ensure that no unnecessary ports or services are left open and that firewalls are enforcing the intended rules.
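As an added example (not from the article or from Sophos), the Python code below shows the kind of detection the two steps above describe: it scans constructed VPN/firewall syslog lines for bursts of failed logins from a single source and then for configuration changes made from a source already flagged. The log format, field names and thresholds are assumptions, since real appliances use vendor-specific formats.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in a generic "<timestamp> <facility>: <message>" form
# (an assumption: real appliances emit vendor-specific syslog formats).
SAMPLE_LOG = """\
2025-05-01T09:00:01 vpn: login failed user=admin src=203.0.113.7
2025-05-01T09:00:02 vpn: login failed user=admin src=203.0.113.7
2025-05-01T09:00:03 vpn: login failed user=root src=203.0.113.7
2025-05-01T09:00:04 vpn: login failed user=backup src=203.0.113.7
2025-05-01T09:00:05 vpn: login failed user=guest src=203.0.113.7
2025-05-01T09:05:00 vpn: login ok user=alice src=198.51.100.20
2025-05-01T09:07:30 fw: config changed by=admin src=203.0.113.7 object=policy/allow-all
2025-05-01T11:00:00 vpn: login failed user=bob src=198.51.100.21
"""
FAILED = re.compile(r"^(\S+) vpn: login failed user=(\S+) src=(\S+)$")
CONFIG = re.compile(r"^(\S+) fw: config changed by=(\S+) src=(\S+) object=(\S+)$")

def failed_login_bursts(log, threshold=5, window=timedelta(minutes=1)):
    """Source IP -> peak number of failed logins inside `window`, for sources reaching `threshold`."""
    events = defaultdict(list)
    for line in log.splitlines():
        m = FAILED.match(line)
        if m:
            events[m.group(3)].append(datetime.fromisoformat(m.group(1)))
    bursts = {}
    for src, times in events.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:  # slide the window forward
                start += 1
            if end - start + 1 >= threshold:
                bursts[src] = max(bursts.get(src, 0), end - start + 1)
    return bursts

def config_changes_from(log, sources):
    """Configuration changes made from any of the given source IPs (a change after a burst is a strong signal)."""
    hits = []
    for line in log.splitlines():
        m = CONFIG.match(line)
        if m and m.group(3) in sources:
            hits.append({"time": m.group(1), "user": m.group(2),
                         "src": m.group(3), "object": m.group(4)})
    return hits

def triage(log):
    """Combine both detections into one alert structure."""
    bursts = failed_login_bursts(log)
    return {"bursts": bursts, "config_changes": config_changes_from(log, bursts)}
```

On the sample, only 203.0.113.7 crosses the threshold, and the policy change it then makes is reported alongside the burst.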
 
According to Sophos, lifecycle management of all systems, including Internet routers, firewalls, VPN appliances, and Internet-facing applications and servers, is essential to deter a significant percentage of attacks. "Devices left in service without patches or after the end of their support by vendors can act as a beacon for access brokers and ransomware actors who perform wide network scans of the Internet for vulnerable systems to attack."
 
As the perimeter of the digital world expands, the devices once trusted to protect us are now high-value targets. Whether you are a home user managing a simple Wi-Fi router or an organisation relying on complex firewall systems, vigilance is no longer optional; it is essential. Keeping edge devices secure is not just a matter of good practice. It is a frontline defence in the modern cyberwar.
 
Stay Alert, Stay Safe!