The 2024–2025 CVE landscape for commercial network security appliances is characterised by three patterns.
First: WAN-facing management interfaces and deep packet inspection engines are the dominant exploit surface. Every firewall vendor analysed had at least one authentication bypass or remote code execution vulnerability in its management web interface or application-layer parsing engine that was confirmed exploited in the wild. These are not obscure edge cases — they are the primary features vendors advertise.
Second: exploitation velocity is accelerating. CVE-2025-59718 (Fortinet SSO bypass) was exploited within three days of disclosure; CVE-2025-0108 (Palo Alto auth bypass) was exploited within days of the February 2025 patch. The window between public disclosure and weaponised exploitation is now measured in hours for high-value targets.
Third: subscription dependency creates a structural failure mode. Multiple SonicWall incidents in this period targeted devices with MFA disabled on locally managed accounts — a configuration that persists after subscription lapse.
| Vendor / Platform | CISA KEV entries (all time) | Exploited CVEs 2024–25 | Highest CVSS | Zero-click / unauth RCE? |
|---|---|---|---|---|
| Palo Alto PAN-OS | Multiple | 4 confirmed | 10.0 | Yes — CVE-2024-3400 |
| SonicWall SonicOS | Highest of any SMB firewall vendor | 5+ confirmed | 9.8 | Yes — CVE-2025-23006 |
| WatchGuard Fireware | 2 (both Dec 2025) | 2 confirmed | 9.3 | Yes — CVE-2025-14733 |
| Fortinet FortiOS | 23 | 6+ confirmed | 10.0 | Yes — multiple |
| FreeBSD base | 0 | 0 confirmed | 10.0 (local only) | No |
| OpenBSD base | 0 | 0 confirmed | N/A to appliance | No — explicitly immune to regreSSHion |
The defining exhibit for the DPI attack surface argument: CVE-2024-3400 — a command injection vulnerability in the GlobalProtect application-layer parsing engine, assigned CVSS 10.0, exploited in the wild by state-sponsored actor UTA0218 (Operation MidnightEclipse) before a patch was available. Post-exploitation persistence techniques were subsequently published that survived factory reset and firmware upgrade on already-compromised devices.
CVE-2024-0012: authentication bypass in the PAN-OS management web interface. Unauthenticated attacker obtains administrator privileges. Exploited as zero-day; attributed to Operation Lunar Peek. Chained with CVE-2024-9474 for full compromise. CVE-2025-0108: exploitation observed within days of the February 2025 patch release.
SonicWall has accumulated more CISA KEV entries than any other SMB-targeted firewall vendor in this period. The subscription-lapse scenario is directly evidenced: CVE-2024-40766 was exploited by Akira ransomware affiliates on devices where MFA was disabled on locally managed SSLVPN accounts — precisely the configuration common in subscription-lapsed deployments.
Real-world impact: the Marquis Software Solutions breach in August 2025 — 74 US banks and credit unions, 400,000+ customers — was attributed to SonicWall firewall exploitation. The specific CVE was unconfirmed but the Akira ransomware playbook matches the CVE-2024-40766 pattern.
CVE-2025-14733: out-of-bounds write in the Fireware OS iked process. Unauthenticated RCE via specially crafted network traffic when IKEv2 VPN is configured. Approximately 125,000 exposed devices identified by Shadowserver scanning. WatchGuard's own advisory acknowledged the exploitation was "part of a wider attack campaign against edge networking equipment and exposed infrastructure from multiple vendors" — confirming coordinated targeting of the UTM attack surface class.
Fortinet has 23 entries in CISA's Known Exploited Vulnerabilities catalogue — the highest count of any security appliance vendor in this analysis. A particularly significant finding published by CISA in April 2025: threat actors exploited prior Fortinet vulnerabilities to plant malicious files in FortiGate devices that survived firmware updates and factory resets. Affected organisations were notified via telemetry; passive read-only access to device configurations had persisted undetected.
The post-exploitation persistence finding deserves particular weight: it demonstrates that patching a Fortinet device does not guarantee removal of an existing compromise. This is qualitatively different from the other vendors in this analysis.
The regreSSHion OpenSSH RCE (CVE-2024-6387), a genuine critical threat on glibc-based Linux systems, was not exploitable as RCE on FreeBSD: the Qualys advisory explicitly states that the RCE path requires glibc's async-signal-unsafe syslog() implementation.
OpenBSD is explicitly immune. The Qualys advisory states: "OpenBSD is notably not vulnerable, because its SIGALRM handler calls syslog_r(), an async-signal-safer version of syslog() that was invented by OpenBSD in 2001." The vulnerability existed because other operating systems failed to adopt OpenBSD's twenty-three-year-old defensive implementation.
A professional services firm with a SonicWall TZ370 or WatchGuard Firebox T45 at its network boundary, and a Synology or QNAP NAS on the LAN, has both its network perimeter and its backup data simultaneously exposed to the vulnerability classes documented above.
The network boundary device has a management interface that is an authenticated (or unauthenticated) RCE target. The NAS has a cloud relay feature (QuickConnect, myQNAPcloud) that provides direct internet accessibility to the device independent of what the firewall permits.
The Divergent Byte two-box stack — Transparent Firewall (OpenBSD) at the boundary, Secure Time Portal (FreeBSD, no cloud relay, no management web interface) on the LAN — eliminates both exposure classes.
Founder, Divergent Byte Ltd
divergentbyte.com
Islington, London · April 2026
CC BY 4.0
Sources: NVD/NIST · CISA KEV catalogue · Palo Alto PSIRT · SonicWall PSIRT · WatchGuard advisories · Fortinet PSIRT · Qualys regreSSHion advisory · Rapid7 · WatchTowr · Bishop Fox · Midnight Blue · Arctic Wolf · Shadowserver Foundation.