Cybersecurity researchers have reported a sharp increase in brute force login attempts targeting edge security devices. The Shadowserver Foundation, a threat monitoring group, identified the surge in attacks, which began in mid-to-late January, and linked it to a suspected botnet. According to the foundation, the attack campaign used more than 2.8 million source IP addresses per day at its peak.

The targeted devices included those from Palo Alto Networks, SonicWall, and Ivanti. Unlike routine reconnaissance scans, the attackers made repeated login attempts to compromise systems. More than 1.1 million of the attacking IP addresses originated from Brazil, with additional sources detected in the US, Canada, Turkey, Russia, Argentina, Morocco, and Mexico.

Vulnerabilities in edge devices

The attack highlighted security risks associated with edge devices, including firewalls, VPNs, and network gateways, which require internet exposure to function. “They also often run services (such as VPN) that must be exposed, and these are not immune to bugs and remote exploits,” wrote Gartner’s VP analyst Charlie Winckless in an email to Cybersecurity Dive. Attackers targeted weak authentication through credential stuffing, particularly on devices that lacked multi-factor authentication (MFA) and context-based security controls, even where those devices were fully patched.

The US Cybersecurity and Infrastructure Security Agency (CISA) monitored the attack and coordinated with cybersecurity partners to assess the threat. “CISA is engaged with Shadowserver and other relevant partners on edge device attack paths,” an agency spokesperson told Cybersecurity Dive. “If necessary, we will notify any at-risk entities and provide guidance in coordination with our partners.”

A critical vulnerability affecting SonicWall SMA 1000 series appliances, identified as CVE-2025-23006, was actively exploited during the attack. The flaw allowed attackers with internal access to take control of affected devices. The attackers leveraged the vulnerability as part of their broader effort to compromise edge security appliances. The attacks were carried out using compromised networking and Internet of Things (IoT) devices, including routers from MikroTik, Huawei, Cisco, Boa, and ZTE. Many of these devices had been hijacked by large-scale malware botnets.

Shadowserver’s analysis indicated that the attacking IP addresses were spread across multiple networks and autonomous systems, suggesting the involvement of a botnet or residential proxy network. Residential proxy networks played a role in obscuring the attack. According to BleepingComputer, these networks allow cybercriminals to route malicious activity through residential IP addresses, making it appear that the traffic originates from legitimate users. Compromised edge devices may have been used as proxy exit nodes, routing attack traffic through enterprise networks. Such methods make detection and mitigation more difficult for cybersecurity teams.
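The distinguishing signal Shadowserver describes, failed logins against the same accounts arriving from many unrelated source addresses and networks with only one or two attempts each, is exactly what a per-IP lockout or rate limit does not see. The following added example (written for this article, not Shadowserver's or any vendor's code) shows how a defender can aggregate authentication failures per account instead of per source and separate a distributed, botnet-style pattern from an ordinary single-source brute force. The syslog-like log format, the field names `user=`, `src=` and `result=`, the /24-prefix count used as a stand-in for "distinct networks" (real deployments would map addresses to ASNs), and all thresholds are assumptions made for the example; the log lines are constructed.

```python
"""Per-account aggregation of failed logins to spot distributed brute force.

Added example for illustration; the log format and thresholds are assumptions.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed sample lines in a generic syslog-like format. They are not taken
# from any real appliance or from the campaign discussed in the article.
SAMPLE_LOGS = """\
2025-01-28T03:12:01Z fw1 auth: user=admin src=203.0.113.10 result=FAIL
2025-01-28T03:12:02Z fw1 auth: user=admin src=198.51.100.7 result=FAIL
2025-01-28T03:12:02Z fw1 auth: user=admin src=192.0.2.44 result=FAIL
2025-01-28T03:12:03Z fw1 auth: user=admin src=203.0.113.77 result=FAIL
2025-01-28T03:12:03Z fw1 auth: user=admin src=198.51.100.201 result=FAIL
2025-01-28T03:12:04Z fw1 auth: user=admin src=192.0.2.9 result=FAIL
2025-01-28T03:12:04Z fw1 auth: user=admin src=203.0.113.10 result=FAIL
2025-01-28T03:12:05Z fw1 auth: user=admin src=192.0.2.130 result=FAIL
2025-01-28T03:12:05Z fw1 auth: user=admin src=198.51.100.55 result=FAIL
2025-01-28T03:12:06Z fw1 auth: user=jsmith src=203.0.113.5 result=FAIL
2025-01-28T03:12:07Z fw1 auth: user=jsmith src=203.0.113.5 result=FAIL
2025-01-28T03:12:08Z fw1 auth: user=jsmith src=203.0.113.5 result=FAIL
2025-01-28T03:12:09Z fw1 auth: user=jsmith src=203.0.113.5 result=FAIL
2025-01-28T03:12:10Z fw1 auth: user=jsmith src=203.0.113.5 result=FAIL
2025-01-28T03:12:11Z fw1 auth: user=jsmith src=203.0.113.5 result=FAIL
2025-01-28T03:12:12Z fw1 auth: user=ops src=192.0.2.20 result=OK
malformed line that the parser should skip
"""

# Assumed field layout; adjust the pattern to the real device's log format.
LINE_RE = re.compile(
    r"user=(?P<user>\S+)\s+src=(?P<src>\d{1,3}(?:\.\d{1,3}){3})\s+result=(?P<result>\w+)"
)


def parse_failures(text):
    """Return (user, source_ip) for every failed login; unparseable lines are skipped."""
    failures = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m and m.group("result") == "FAIL":
            failures.append((m.group("user"), m.group("src")))
    return failures


def summarize(failures):
    """Aggregate failures per targeted account rather than per source address."""
    per_user = defaultdict(lambda: defaultdict(int))
    for user, src in failures:
        per_user[user][src] += 1
    summary = {}
    for user, by_src in per_user.items():
        # /24 prefixes approximate "distinct networks"; offline stand-in for ASN lookup.
        prefixes = {str(ipaddress.ip_network(f"{src}/24", strict=False)) for src in by_src}
        summary[user] = {
            "attempts": sum(by_src.values()),
            "sources": len(by_src),
            "max_per_source": max(by_src.values()),
            "prefixes": len(prefixes),
        }
    return summary


def classify(stats, min_sources=5, max_per_source=2, min_prefixes=3, single_threshold=5):
    """Label one account's failure profile. Thresholds are illustrative assumptions."""
    if (stats["sources"] >= min_sources
            and stats["max_per_source"] <= max_per_source
            and stats["prefixes"] >= min_prefixes):
        # Many sources, few tries each, several networks: per-IP lockout would miss this.
        return "distributed"
    if stats["sources"] == 1 and stats["attempts"] >= single_threshold:
        return "single-source"
    return "below-threshold"


def detect(text, **thresholds):
    """Map each targeted account to its classification."""
    return {user: classify(stats, **thresholds)
            for user, stats in summarize(parse_failures(text)).items()}


if __name__ == "__main__":
    for user, stats in summarize(parse_failures(SAMPLE_LOGS)).items():
        print(user, stats, "->", classify(stats))
```

On the constructed input, `admin` is hit nine times from eight addresses in three /24 prefixes, never more than twice from one address, and is labelled `distributed`; `jsmith` is hit six times from a single address and is labelled `single-source`. The point of aggregating by account is that the first case never trips a per-source counter, which is why residential proxies and botnets are effective at evading source-based throttling; an account-level alert, combined with MFA and management-plane access restricted to trusted addresses, closes that gap.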

Cybersecurity experts advised organisations to change default administrator passwords, enforce MFA, limit remote access to trusted IP addresses, and disable unnecessary web administration interfaces. Regular firmware updates and security patches remained essential to addressing vulnerabilities.
