Hackers Actively Targeting SonicWall, Zoho, F5 & Ivanti Systems to Exploit Vulnerabilities

A significant surge in cyberattacks targeting enterprise network appliances and remote access tools has put global organizations on high alert. 

On March 28, 2025, GreyNoise observed a 300% increase in malicious activity directed at SonicWall firewalls, Zoho ManageEngine platforms, F5 BIG-IP systems, and Ivanti Connect Secure VPNs. 

Threat actors are exploiting unpatched vulnerabilities in these widely deployed technologies, with telemetry revealing coordinated reconnaissance, brute-force attacks, and attempts to deploy ransomware payloads. 

The campaign underscores the persistent risk posed by delayed patching cycles and the weaponization of older CVEs alongside newly disclosed flaws.

Targeted Systems and Exploitation Patterns

Ivanti Connect Secure VPNs: Code Injection Risks

Attackers are actively exploiting three critical vulnerabilities in Ivanti’s remote access solutions: CVE-2025-22467 (stack-based buffer overflow), CVE-2024-10644 (remote code execution via code injection), and CVE-2024-38657 (arbitrary file write). 

These flaws enable authenticated attackers with low privileges to bypass security controls, manipulate system files, and execute malicious commands. 

GreyNoise sensors detected over 15,000 unique IPs attempting to inject payloads into Ivanti’s XML-based API endpoints, often masquerading as legitimate traffic to evade detection. 

Despite patches released in Q1 2025, many organizations remain exposed due to complex update procedures for hybrid cloud architectures.

SonicWall SSL VPNs: Authentication Bypass Flaws

SonicWall devices are under siege due to CVE-2024-53704, an authentication bypass vulnerability in SonicOS SSL VPNs patched in January 2025. 

Attackers hijack active VPN sessions to access internal networks, exfiltrate Virtual Office credentials, and disrupt legitimate user connections. 

Exploit attempts surged on March 28, with threat actors using forged session tokens to bypass certificate validation. The activity correlates with dark web leaks of SonicWall configuration templates tailored for ransomware deployment.

Zoho ManageEngine: API Gateway Compromises

Zoho’s IT management platforms face attacks leveraging CVE-2024-10640, a deserialization vulnerability in the REST API connector. 

Unauthenticated attackers craft malicious serialized objects to gain root access, with GreyNoise logging 8,420 exploitation attempts in 72 hours. 

Compromised instances are repurposed to deploy cryptominers and Cobalt Strike beacons. Zoho released hotfixes on March 25, but the narrow update window left enterprises vulnerable to rapid exploitation.

F5 BIG-IP: iControl Server Vulnerabilities

F5’s BIG-IP appliances are targeted via CVE-2025-19872, a server-side request forgery (SSRF) flaw in the iControl REST interface. 

Attackers exploit misconfigured HTTP endpoints to bypass network restrictions and query internal services, potentially accessing Kubernetes clusters or cloud metadata.

Researchers observed 4,200 IPs scanning for exposed iControl servers, with 14% linked to known ransomware affiliate infrastructures. F5’s March 18 patch requires manual intervention, delaying mitigation for many users.

Multi-phase Strategy

The campaign employs a multi-phase strategy:

Reconnaissance: Automated scanners identify unpatched systems using JA4h fingerprints (e.g., po11nn11enus_967778c7bec7_000000000000_000000000000) to profile SSL/TLS handshake patterns.

Exploitation: Attackers chain CVEs to escalate privileges—for example, combining Ivanti’s CVE-2024-38657 (file write) with CVE-2025-22467 (buffer overflow) to overwrite system binaries.

Persistence: Hijacked SonicWall VPN tunnels and Zoho API keys establish SOCKS5 proxies for lateral movement, while F5 SSRF exploits harvest AWS IAM credentials.

Notably, CVE-2023-6875—a pre-auth SQLi flaw in Zoho’s ServiceDesk Plus—is being exploited despite its absence from CISA’s Known Exploited Vulnerabilities catalog. This highlights limitations in relying solely on federal advisories for threat intelligence.

Mitigation Strategies for Enterprises

Patch Prioritization: Immediately apply fixes for Ivanti (Connect Secure 22.5R2), SonicWall (SonicOS 7.1.3-4303), Zoho (ManageEngine 12540), and F5 (BIG-IP 17.1.1.1).

Network Segmentation: Isolate legacy systems that cannot be patched and enforce zero-trust policies for VPN and API gateways.

Behavioral Analytics: Deploy tools like GreyNoise to retroactively analyze March 28–April 1 logs for JA4h hashes, anomalous session durations (>90 minutes), or spikes in POST /api/v1/icrest requests.

Incident Response: Assume compromise if unaccounted cron jobs (*/10 * * * * /tmp/.httpd) or unsigned kernel modules (lsmod | grep -i netlink) are detected.
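As an added example (not part of the original article or any vendor's tooling), the following Python script applies the indicators named in the Behavioral Analytics and Incident Response items to constructed sample data: the quoted JA4h fingerprint, sessions longer than 90 minutes, bursts of POST /api/v1/icrest requests, and the */10 /tmp/.httpd crontab entry. The log line format, the IP addresses and the spike threshold are assumptions made for this example.

```python
import re
from collections import Counter

# JA4h value and request path quoted in the article; thresholds are assumptions for this example
SUSPECT_JA4H = {"po11nn11enus_967778c7bec7_000000000000_000000000000"}
ICREST_PATH = "/api/v1/icrest"
SESSION_LIMIT_MIN = 90          # article: sessions longer than 90 minutes are anomalous
ICREST_SPIKE = 5                # assumed: 5+ POSTs from one IP in the window counts as a spike

# Constructed log format for this example (not any vendor's real format):
# <timestamp> <src_ip> <method> <path> ja4h=<fingerprint> session_min=<minutes>
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) ja4h=(\S+) session_min=(\d+)$")
# Crontab line named in the article's incident-response guidance
CRON_IOC = re.compile(r"^\*/10 \* \* \* \* /tmp/\.httpd(\s|$)")

def parse_line(line):
    """Return a dict for a well-formed line, or None so malformed lines are skipped."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts, ip, method, path, ja4h, mins = m.groups()
    return {"ts": ts, "ip": ip, "method": method, "path": path,
            "ja4h": ja4h, "session_min": int(mins)}

def analyze_logs(lines):
    """Apply the three log indicators from the article and return (indicator, src_ip) findings."""
    findings, icrest_posts = [], Counter()
    for rec in filter(None, map(parse_line, lines)):
        if rec["ja4h"] in SUSPECT_JA4H:
            findings.append(("ja4h_match", rec["ip"]))
        if rec["session_min"] > SESSION_LIMIT_MIN:
            findings.append(("long_session", rec["ip"]))
        if rec["method"] == "POST" and rec["path"] == ICREST_PATH:
            icrest_posts[rec["ip"]] += 1
    findings += [("icrest_spike", ip) for ip, n in icrest_posts.items() if n >= ICREST_SPIKE]
    return findings

def suspicious_cron(crontab_text):
    """Return crontab lines matching the */10 /tmp/.httpd persistence indicator."""
    return [l.strip() for l in crontab_text.splitlines() if CRON_IOC.match(l.strip())]

# Constructed sample input: one scanner hit, one over-long session, one burst of iControl POSTs
SAMPLE_LOGS = [
    "2025-03-28T10:00:01Z 203.0.113.7 GET /portal/login ja4h=po11nn11enus_967778c7bec7_000000000000_000000000000 session_min=1",
    "2025-03-28T10:02:11Z 198.51.100.4 GET /portal/home ja4h=ge11nn05enus_111111111111_222222222222_333333333333 session_min=130",
    "not a log line",
] + ["2025-03-28T10:03:%02dZ 203.0.113.9 POST /api/v1/icrest ja4h=po11nn11enus_444444444444_555555555555_666666666666 session_min=2" % s for s in range(6)]
SAMPLE_CRON = "0 2 * * * /usr/bin/backup.sh\n*/10 * * * * /tmp/.httpd\n"
```

Running `analyze_logs(SAMPLE_LOGS)` yields one finding per indicator, and `suspicious_cron(SAMPLE_CRON)` returns only the matching crontab line; the malformed line is skipped rather than breaking the sweep.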

This campaign exemplifies the evolving sophistication of ransomware syndicates, which now automate CVE exploitation across heterogeneous environments. 

With 37% of attacks targeting vulnerabilities patched >60 days prior, organizations must adopt real-time threat intelligence platforms and enforce stricter SLAs for patch deployment. 

As researchers warn, “The window between vulnerability disclosure and exploitation has collapsed—defenders must operationalize mitigation at machine speed.”
