A global brute force attack campaign leveraging 2.8 million IP addresses actively targets edge security devices, including VPNs, firewalls, and gateways from vendors such as Palo Alto Networks, Ivanti, and SonicWall.
The attack, first detected in January 2025, has been confirmed by The Shadowserver Foundation, a nonprofit cybersecurity organization, and has intensified in recent weeks, with threat actors attempting to breach login credentials across exposed network infrastructure.
Attack Overview
Brute force attacks involve repeated attempts to guess usernames and passwords until valid credentials are discovered. Once compromised, devices can be hijacked for unauthorized network access, data theft, or integration into botnets.
According to threat intelligence firm Shadowserver Foundation, this campaign employs 2.8 million unique IPs daily, with over 1.1 million originating from Brazil, followed by Turkey, Russia, Argentina, Morocco, and Mexico.
The attacking IPs are distributed across residential proxy networks and compromised devices, including MikroTik, Huawei, and Cisco routers, likely orchestrated by a large botnet.
The attacks focus on edge devices critical for remote access, such as:
- VPN gateways (Palo Alto Networks GlobalProtect, SonicWall NetExtender)
- Firewalls (Ivanti, Fortinet)
- Routers and IoT appliances.
These devices are often internet-facing, making them prime targets. Compromised systems risk becoming proxy nodes for further attacks, enabling threat actors to mask malicious traffic as legitimate user activity.
Shadowserver CEO Piotr Kijewski confirmed the attacks involve actual login attempts, not mere scanning, increasing the likelihood of credential theft.
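Added example (not from the article or Shadowserver): why a classic per-source-IP failure threshold misses a campaign spread across millions of addresses, and how aggregating distinct failing sources per target device catches it. The log format and hostnames are assumed and the sample lines are constructed, not a real vendor's logs.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Assumed generic syslog-style auth failure line (not a real vendor format).
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) auth-fail user=(?P<user>\S+) src=(?P<src>\S+)$")

def parse(line):
    """Parse one auth-failure line into a dict, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return rec

def _bucket(ts, window):
    """Fixed time bucket index so events in the same window share a key."""
    return int(ts.timestamp()) // int(window.total_seconds())

def per_source_alerts(lines, threshold=5, window=timedelta(minutes=5)):
    """Classic rule: a single source IP with >= threshold failures in one window."""
    counts = defaultdict(int)
    for rec in filter(None, map(parse, lines)):
        counts[(rec["src"], _bucket(rec["ts"], window))] += 1
    return sorted({src for (src, _), n in counts.items() if n >= threshold})

def distributed_alerts(lines, min_sources=20, window=timedelta(minutes=5)):
    """Distributed rule: a target host failing logins from >= min_sources distinct IPs."""
    sources = defaultdict(set)
    for rec in filter(None, map(parse, lines)):
        sources[(rec["host"], _bucket(rec["ts"], window))].add(rec["src"])
    return sorted({host for (host, _), s in sources.items() if len(s) >= min_sources})

def _constructed_logs():
    """Constructed sample: 40 distinct IPs, one failure each, against vpn-gw1 within
    a minute (the campaign pattern), plus three failures from one IP against vpn-gw2
    (a user mistyping a password)."""
    lines = [f"2025-02-08T10:00:{i:02d}Z vpn-gw1 auth-fail user=admin src=203.0.113.{i + 1}"
             for i in range(40)]
    lines += [f"2025-02-08T10:01:{i:02d}Z vpn-gw2 auth-fail user=bob src=198.51.100.7"
              for i in range(3)]
    return lines

SAMPLE_LOGS = _constructed_logs()

if __name__ == "__main__":
    print("per-source alerts:", per_source_alerts(SAMPLE_LOGS))      # []
    print("distributed alerts:", distributed_alerts(SAMPLE_LOGS))    # ['vpn-gw1']
```

With one attempt per address, the per-source rule never fires, while the per-target rule flags vpn-gw1; in practice the aggregation key would also include the username to catch password spraying against one account.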
This campaign follows a pattern of escalating brute force activity. In April 2024, Cisco reported similar attacks targeting VPNs from Check Point, Fortinet, and Ubiquiti, often routed through TOR exit nodes and proxy services.
Recent vulnerabilities in Ivanti (CVE-2024-8190) and SonicWall (CVE-2025-23006) further highlight risks, with unpatched devices susceptible to exploitation.
In response to rising threats, Five Eyes cybersecurity agencies (CISA, NCSC, etc.) issued guidance urging manufacturers to improve logging and default security for edge devices.
Their advisory emphasizes eliminating default passwords and ensuring firmware supports real-time threat detection.
As brute force attacks grow in scale and sophistication, organizations must prioritize securing edge devices—often the first line of defense.
With 2.8 million IPs weaponized daily, the campaign highlights the urgent need for MFA, rigorous patch management, and network segmentation. Shadowserver warns that attacks are likely to persist, targeting additional vendors and regions.