TL;DR: Cisco firewall flaws, SonicWall VPN abuse, SVG phishing, and exposed healthcare databases show a common pattern: attackers exploit entry points, then move laterally, disable protections, and steal data, according to ColorTokens. The decisive control is limiting blast radius, because perimeter failure becomes survivable only when internal movement is contained.
NHIMG editorial — based on content published by ColorTokens: Ransomware Protection Advisory: From Cisco Flaws to SonicWall Breaches
By the numbers:
- The U.S. government even issued an emergency directive, urging agencies to patch or disconnect vulnerable devices within 24 hours.
Questions worth separating out
Q: What breaks when a compromised VPN or firewall account still has broad internal access?
A: A single exposed credential or device can become a full breach when it can reach backup servers, directory services, and endpoint management tools without friction.
Q: Why do stolen credentials and OTP seeds still defeat MFA in real incidents?
A: MFA fails when the attacker already controls the secret material that the second factor depends on.
Q: What do security teams get wrong about lateral movement prevention?
A: They often treat lateral movement as a detection problem when it is also a design problem.
Practitioner guidance
- Reduce exposed edge access immediately Inventory internet-facing VPN, firewall, and remote administration services, then prioritize patching, isolation, or removal for anything still reachable from the public internet.
- Reset and rotate credentials tied to VPN and MFA recovery Force credential resets where OTP seeds, reused passwords, or recovery factors could have been harvested in prior incidents.
- Segment backup, directory, and endpoint-management paths Place backup servers, directory services, and endpoint control planes into tighter network and identity boundaries so a compromised session cannot reach them by default.
What's in the full article
ColorTokens' full blog covers the operational detail this post intentionally leaves for the source:
- Step-by-step guidance on containing lateral movement with microsegmentation across hybrid environments.
- Specific remediation actions for Cisco ASA/FTD and SonicWall VPN exposure, including prioritisation logic.
- Practical indicators for spotting post-compromise activity such as RDP, SMB, BloodHound, Impacket, and dsquery usage.
- Examples of how the advisory connects internal visibility gaps to ransomware spread and data theft.
👉 Read ColorTokens' ransomware protection advisory on Cisco flaws and SonicWall breaches →
Lateral movement and VPN exposure: what security teams need to do?
Explore further
Perimeter compromise is now an identity problem, not just a network problem. When VPNs and firewalls remain exposed, they become trusted authentication paths into the enterprise, and that trust is exactly what attackers convert into lateral movement. The control question is no longer whether the edge can be attacked, but whether identity-bound access inside the environment is narrowly enough scoped to fail safely. Practitioners should treat exposed remote access as a cross-domain IAM and resilience issue, not a siloed infrastructure ticket.
A few things that frame the scale:
- 28.65 million new hardcoded secrets were detected in public GitHub commits in 2025 alone, a 34% year-over-year increase and the largest single-year jump ever recorded, according to The Secret Sprawl Challenge.
- 28% of secrets incidents now originate outside code repositories, in Slack, Jira, and Confluence, and are 13% more likely to be categorised as critical than code-based leaks.
A question worth separating out:
A: They should combine rapid edge remediation with internal compartmentalisation. Patch or disconnect exposed devices, then isolate backup, identity, and management systems so compromised access cannot cascade. That approach reduces the chance that one breach path becomes a multi-system incident.
👉 Read our full editorial: Ransomware resilience depends on stopping lateral movement, not just entry