By TrendAI Threat Research
For many years, the front door to large enterprises and government organizations for state-sponsored actors was phishing. This has now changed: Edge devices, such as VPN gateways, firewalls, and network appliances, have increasingly become a primary target as an initial access vector for state-sponsored espionage operations. This shift is not temporary and reflects a strategic recalculation by adversaries who identify and exploit the least-defended, high-value assets on enterprise networks: unmanaged edge infrastructure.
This report analyzes publicly available studies on vulnerability trends from 2024 to date, along with threat actor operations, economic drivers, and leaked operational data, to explain why edge devices are being systematically targeted and what CISOs and security leaders must know to respond.
Our key takeaways include the following:
- Edge devices are now one of the most common initial access vectors for state-sponsored espionage. Publicly available data shows that exploitation increased from 3% to 22% of all exploitation incidents in a single year. We assess this to be a structural shift rather than an anomaly.
- Attacker economics are overwhelmingly favorable towards exploiting edge devices. Edge device exploits cost US$30,000 – US$100,000, which is one-third to one-tenth the cost of browser or mobile exploits while enabling broad network access, credential harvesting, and traffic interception. Meanwhile, it takes defenders an average of 30 days to patch, while attackers weaponize patches within hours. For further details, see Appendix B: Vulnerability Broker Pricing in our report.
- China-aligned actor groups operate as a coordinated ecosystem. Multiple threat actors (e.g., UNC5221, Earth Estries aka Salt Typhoon, Volt Typhoon) share tooling, divide targets, and probably benefit from state-directed vulnerability pipelines. We do not view this as an isolated activity, as it appears strategic, scaled, and is accelerating.
- Edge devices are blind spots by design. They cannot run endpoint detection and response (EDR) and offer limited logging. Additionally, patching them requires downtime that organizations are reluctant to schedule. As closed systems, they are also very hard to work with during forensic analysis and examination.
- AI will accelerate this threat. Financially motivated actors are adopting these techniques too, new vendors are being targeted, and threat actors increasingly use AI tools to discover vulnerabilities at scale and to automate exploit development. The window between patch release and active exploitation is collapsing from weeks to hours.
This report is a threat landscape analysis for CISOs and security leaders rather than a vulnerability advisory. Based on publicly available data, we examine why edge devices have become the preferred entry point for espionage operations, who is exploiting them at scale, and what defenders can realistically do given the structural constraints. The appendix provides technical depth, including indicators of compromise (IoCs), exploit economics, and forensic artifacts from an active operator workstation.
Why Edge Devices Are Under Attack
Edge device exploitation rose from 3% to 22% of all vulnerability exploitation breaches in a single year, an eightfold increase documented in the Verizon 2025 DBIR. Recorded Future’s H1 2025 report showed that 53% of exploitation activity was state-sponsored, with edge appliances accounting for 17% of all actively exploited CVEs.
We do not view this as a temporary spike, but as a strategic recalculation by adversaries. As endpoint security has matured with EDR, multifactor authentication (MFA), and application allow-listing, attackers have shifted to assets on the network that have the highest value but the least defense. These assets are also the hardest to monitor efficiently.
Why edge devices? Edge devices sit at the boundary between an organization’s internal network and the internet. They serve as VPN concentrators, firewalls, web application firewalls (WAFs), and access gateways. Compromising one provides attackers with the following:
- Networkwide visibility: This includes access to inbound/outbound traffic, internal topology, and user activity.
- Credential harvesting: LDAP/Active Directory integration means domain credentials are accessible post-compromise.
- Trust exploitation: Edge devices are listed in security policies and are usually trusted, so traffic from them may be allowed as legitimate to other critical systems within the network. Attackers can abuse this trust for further pivoting and lateral movement.
- Proxy infrastructure: Compromised devices can become relay points for command-and-control (C&C) communications and pivots into partner networks or other systems, effectively becoming part of an Operational Relay Box (ORB) network.
At the same time, they are uniquely difficult to defend:
- No EDR support: Stripped-down or proprietary operating systems cannot run standard security agents. Vendor-provided monitoring is typically limited to system logging.
- Patching friction: Updates require downtime, testing, and maintenance windows that organizations are reluctant to schedule.
- Limited forensic visibility: Many edge devices operate on in-memory file systems. A reboot can erase all evidence of compromise.
- Direct internet exposure: They are discoverable and reachable, forming the primary external attack surface.
The combination of high strategic value and low defensive coverage makes edge devices the optimal target for espionage operations.
Key Metrics
| Metric | Value | Source |
| --- | --- | --- |
| Edge device exploitation (2024) | ~22% of incidents (up from 3%) | Verizon 2025 DBIR |
| CVEs disclosed H1 2025 | 23,667 | Recorded Future H1 2025 |
| State-sponsored exploitation activity | 53% | Recorded Future H1 2025 |
| Financially motivated exploitation | 27% | Recorded Future H1 2025 |
| Exploited CVEs requiring no authentication | 69% | Recorded Future H1 2025 |
| Exploited CVEs enabling RCE | 30% | Recorded Future H1 2025 |
| Edge device remediation rate | 54% | Deepstrike 2025 |
| Average patch time for edge devices | ~30 days | Deepstrike 2025 |
Table 1. General dynamics of vulnerability exploitation and mitigation, based on publicly available sources
Exploitation Trends: 2024 – 2026
Between 2024 and 2026, state-sponsored actors exploited critical vulnerabilities across most major edge device vendors. The table below summarizes the key incidents.
| Vendor/Device | CVE | Earliest Exploitation | Impact | China-Aligned Exploitation? |
| --- | --- | --- | --- | --- |
| Cisco IOS XE | CVE-2018-0171, CVE-2023-20198, CVE-2023-20273 | 2024-2025 | Device manager exploitation | Yes |
| Citrix NetScaler | CVE-2025-5777, CVE-2025-6543 | June-August 2025 | Credential bypass plus RCE chain | Yes |
| Fortinet FortiGate | CVE-2025-59718, CVE-2025-59719 | December 2025-February 2026 | SSO signature validation bypass | Yes |
| Fortinet FortiGate | CVE-2026-24858 | January 2026 | FortiCloud SSO authentication bypass | Multiple |
| Ivanti Connect Secure | CVE-2025-0282, CVE-2025-0283 | December 2024 | EAP handling flaws enabling RCE | Yes |
| Ivanti Connect Secure | CVE-2025-22457 | Mid-March 2025 | X-Forwarded-For buffer overflow, unauthenticated RCE | Yes |
| Ivanti EPMM | CVE-2025-4428 | April 2025 | XML parser bug chained with auth bypass | Yes |
| Ivanti EPMM | CVE-2026-1281, CVE-2026-1340 | Early 2026 | Unsafe bash script execution, RCE | Multiple |
| Palo Alto PAN-OS | CVE-2024-3400, CVE-2024-0012, CVE-2024-9474 | 2024-2025 | Auth bypass, command injection | Multiple |
| SonicWall SMA1000 | CVE-2025-40602 and CVE-2025-23006 | January 2025 | Stack-based buffer overflow | Yes |
Table 2. Edge device vulnerabilities exploited in 2024 to date
Note: The information in this table is solely based on publicly disclosed information and does not account for undisclosed vulnerabilities that have been exploited in the wild.
Several patterns emerge from the data. China-aligned groups appear to dominate, accounting for at least seven of 10 major campaigns. The exploitation window is shrinking: The time to exploit averaged two to four weeks post-patch, but GreyNoise's 2026 report noted that this window “has effectively collapsed” to days. Attackers are also reverse-engineering exploits from artifacts collected in the wild, weaponizing them independently of original disclosure. Ivanti has been hit particularly hard, suffering four separate campaigns within 18 months. See Appendix A for more details about Ivanti-targeting activities.
Moreover, the targeting spans all major vendors, with authentication bypass, memory corruption, and path traversal vulnerabilities exploited across the board. The impact can be seen globally. According to TeamT5, Ivanti exploitation alone affected victims across 12 countries: Austria, Australia, France, Spain, Japan, South Korea, the Netherlands, Singapore, Taiwan, the UAE, the UK, and the US. TrendAI telemetry corroborates these findings. Telecommunications, government, defense, and technology sectors were affected significantly.
Economic Analysis: Why Edge Devices Are Targeted
Edge device exploitation will persist because the economics overwhelmingly favor attackers. It is not just technically convenient, but also the most cost-effective path to strategic intelligence collection. Pwn2Own data from TrendAI’s Zero Day Initiative (ZDI) shows that offensive brokers pay 20 – 40 times more over coordinated disclosure prices for mobile exploits, but only two to five times more for edge device exploits. This confirms that edge vulnerabilities are structurally underpriced relative to their strategic value, making them especially attractive to cost-conscious state actors. For detailed analysis, refer to Vulnerability Broker Pricing in our appendix.
Vulnerability Pricing
TrendAI’s ZDI — the world’s largest vendor-agnostic coordinated disclosure program — provides transparent pricing benchmarks through its annual Pwn2Own competitions. These figures reflect what researchers earn for reporting vulnerabilities responsibly to vendors. For comparison, nondefensive exploit acquisition markets operate in parallel, paying a structured premium to acquire the same vulnerabilities without vendor disclosure, keeping them secret and weaponizable for state-sponsored operations. Table 3 shows the pricing of exploits, based on public broker pricing and industry reporting. Our appendix contains a case study on pricing breakdown.
Coordinated disclosure market (ZDI Pwn2Own benchmark):
| Target Type | ZDI Pwn2Own Prize Range | Strategic Value |
| --- | --- | --- |
| Mobile OS full chain (iPhone/Pixel, kernel) | US$150,000 – US$250,000 | Single device |
| Browser full chain (Chrome, Safari, Firefox) | US$85,000 – US$200,000 | Single user endpoint |
| Enterprise VM escape (VMware ESXi) | US$150,000 – US$250,000 | Hypervisor/datacenter |
| SOHO Smashup (chained router + NAS) | US$25,000 – US$100,000 | Small network segment |
| Individual edge/SOHO device RCE | US$3,000 – US$25,000 | Network entry point |
Table 3. ZDI's Pwn2Own historical pricing
| Target Type | Price Range | Strategic Value |
| --- | --- | --- |
| Mobile OS (iOS, Android kernel) | US$200,000 – US$7,000,000 | Single device |
| Browser RCE (Chrome, Firefox, Safari) | US$100,000 – US$3500,000 | Single user endpoint |
| Windows kernel EoP | US$90,000 – US$250,000 | Privilege escalation |
| Edge device RCE | US$30,000 – US$100,000 | Proxy/Network access |
| Enterprise edge device RCE (Cisco, Fortinet, Ivanti, etc.) | US$50,000 – US$100,000 | Entire network access |
| SOHO router exploits | US$5,000 – US$30,000 | Proxy/relay node |
Table 4. Offensive exploit acquisition market
Based on Tables 3 and 4, two patterns stand out:
- Offensive acquisition markets pay 20 to 40 times the coordinated disclosure rate for mobile exploits, but only 2 to 5 times for edge devices. The difference is driven by the complexity of exploitation (mobile vs. embedded devices), the relative ease of vulnerability discovery, and market demand. Pricing for enterprise edge devices would be higher, but consumer/prosumer models already represent a major attack surface. This confirms that edge device vulnerabilities are structurally underpriced relative to their strategic value in the attacker’s economy.
- While a mobile exploit costs millions and compromises one device, an edge device exploit at US$50,000 – US$100,000 yields access to an entire organization’s network, credentials, and traffic. The price-to-access ratio for edge devices is unmatched across any other target category.
China’s Vulnerability Supply Chain
On the open market, these prices make edge exploits attractive. In China, state-directed vulnerability programs drive costs even lower. China’s 2024 Network Data Regulations require 24- or 48-hour mandatory vulnerability reporting to state authorities, depending on the seriousness of the vulnerability. The Nvwa (女娲) Project and similar platforms, which operated in the past, offered payouts of RMB 50,000 – RMB 200,000 (USD 7,000 – USD 28,000) for edge device RCE. Note that this information uses solely historical data, as there is no up-to-date information on vulnerability supply chain pricing available in the open domain. Additionally, due to recent regulation changes in China, many of those programs are no longer publicly visible. However, we assess that these changes effectively nationalize vulnerability discovery, most likely giving state-aligned groups access to a steady supply of affordable and expendable exploits.
This explains the pattern of rapid burning of Ivanti, Palo Alto, and Fortinet zero-days throughout 2024 and early 2026. These exploits are cheap enough to use widely and then discard, rather than carefully preserving them for high-value, single-use operations.
The attacker’s economics are favorable, but the defender’s are not. Organizations face high costs when patching edge devices. VPN downtime affects remote workers, common security solutions are not present on edge devices, and even collecting forensic evidence from edge devices is not always straightforward. Testing is required to avoid breaking production, and maintenance windows must be coordinated across teams. This cost-benefit calculation routinely results in delayed patching, creating a remediation window of at least 30 days that attackers exploit through patch difference analysis and rapid weaponization.
The attacker’s economics are simple. A US$100,000 exploit targeting 33,000 Ivanti installations, with even 100 successful compromises, costs US$1,000 per victim. A phishing campaign targeting the same organizations probably costs more per success and yields far less immediate access.
The Threat Actors: A Coordinated Ecosystem
Multiple China-aligned APT groups target edge devices systematically. The breadth and consistency of this targeting suggest some level of coordination rather than entirely independent campaigns by different actor groups.
- UNC5221 is one of the most prolific edge device exploitation groups. They are responsible for repeated zero-day campaigns against Ivanti and Citrix NetScaler since late 2023. The group deploys the SPAWN malware ecosystem, purpose-built tools for persistence, tunneling, and log wiping on compromised appliances. Appendix C covers additional activity linked to UNC5221, including incidents others have attributed to the North Korean-aligned Kimsuky group that we assess are more likely tied to UNC5221.
- Earth Estries (Salt Typhoon) conducts the largest documented edge device campaign, breaching over 600 organizations across 80 countries since 2019. The group focuses heavily on telecommunications providers; in October 2024, this included multiple US carriers. The US Treasury sanctioned an affiliated Chinese company in January 2025.
- Volt Typhoon pursues a distinct mission of prepositioning for infrastructure disruption rather than traditional espionage. The group targets US critical infrastructure by compromising SOHO routers as proxy infrastructure, using living-off-the-land (LOTL) techniques exclusively. The US intelligence community assesses this as preparation for disruptive operations in a Taiwan contingency.
Together, these groups demonstrate what looks like a coordinated effort: UNC5221 provides rapid exploitation capability, Earth Estries conducts large-scale intelligence collection, and Volt Typhoon prepares for potential disruption. The shared targeting of edge devices reflects strategic prioritization that goes beyond individual group operations.
Detection and Mitigation
The combination of limited visibility, patching friction, and high strategic value makes edge devices uniquely challenging to defend. Organizations should focus on four areas: strategic controls, closing the patching gap, detection, and incident response.
Strategic Controls
- Start with visibility. Maintain a continuously updated inventory of all edge devices, firmware versions, and patch status. Without full visibility, exposure cannot be assessed. Attack surface management tools can automate discovery and risk-based prioritization. TrendAI Vision One – Cyber Risk Exposure Management provides attack surface discovery and risk-based prioritization, enabling teams to identify unmanaged edge devices and direct remediation where it matters most.
- Conduct network segmentation. Where possible, place edge devices in isolated DMZs with strict firewall rules. This limits lateral movement and prevents attackers from exploiting trust relationships if a device is compromised.
- Perform external monitoring. Automate monitoring with systems like Censys, Shodan, or TrendAI Vision One - External Attack Surface Management to detect potentially suspicious, externally facing services.
- Set up proactive edge device monitoring. Establish event and network traffic monitoring for edge devices where possible. Investigate any suspicious activity.
Closing the Patching Gap
The 30-day average remediation window is the core vulnerability defenders must address. Two approaches help:
- Virtual patching: When immediate patching is not feasible, deploy virtual patching through IPS to shield vulnerable devices. TrendAI TippingPoint™ provides network-based virtual patching that blocks exploitation attempts targeting known CVEs. This buys time while maintenance windows are scheduled. This is powered by the unmatched TrendAI Zero Day Initiative (ZDI), which was responsible for the disclosure of 73% of all zero-day vulnerabilities monitored by OMDIA in 2025.
- Rapid patching process: Establish emergency procedures targeting 48-hour remediation for critical edge device CVEs.
Detection Strategies
Edge devices require dedicated monitoring strategies:
- Certificate monitoring: Some attackers deploy backdoors using self-signed or attacker-controlled certificates. Monitor for unexpected certificates on edge devices.
- File integrity monitoring: Check for unexpected shared libraries and recently modified files in system directories. For Ivanti devices, examine the /lib, /usr/lib, and /data directories for recently modified files.
- Log analysis: Look for authentication successes without corresponding VPN connections, large off-hours data transfers, and internal RDP/SMB connections originating from edge device addresses.
- Memory forensics: Capture memory from edge device web server processes to detect in-memory implants that leave no disk artifacts.
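The log analysis checks in the list above can be expressed as simple correlation rules. The following is an added example, not code from the report or from any vendor: it runs three of those checks (authentication success with no VPN session following it, large off-hours transfers, and RDP/SMB connections originating from an edge device address) over a handful of constructed log lines in an assumed key=value format. The edge device address, the business-hours window, the size threshold and the 60-second correlation window are all assumptions to be tuned to a real environment.

```python
"""Correlation checks for edge-device logs (added example, not vendor code).

Checks implemented:
  1. auth_success events with no vpn_session_start for the same user/source
     within a short window (a login that never became a VPN session)
  2. large data transfers outside business hours
  3. connections from an edge device's internal address to RDP/SMB ports

The log format below is constructed for this example; real appliances
emit vendor-specific syslog that would need its own parser.
"""
from datetime import datetime, time, timedelta

# Constructed sample log lines (not real telemetry).
SAMPLE_LOGS = """\
ts=2025-06-02T09:12:03 event=auth_success src=203.0.113.10 user=alice
ts=2025-06-02T09:12:05 event=vpn_session_start src=203.0.113.10 user=alice
ts=2025-06-02T02:41:17 event=auth_success src=198.51.100.7 user=svc_backup
ts=2025-06-02T02:43:00 event=data_transfer src=10.0.0.1 dst=198.51.100.7 bytes=2147483648
ts=2025-06-02T02:45:10 event=conn src=10.0.0.1 dst=10.0.5.20 dport=3389
ts=2025-06-02T02:45:12 event=conn src=10.0.0.1 dst=10.0.5.21 dport=445
ts=2025-06-02T14:05:00 event=conn src=10.0.7.33 dst=10.0.5.22 dport=445
ts=2025-06-02T14:20:00 event=data_transfer src=10.0.0.1 dst=203.0.113.55 bytes=52428800
"""

# Assumptions: internal address of the VPN gateway, working hours, thresholds.
EDGE_DEVICE_ADDRESSES = {"10.0.0.1"}
LATERAL_PORTS = {3389: "RDP", 445: "SMB"}
BUSINESS_HOURS = (time(7, 0), time(19, 0))
LARGE_TRANSFER_BYTES = 500 * 1024 * 1024
VPN_FOLLOWUP_SECONDS = 60


def parse_line(line):
    """Turn 'k=v k=v ...' into a dict and parse the timestamp."""
    rec = dict(kv.split("=", 1) for kv in line.split())
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    return rec


def parse_logs(text):
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def auth_without_vpn(records, window=timedelta(seconds=VPN_FOLLOWUP_SECONDS)):
    """Auth successes not followed by a VPN session for the same user and source."""
    starts = [r for r in records if r["event"] == "vpn_session_start"]
    findings = []
    for r in records:
        if r["event"] != "auth_success":
            continue
        matched = any(
            s["user"] == r["user"] and s["src"] == r["src"]
            and r["ts"] <= s["ts"] <= r["ts"] + window
            for s in starts
        )
        if not matched:
            findings.append((r["user"], r["src"], r["ts"].isoformat()))
    return findings


def off_hours_large_transfers(records):
    """Transfers at or above the size threshold outside business hours."""
    findings = []
    for r in records:
        if r["event"] != "data_transfer":
            continue
        size = int(r["bytes"])
        t = r["ts"].time()
        off_hours = t < BUSINESS_HOURS[0] or t > BUSINESS_HOURS[1]
        if off_hours and size >= LARGE_TRANSFER_BYTES:
            findings.append((r["src"], r["dst"], size, r["ts"].isoformat()))
    return findings


def lateral_from_edge(records):
    """RDP/SMB connections whose source is an edge device address."""
    findings = []
    for r in records:
        if r["event"] != "conn" or r["src"] not in EDGE_DEVICE_ADDRESSES:
            continue
        port = int(r["dport"])
        if port in LATERAL_PORTS:
            findings.append((r["src"], r["dst"], LATERAL_PORTS[port], r["ts"].isoformat()))
    return findings


def run_all(text=SAMPLE_LOGS):
    records = parse_logs(text)
    return {
        "auth_without_vpn": auth_without_vpn(records),
        "off_hours_large_transfers": off_hours_large_transfers(records),
        "lateral_from_edge": lateral_from_edge(records),
    }


if __name__ == "__main__":
    for name, hits in run_all().items():
        print(f"{name}: {len(hits)} finding(s)")
        for hit in hits:
            print("   ", hit)
```

On the sample data the first rule flags only the `svc_backup` login (the `alice` login is followed by a session start within the window), the second flags the 2 GB transfer at 02:43, and the third flags the two connections from the gateway address; the SMB connection from a workstation is ignored because the rule is scoped to edge addresses. In production, each rule would be fed from the SIEM rather than an inline string, and the gateway address set would come from the edge device inventory.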
Mitigation strategies
If a compromise is suspected, conduct the following:
- Forensic collection: Collect and preserve all available artifacts from the suspected device before any remediation.
- Factory reset: Where supported, perform a full factory reset and rebuild from a known-good image.
- Credential rotation: Reset all AD credentials, service accounts, and local user passwords. Review system configuration for suspicious changes.
- Certificate review: Inspect all TLS certificates and flag any unrecognized entries.
Conclusion
Edge devices have become the primary initial access vector for sophisticated adversaries because the economics favor attackers, and defenders have not adapted. Organizations must stop treating these assets as networking equipment outside the security program. They require dedicated monitoring, accelerated patching, and architectural controls commensurate with their strategic value and their risk.
For more technical details, please see our Appendix.