Exploited TP-Link and Ivanti Edge Devices Prompt Replacement Warnings
Finnish cybersecurity authorities warned that internet-facing edge devices are being actively exploited by state-backed actors, citing intrusions involving Ivanti Connect Secure and Policy Secure appliances as well as older TP-Link home routers and access points. In the Ivanti cases, five vulnerabilities were disclosed and three were reported as actively exploited, prompting Finland’s National Cyber Security Centre to contact hundreds of owners of exposed devices. A joint warning from international authorities said attackers could remain hidden for long periods, while Ivanti’s detection tool might miss compromises and even factory resets or software updates might not fully remove attacker access.
Authorities also reported that Russia-linked threat actors exploited TP-Link devices affected by CVE-2023-50224 for cyber espionage, with public reporting tying the activity to credential theft, DNS manipulation, and traffic hijacking. TP-Link said many affected consumer models are end-of-life and no longer receive normal security support, leaving most without a full patch and only a few with partial fixes. TP-Link and the Finnish Cyber Security Centre urged organizations and consumers to replace unsupported devices, apply the latest available firmware where possible, disable remote management, limit legacy equipment to trusted internal networks, and watch for abnormal DNS changes.

How this story unfolded
9 events from the most recent confirmed update back to the earliest known activity.
TP-Link and Finnish NCSC urge replacement of outdated devices
TP-Link and Finland’s Cyber Security Centre recommended replacing unsupported legacy routers with supported models. For devices that must remain in use, they advised installing the latest firmware, disabling remote management, limiting exposure to trusted internal networks, and monitoring for abnormal DNS changes.
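As an added example (not code from the story, TP-Link or Traficom), this turns the "monitor for abnormal DNS changes" advice into a repeatable check: it assumes you periodically record which resolvers the router hands out and what a canary name resolves to through it, then flags unexpected resolvers, resolver-set drift, and hijacked answers. All addresses and snapshots are constructed.

```python
# Added example (not from the original story or from TP-Link/Traficom): detect
# "abnormal DNS changes" on a small network by comparing periodic snapshots of
# the resolvers a router hands out (e.g. from DHCP leases / resolv.conf) against
# an allowlist, and by cross-checking answers for a canary name against values
# obtained out of band. All snapshot data below is constructed.
from __future__ import annotations
from dataclasses import dataclass

@dataclass
class Snapshot:
    taken_at: str                    # ISO timestamp of the observation
    resolvers: list[str]             # DNS servers advertised by the router
    canary_answers: dict[str, str]   # name -> A record as resolved via the router

# Allowlist: resolvers you legitimately expect (assumed ISP/public resolvers).
EXPECTED_RESOLVERS = {"192.0.2.53", "9.9.9.9"}
# Trusted answers for canary names, recorded from a trusted resolver (constructed).
TRUSTED_ANSWERS = {"bank.example": "203.0.113.10", "mail.example": "203.0.113.20"}

def audit_snapshot(snap: Snapshot, previous: Snapshot | None = None) -> list[str]:
    """Return alert strings for one snapshot; an empty list means nothing abnormal."""
    alerts = []
    unknown = sorted(set(snap.resolvers) - EXPECTED_RESOLVERS)
    if unknown:
        alerts.append(f"{snap.taken_at}: router advertises unexpected resolver(s) {unknown}")
    if previous is not None and set(snap.resolvers) != set(previous.resolvers):
        alerts.append(f"{snap.taken_at}: resolver set changed from "
                      f"{sorted(previous.resolvers)} to {sorted(snap.resolvers)}")
    for name, trusted_ip in TRUSTED_ANSWERS.items():
        seen = snap.canary_answers.get(name)
        if seen is not None and seen != trusted_ip:
            alerts.append(f"{snap.taken_at}: {name} resolves to {seen} via router, expected {trusted_ip}")
    return alerts

def audit_history(snapshots: list[Snapshot]) -> list[str]:
    """Walk snapshots in order so drift between consecutive observations is caught."""
    alerts, prev = [], None
    for snap in snapshots:
        alerts.extend(audit_snapshot(snap, prev))
        prev = snap
    return alerts

# Constructed history: the second snapshot shows a rogue resolver and a hijacked canary.
HISTORY = [
    Snapshot("2026-04-01T00:00Z", ["192.0.2.53", "9.9.9.9"], {"bank.example": "203.0.113.10"}),
    Snapshot("2026-04-02T00:00Z", ["198.51.100.7", "9.9.9.9"], {"bank.example": "198.51.100.99"}),
    Snapshot("2026-04-03T00:00Z", ["192.0.2.53", "9.9.9.9"], {"bank.example": "203.0.113.10"}),
]

if __name__ == "__main__":
    for line in audit_history(HISTORY):
        print(line)
```

The third snapshot still raises a drift alert even though it looks clean on its own: a resolver set that flips back is worth a look, since it can mean settings were changed and then restored.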
TP-Link releases limited fixes for vulnerable legacy routers
After the exploitation was reported, TP-Link released security fixes for some affected home router and access point models. The company said many impacted devices were end-of-life and would not receive full patches, leaving only a few models with partial fixes.
Finnish authorities report espionage-linked exploitation of TP-Link routers
Finnish authorities reported that Russia-linked threat actors had exploited vulnerable TP-Link home router models for cyber espionage. Public reporting linked exploitation of CVE-2023-50224 to credential theft, DNS manipulation, and traffic hijacking.
Ivanti discloses new Connect Secure and Policy Secure flaws
Ivanti disclosed multiple new vulnerabilities affecting Ivanti Connect Secure and Ivanti Policy Secure, including the critical stack-based buffer overflow CVE-2025-22467. The company said Connect Secure 22.7R2.5 and earlier and Policy Secure 22.7R1.2 and earlier were affected, with fixes released in versions 22.7R2.6 and 22.7R1.3, and reported no observed exploitation at the time of disclosure.
SonicWall discloses five firewall flaws and releases patches
SonicWall disclosed five vulnerabilities affecting Gen 6, Gen 6.5, Gen 7, and TZ80 firewall products and released software updates to address them. The flaws included authentication bypass, predictable cryptographic tokens, SSRF in the SSH management interface, and potential code execution or administrative compromise, prompting guidance to patch immediately and restrict internet-facing SSLVPN access if updates were delayed.
Finnish NCSC warns of active Palo Alto GlobalProtect breaches
Finland’s National Cyber Security Centre warned that Palo Alto Networks GlobalProtect products were being actively exploited via CVE-2024-3400, with the first confirmed breach observations also seen in Finland. The agency said exploitation began before patches were released, earlier mitigation guidance was no longer sufficient, and organizations should immediately patch and investigate devices for compromise.
CISA and partner countries issue joint Ivanti warning
CISA and international partners published a joint warning stating that Ivanti’s detection tool might miss compromises and that skilled attackers could remain hidden for long periods. Organizations were urged to reassess continued use of affected products and review the security of critical edge devices.
Finnish NCSC contacts exposed Ivanti device owners
Finland’s National Cyber Security Centre contacted hundreds of owners of internet-exposed Ivanti devices about the vulnerabilities and active exploitation. Authorities warned that compromises could persist even after factory resets or software updates.
Five Ivanti vulnerabilities disclosed, three exploited in attacks
In early 2024, five vulnerabilities were disclosed in Ivanti Connect Secure and Policy Secure products, with three reported as actively exploited by state-backed threat actors. The flaws affected internet-exposed edge devices and raised concerns about persistent compromise.
Sources
6 references tracked.
National Cyber Security Centre weekly review 15/2026 (Kyberturvallisuuskeskuksen viikkokatsaus - 15/2026), Traficom, kyberturvallisuuskeskus.fi
National Cyber Security Centre weekly review 15/2026 (Kyberturvallisuuskeskuksen viikkokatsaus - 15/2026), Kyberturvallisuuskeskus, kyberturvallisuuskeskus.fi
Critical vulnerabilities in Ivanti Connect Secure and Ivanti Policy Secure (Kriittisiä haavoittuvuuksia Ivanti Connect Secure ja Ivanti Policy Secure), Traficom, kyberturvallisuuskeskus.fi
SonicWall released updates for critical vulnerabilities found in its firewalls (SonicWall julkaisi päivityksiä palomuureissa havaittuihin kriittisiin haavoittuvuuksiin), Traficom, kyberturvallisuuskeskus.fi
Breaches of Palo Alto GlobalProtect products - immediate action required (Tietomurtoja Palo Alto GlobalProtect-tuotteisiin - vaatii välittömiä toimia), Traficom, kyberturvallisuuskeskus.fi
At-risk network edge devices targeted by active intrusion attempts (Riskialttiit verkon reunalaitteet aktiivisten murtoyritysten kohteena), Traficom, kyberturvallisuuskeskus.fi