
When your firewall becomes the battlefield: What Pacific Rim reveals about infrastructure risk

This post continues our series for Cybersecurity Awareness Month, where we’ll examine some of the most consequential recent campaigns and developments to draw out lessons for defenders. In the first installment, Hidden Software Flaws Undermine Device Security, we explored how unseen vulnerabilities in connected device firmware create persistent risk across industries. Building on that theme, this post looks at the recent Pacific Rim report and our own findings from the WPS Pixie Dust attack to show how long-known flaws persist in device software.

In its report, Sophos examines a China-based campaign against edge devices across Asia-Pacific. These events highlight the same reality: attackers exploit known and undisclosed flaws in the everyday devices that connect and protect your network. Firewalls, routers, and virtual private network (VPN) appliances are now reliable entry points. Without visibility into the software that powers those devices, you leave critical gaps open for exploitation.


A shift in adversary focus

The Pacific Rim report describes actors targeting infrastructure devices not because of their inherent value, but because of their accessibility. They then used those devices as durable footholds for persistence and lateral movement. For entry, the attackers relied on known vulnerabilities that remained unpatched. In some cases, they also leveraged zero-day exploits to maintain their advantage.

The tactics highlighted in the report reflect a broader trend: adversaries achieve the same outcomes by compromising infrastructure you assume is secure, not by breaching your most sensitive servers.


Why known vulnerabilities still succeed

Zero-day exploits capture headlines, but adversaries often succeed with known flaws. When organizations delay patching or lack a process for software or firmware updates, attackers have an open door. A single unpatched firewall can put the entire network at risk.

We have also seen this play out in older attack classes that persist for years. For example, the WPS Pixie Dust attack against Wi-Fi Protected Setup continues to expose devices long after disclosure. Our research showed that many firmware images still include vulnerable implementations. The lesson matches what Sophos highlights: adversaries do not need exotic zero days when known flaws remain in circulation.

Disclosure is not protection. Without visibility into device components, you cannot act quickly when advisories appear. Ask yourself: when the next Log4j happens, am I exposed, and where? Can you answer those questions today?


Zero days raise the stakes

Sophos also documented the use of zero-day exploits in Pacific Rim. Zero days give attackers an advantage even against diligent patchers. They extend dwell time, increase stealth, and force defenders to play catch-up.

This is where deeper insight becomes critical. You cannot control when a vendor discloses a zero day, but you can control how quickly you discover weaknesses in your own devices. When you know in which components those flaws live and what actually executes inside your infrastructure, you shorten the gap between exploitation and response.

Why infrastructure attracts adversaries

Firewalls, routers, and VPNs share qualities that make them attractive: exposure to the internet, opaque system code, reliance on third-party components, and broad deployment. This combination creates a large attack surface with limited monitoring. Adversaries are pragmatic. They exploit the path of least resistance, and infrastructure devices provide exactly that.

The supply chain blind spot

Most of these devices include software from dozens of third-party sources, open-source projects, and legacy components. Without visibility into those dependencies, you cannot assess your exposure or respond to vulnerabilities promptly.

The recent breach of F5’s internal systems, which exposed and leaked portions of its source code for its BIG-IP product line along with undisclosed vulnerabilities the company had previously identified, underscores the stakes of these blind spots. When attackers gain access to the underlying code of critical infrastructure products, they can more easily identify vulnerabilities, develop exploits, or reverse-engineer trusted components. Organizations using these devices often have little visibility into the software within them, leaving defenders at a disadvantage when incidents like this occur.

This blind spot explains why attackers can exploit flaws for months, and why government directives often arrive only after compromises surface. You cannot afford to treat your devices as black boxes.

Visibility as the foundation

Traditional vulnerability management stops at operating systems and applications. The software inside infrastructure devices remains a mystery in too many organizations.

When you analyze firmware directly, you can discover vulnerabilities, outdated components, hardcoded credentials, and misconfigurations. You can identify weaknesses before attackers weaponize them. Visibility into what actually executes in your devices turns software and firmware from a liability into a manageable risk.

What you can do now

Pacific Rim offers a clear blueprint for action. Start by inventorying your infrastructure devices, verifying firmware versions, and checking for vulnerabilities and non-CVE risk, such as hard-coded secrets. Patch promptly when updates are available, and collect forensic data if compromise is suspected.

Integrate firmware and binary analysis into your vulnerability management program to understand what actually executes in your devices. Demand transparency from vendors about their third-party components, and enrich that information with your own analysis. Assume compromise is possible, and design defenses that limit impact when attackers succeed.
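The firmware checks described in the two paragraphs above, as an added example that is not NetRise's or Sophos's code: a Python scan over an unpacked firmware root filesystem that flags hard-coded secrets (baked-in password hashes in etc/shadow, embedded private keys, plaintext passwords in config files) and compares embedded shared-library versions against an advisory table. The advisory table, the sample filesystem, and the filename-based version inference are assumptions constructed for the demonstration.

```python
import os, re, tempfile

FIXED_VERSIONS = {"libssl": (1, 1, 1)}  # constructed advisory table (assumption): first fixed version
PEM_KEY = re.compile(rb"-----BEGIN (?:RSA |EC )?PRIVATE KEY-----")
CONFIG_PW = re.compile(rb"(?im)^\s*(?:password|passwd|secret)\s*=\s*\S+")
LIB_NAME = re.compile(r"^(lib[a-z0-9_]+)\.so\.(\d+(?:\.\d+)*)$")

def find_hardcoded_secrets(root):
    # Flag embedded private keys, plaintext passwords in configs, and real hashes in etc/shadow (not '', '*', '!')
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            rel = os.path.relpath(os.path.join(dirpath, name), root)
            with open(os.path.join(root, rel), "rb") as fh:
                data = fh.read()
            if PEM_KEY.search(data):
                hits.append((rel, "private-key"))
            if CONFIG_PW.search(data):
                hits.append((rel, "plaintext-password"))
            if rel == os.path.join("etc", "shadow"):
                for fields in (line.split(b":") for line in data.splitlines()):
                    if len(fields) > 1 and fields[1] not in (b"", b"*", b"!", b"!!"):
                        hits.append((rel, "password-hash:" + fields[0].decode()))
    return sorted(hits)

def find_outdated_components(root, fixed=FIXED_VERSIONS):
    # Infer shared-library versions from filenames and compare them to the advisory table
    outdated = []
    for _, _, names in os.walk(root):
        for m in filter(None, map(LIB_NAME.match, names)):
            version = tuple(int(x) for x in m.group(2).split("."))
            if m.group(1) in fixed and version < fixed[m.group(1)]:
                outdated.append((m.group(1), m.group(2)))
    return sorted(outdated)

def build_sample_rootfs():
    # Constructed firmware tree for the demonstration; not extracted from any real image
    root = tempfile.mkdtemp()
    files = {
        "etc/shadow": b"root:$1$abc$deadbeef:19000:0:99999:7:::\nnobody:*:19000::::::\n",
        "etc/ssl/server.key": b"-----BEGIN RSA PRIVATE KEY-----\nCONSTRUCTED\n-----END RSA PRIVATE KEY-----\n",
        "etc/app.conf": b"listen=443\npassword=changeme\n",
        "usr/lib/libssl.so.1.0.2": b"\x7fELF",
    }
    for rel, data in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh: fh.write(data)
    return root
```

Running it against a real unpacked image (for example the output of a firmware extraction tool) only requires pointing `root` at the extracted tree and replacing the advisory table with the versions from your vendor's or your own analysis.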

These actions reduce uncertainty, help you prove due diligence, and build resilience.

The NetRise perspective

At NetRise, we focus on solving the visibility gap that Sophos highlights. By providing detailed insight into software and firmware, we enable you to see the known vulnerabilities, outdated libraries, and hidden risk inside the devices you rely on. That knowledge allows you to act faster, respond with confidence, and prevent adversaries from exploiting blind spots.

We can’t promise that zero days will disappear. We can give you the visibility to minimize their impact and manage risk across your environment.

Every device is in play

When state-sponsored actors treat firewalls as stepping stones, the conclusion is unavoidable. Every device in your environment can become a target.

You can no longer rely on patch cycles alone or assume that only your crown jewels matter. Attackers are proving otherwise. By gaining visibility into the firmware and software supply chain that underpins your infrastructure, you can close the gaps adversaries exploit and build a stronger foundation for resilience.

Next in our Cybersecurity Awareness Month series, we’ll examine the 2025 draft of the Software Bill of Materials (SBOM) minimum elements. We’ll explore how evolving standards can help you demand greater transparency from vendors and reduce the chances that flaws like Pixie Dust linger unseen in your devices.


