Organizations using Cisco and Citrix VPN devices were nearly seven times as likely to suffer a ransomware infection over a 15-month period, according to At-Bay, a provider of cyber insurance and a vendor of managed detection and response products.
"When compared to businesses without a VPN detected, organizations using Cisco or Citrix were 6.8X more likely to fall victim to an attack," according to At-Bay’s 2025 InsurSec Report [PDF], which notes that Cisco and Citrix held the top spots in last year's report, too.
These numbers reflect ransomware insurance claims made between January 2024 and March 2025, and the report's overall findings come from At-Bay's analysis of "more than 100,000 policy years of cyber claims data." While it doesn't say how many organizations this includes, the company has about 40,000 customers in the US.
Neither Cisco nor Citrix responded to The Register's requests for comment.
When asked if these findings mean that Cisco and Citrix VPN users should find another vendor, At-Bay CISO for Customers Adam Tyra told The Register, "We think the takeaway is clear: Companies relying on on-premise VPN devices from vendors like Cisco and Citrix should strongly consider transitioning to modern cloud-based, remote access solutions."
For comparison: SonicWall VPN users clocked in at No. 2, at 5.8 times more likely to fall victim to ransomware, Palo Alto Global Protect VPN users were 5.5X, followed by Fortinet at 5.3X. "Additionally, businesses using an on-premise VPN of any kind were 3.7X more likely to fall victim to an attack than those using a cloud-based VPN or no VPN detected," according to the report.
These risk numbers are not simply a reflection of how common these devices are in At-Bay's customers' environments, according to Tyra. "Our analysis adjusted for that," he said.
"We're not suggesting these products are inherently insecure, but they are complex and require consistent maintenance," Tyra said, referring to on-prem VPN appliances. "While many organizations can deploy them securely, far fewer can maintain them properly over time, leading to missed patches and outdated configurations."
The report notes that a whopping 80 percent of ransomware attacks against companies insured by At-Bay last year started with attackers using a remote access tool to gain access, and 83 percent of those cases involved a VPN device.
At-Bay cites a couple of reasons for this. First, VPN appliances give attackers a "door into networks that would otherwise be inaccessible."
Second, they are really complex – illustrating how most orgs will choose simplicity over security any day of the week.
"Early VPNs were simple," the report says. "They only handled VPN connections and were easier to secure. Over time, vendors began combining multiple functions (like firewall, router, proxy, and VPN) into a single device."
This led to next-generation firewalls (NGFWs), which exploded in popularity following the pandemic-induced remote work rush of 2020. "The result is that NGFWs create a very large attack surface, which attackers are actively taking advantage of," the report authors wrote.
"The bottom line is that traditional on-premise VPNs are often too difficult for most companies to operate securely," Tyra said.
Tyra added that cloud-based Secure Access Service Edge (SASE) products "significantly reduce exposure to direct attacks compared to traditional VPNs." And for those that must use on-premises systems, "it's critical to invest in continuous maintenance, configuration management, and timely patching to minimize risk," he said.
Don't forget SonicWall
While intrusions – and subsequent insurance claims – affecting SonicWall devices didn't happen in the January 2024 through first-quarter 2025 time frame, the firewall and VPN provider got a call-out in the 2025 report thanks to a 300 percent increase in Akira ransomware attacks that At-Bay's incident responders saw during the third quarter of this year, compared to Q2. The average ransomware demand also jumped 104 percent, to $958,000.
Almost all of these cases involved compromised SonicWall devices. "While the exact cause remains unclear, weak credentials, lack of automatic updates, and poor MFA/EDR coverage appear to be key factors," according to the report.
SonicWall didn't respond to The Register's request for comment.
As a reminder: During Q3, Akira ransomware affiliates were caught exploiting a critical SonicWall vulnerability they had already abused the previous summer, and poking holes in SonicWall SSLVPN misconfigurations to gain access to vulnerable devices and conduct ransomware attacks.
The attacks were tied to CVE-2024-40766, a CVSS 9.8-rated improper access control flaw originally disclosed in August 2024. Both Akira and Fog ransomware criminals used this CVE last year to gain initial access to victim orgs, and in August 2025 SonicWall said not all companies took the needed steps to mitigate the issue.
"The sheer volume of security issues related to SonicWall devices over the last few years makes it difficult to identify what, specifically, Akira is relying on to mount these attacks," Tyra said.
"We have at least six different credible hypotheses to explain Akira's activities, but none of them can explain all of the attacks we've seen," Tyra continued. "Besides the high number of exploitable vulnerabilities discovered on these devices, SonicWall itself recently reported a breach of their system storing backup copies of configuration data for their products, and that may be a factor as well."
He's referring to an October admission by the vendor that all customers who used SonicWall's cloud backup service to store firewall configuration files were affected by a cybersecurity incident first disclosed in mid-September. The company previously said less than five percent of its customers were impacted.
"We don't have evidence linking SonicWall directly to these attacks," Tyra noted. "That said, this situation underscores the importance of ongoing vendor evaluation and proactive security maintenance, regardless of which products an organization uses.” ®