Network appliances — VPN gateways, firewalls, and remote access concentrators — occupy a privileged position in the network architecture. They sit at the perimeter, handling all remote access traffic. A vulnerability in one of these devices, successfully exploited, provides direct network access without requiring any user interaction or credential compromise.
The Exploitation Timeline
The ACSC has repeatedly highlighted that vulnerabilities in internet-facing network appliances are being actively exploited within 24-72 hours of public disclosure. For extreme-risk vulnerabilities, those with CVSS scores of 9.0 or above, the Essential Eight patching requirement is 48 hours. This deadline is not overly cautious: it is a response to the observed exploitation timeline.
The Most Targeted Vendors
Fortinet, Ivanti, Cisco, Palo Alto Networks, and SonicWall appliances have all been subject to actively exploited vulnerabilities in the 2023-25 period. The ACSC has issued specific advisories on many of these, often noting that Australian organisations have been affected. If your network perimeter includes any of these vendors' products, active vulnerability monitoring and rapid patching are not optional.
Beyond Patching: Configuration Review
Patching addresses known vulnerabilities. Configuration review reduces the attack surface in ways that patching cannot. This includes: disabling management access from the internet (require VPN-in-VPN or a jump host for appliance management), restricting management access to specific IP ranges, enabling logging of authentication attempts and configuration changes, and reviewing whether all enabled features and protocols are actually required.
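The four review items above can be checked automatically once an appliance's settings are summarised in a common form. The following is an added example, not code from any vendor or from the ACSC: the dictionary schema, the finding names and the 256-address threshold for "too broad" are all assumptions made for illustration, and the sample appliance is constructed.

```python
import ipaddress

# Constructed sample: a vendor-neutral summary of one appliance's settings.
# Field names are hypothetical; map your vendor's config export onto them.
SAMPLE_APPLIANCE = {
    "name": "edge-vpn-01",
    "mgmt_interfaces": [
        {"iface": "wan1", "internet_facing": True, "mgmt_enabled": True,
         "allowed_sources": ["0.0.0.0/0"]},
        {"iface": "mgmt0", "internet_facing": False, "mgmt_enabled": True,
         "allowed_sources": ["10.20.30.0/28"]},
    ],
    "logging": {"auth_attempts": True, "config_changes": False},
    "enabled_features": ["ssl-vpn", "snmp", "ipsec"],
    "required_features": ["ssl-vpn", "ipsec"],
}

def audit_appliance(cfg, max_hosts=256):
    """Return a list of (check_id, detail) findings for one appliance."""
    findings = []
    for itf in cfg["mgmt_interfaces"]:
        if not itf["mgmt_enabled"]:
            continue
        # Check 1: management plane reachable on an internet-facing interface.
        if itf["internet_facing"]:
            findings.append(("MGMT_ON_INTERNET", itf["iface"]))
        # Check 2: management restricted to specific ranges (no ACL = any source).
        sources = itf.get("allowed_sources") or ["0.0.0.0/0"]
        for src in sources:
            net = ipaddress.ip_network(src, strict=False)
            if net.num_addresses > max_hosts:  # threshold is an assumption
                findings.append(("MGMT_SOURCE_TOO_BROAD", f"{itf['iface']} {net}"))
    # Check 3: authentication attempts and configuration changes are logged.
    for event in ("auth_attempts", "config_changes"):
        if not cfg["logging"].get(event, False):
            findings.append(("LOGGING_DISABLED", event))
    # Check 4: every enabled feature or protocol is on the required list.
    unneeded = sorted(set(cfg["enabled_features"]) - set(cfg["required_features"]))
    for feat in unneeded:
        findings.append(("FEATURE_NOT_REQUIRED", feat))
    return findings

if __name__ == "__main__":
    for check, detail in audit_appliance(SAMPLE_APPLIANCE):
        print(f"{SAMPLE_APPLIANCE['name']}: {check}: {detail}")
```

An interface with no source restriction at all is treated as open to any address, so a missing ACL is reported rather than silently passed.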
We use a managed firewall from our ISP. Does patching apply to us?
If your ISP or managed service provider is responsible for the appliance, patching is their obligation — but you should verify it is being done and within appropriate timeframes. Request confirmation of patch cadence from your MSP and confirm that critical patches are applied within 48 hours of release. MSP contracts should specify patching SLAs for internet-facing infrastructure.



