Another Spyware Maker Exposed: Italian Firm IPS Caught Distributing Fake Android Surveillance Apps


Another Italian spyware maker has been caught in the act, this time distributing fake Android apps to install surveillance software on unsuspecting targets. A new report from Osservatorio Nessuno, an Italian digital rights organization, reveals how the company IPS used a deceptive phone-updating app to deploy its Morpheus spyware.

The discovery highlights the growing demand for spyware among law enforcement and intelligence agencies worldwide. As a result, numerous companies are quietly supplying these tools, often operating far from public scrutiny.

How the Morpheus Spyware Works

According to the researchers, Morpheus is a “low cost” spyware that relies on tricking victims into installing it themselves. Unlike advanced spyware from firms like NSO Group or Paragon Solutions, which use invisible zero-click attacks, Morpheus depends on social engineering.

In this case, the target’s mobile provider deliberately blocked their data connection. Then, the telecom sent an SMS urging the victim to install a fake app to restore cellular access. This strategy has been documented in other cases involving Italian spyware makers.

Once installed, the malware abused Android’s accessibility features to read screen data and interact with other apps. It then prompted a fake update, showed a reboot screen, and spoofed WhatsApp to request biometric authentication. Unbeknownst to the target, this granted the spyware full access to their WhatsApp account.

IPS: An Old Company with a New Spyware Product

Osservatorio Nessuno’s researchers, identified only as Davide and Giulio, linked the spyware to IPS based on its infrastructure. One IP address was registered to “IPS Intelligence Public Security.” Additionally, the malware code contained Italian phrases, including references to Gomorra and “spaghetti” — a common trait among Italian spyware makers.

IPS has operated for over 30 years, providing traditional lawful interception technology to governments. Its website lists several Italian police forces as customers and claims operations in more than 20 countries. However, the company did not respond to requests for comment about the spyware report.

The Target: Political Activism in Italy

Davide and Giulio could not reveal specific details about the target but believe the attack is “related to political activism” in Italy. They noted that such targeted attacks are increasingly common in this sphere.

A researcher at a cybersecurity firm, who reviewed the report, confirmed that the malware was definitely developed by an Italian surveillance tech maker. This aligns with a broader trend of Italian firms filling the void left by Hacking Team, one of the first spyware makers globally.

The Rise of Italian Spyware Makers

IPS joins a long list of Italian spyware makers exposed in recent years, including CY4GATE, eSurv, GR Sistemi, Movia, Negg, Raxir, RCS Lab, and SIO. Earlier this month, WhatsApp notified around 200 users who installed a fake version of the app, which was actually spyware made by SIO.

In 2021, Italian prosecutors suspended their use of CY4GATE and SIO spyware due to serious malfunctions. This pattern raises questions about the oversight and regulation of surveillance technology in Italy and beyond.

Building on these findings, it’s clear that the demand for government spyware continues to drive innovation in deception tactics. For more insights, explore our guide on how to protect Android from spyware. Additionally, learn about lawful interception technology to understand the legal landscape.

In conclusion, the exposure of IPS demonstrates that even established companies are turning to covert methods to meet the demands of law enforcement. As a result, users must remain vigilant against fake apps and suspicious messages, especially those claiming to fix network issues.


Sharp Rise in Brute-Force Attacks Targets SonicWall and Fortinet Devices, Researchers Warn


Security researchers have observed a dramatic increase in brute-force attacks aimed at compromising SonicWall and Fortinet devices. According to a new report from Barracuda Networks, the vast majority of these attempts—88%—appear to originate from the Middle East. While many attacks were blocked, the trend signals a growing threat to perimeter security.

What Drives the Surge in Brute-Force Attacks?

Barracuda’s analysis reveals that most of these brute-force attacks were unsuccessful, either thwarted by security tools or targeting invalid usernames. However, the timing is noteworthy. The spike coincides with heightened US and Israeli hostilities against Iran, suggesting a possible geopolitical motive. Attackers may be routing traffic through Middle Eastern servers, but the pattern raises alarms about state-linked cyber activity.

In recent weeks, Iranian-affiliated hackers have targeted US critical infrastructure and medtech firms. The line between state-sponsored operations and financially motivated cybercrime continues to blur, as seen with the resurgence of the Pay2Key ransomware group. For more context, read our analysis on hybrid Middle East conflicts triggering global cyber activity.

Why Edge Devices Are Prime Targets

Edge devices like VPNs and firewalls from SonicWall and Fortinet are internet-facing yet provide direct access to corporate networks. This makes them attractive targets for brute-force attacks. Barracuda reports that over half (56%) of all confirmed incidents from February to March involved such attacks.

“Attackers are aggressively scanning and testing perimeter devices for weak or exposed credentials,” warns Laila Mubashar, senior cybersecurity analyst at Barracuda. “Even when attacks fail, persistent probing raises the risk that a single weak password or misconfiguration could lead to compromise.”

How to Protect Your Network

To defend against these threats, organizations should take immediate action:

  • Enforce strong, unique passwords on all network and security devices.
  • Enable multi-factor authentication (MFA) on all VPNs, firewalls, and remote access services.
  • Monitor and investigate repeated failed login attempts.
  • Restrict management interfaces to trusted IP ranges where possible.
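The third and fourth items above are the ones a SOC can automate. The script below is an added example, not Barracuda's or any vendor's tooling: it parses a constructed, generic VPN/firewall authentication log, raises one alert when a single source address produces a burst of failed logins inside a sliding window (counting how many distinct usernames were tried, since Barracuda notes many attempts hit invalid usernames), raises a higher-severity alert if that same source later logs in successfully, and checks whether the source sits outside a trusted management range. The log format, hostnames, TEST-NET addresses and trusted range are all assumptions.

```python
"""Flag brute-force login activity against perimeter devices from authentication
log lines, and check whether a source sits outside the trusted management
ranges. Added example, not Barracuda's or any vendor's tooling; the log
format, hostnames, addresses and trusted ranges below are all constructed."""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (TEST-NET addresses, not real devices).
SAMPLE_LOG = """\
2026-03-02T10:00:01Z vpn01 auth: FAILED user=admin src=203.0.113.10
2026-03-02T10:00:03Z vpn01 auth: FAILED user=administrator src=203.0.113.10
2026-03-02T10:00:04Z vpn01 auth: FAILED user=root src=203.0.113.10
2026-03-02T10:00:06Z vpn01 auth: FAILED user=test src=203.0.113.10
2026-03-02T10:00:07Z vpn01 auth: FAILED user=guest src=203.0.113.10
2026-03-02T10:00:09Z vpn01 auth: FAILED user=admin src=203.0.113.10
2026-03-02T10:00:15Z vpn01 auth: OK user=jsmith src=198.51.100.7
2026-03-02T10:05:00Z vpn01 auth: FAILED user=jsmith src=198.51.100.7
2026-03-02T10:20:00Z vpn01 auth: FAILED user=jsmith src=198.51.100.7
2026-03-02T10:30:00Z vpn01 auth: OK user=admin src=203.0.113.10
"""

# Assumption: management interfaces should only be reached from this range.
TRUSTED_MGMT_NETS = [ipaddress.ip_network("198.51.100.0/24")]

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) auth: (?P<result>OK|FAILED) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_log(text):
    """Turn raw lines into event dicts; lines that do not match are ignored."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return events


def detect_bruteforce(events, threshold=5, window=timedelta(minutes=1)):
    """Sliding window per source address: raise one alert when `threshold`
    failures land inside `window`, and a second, higher-severity alert if that
    source later logs in successfully (the single weak password that turns
    persistent probing into a compromise)."""
    recent = defaultdict(list)   # src -> [(ts, user)] failures inside the window
    alerted = set()
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        src = ev["src"]
        if ev["result"] == "FAILED":
            q = recent[src]
            q.append((ev["ts"], ev["user"]))
            while q and ev["ts"] - q[0][0] > window:   # expire old failures
                q.pop(0)
            if len(q) >= threshold and src not in alerted:
                alerted.add(src)
                users = {u for _, u in q}
                alerts.append({
                    "type": "bruteforce",
                    "src": src,
                    "failures": len(q),
                    "distinct_users": len(users),   # >1 suggests guessing/spraying
                    "first": q[0][0],
                    "last": ev["ts"],
                })
        elif src in alerted:   # a successful login from a source already flagged
            alerts.append({
                "type": "success_after_bruteforce",
                "src": src,
                "user": ev["user"],
                "ts": ev["ts"],
            })
    return alerts


def outside_trusted(src, nets=TRUSTED_MGMT_NETS):
    """True when `src` is not inside any trusted management range."""
    addr = ipaddress.ip_address(src)
    return not any(addr in net for net in nets)


if __name__ == "__main__":
    for a in detect_bruteforce(parse_log(SAMPLE_LOG)):
        flag = " (outside trusted range)" if outside_trusted(a["src"]) else ""
        print(a["type"], a["src"] + flag, a)
```

On the sample log the burst from 203.0.113.10 trips the threshold on its fifth failure (five distinct usernames in six seconds), the two spaced-out failures from the trusted-range user do not, and the later successful `admin` login from the flagged source produces the second alert; that combination, a success following a burst, is the one worth paging on.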

For additional guidance, check out our network security best practices guide.

The Rise of ClickFix Social Engineering Attacks

Alongside the brute-force attacks, Barracuda highlights a surge in ClickFix attacks. These social engineering schemes trick users into copying and executing malicious scripts under the guise of fixing a non-existent technical issue. Mubashar explains that such attacks exploit user trust and anxiety.

“Attackers use familiar elements like pop-ups, prompts, and instructions to run a fix,” she adds. “Because ClickFix attacks rely on duping users into adding malicious commands themselves, they are harder for automated security systems to spot.”

To mitigate this threat, organizations should improve end-user education, restrict who can run PowerShell or command-line tools, and deploy monitoring tools for unusual behavior. Learn more about social engineering defense strategies.
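Two of those mitigations, restricting who may run command-line tools and monitoring for unusual behaviour, can be turned into a concrete check. The script below is an added example, not Barracuda's tooling or anything from the report: it screens process-creation events for the ClickFix shape, an interpreter such as PowerShell or cmd.exe launched from the desktop shell (parent `explorer.exe`, which is what the Run dialog and the Explorer address bar produce) by an account that is not approved to run such tools interactively, or with a long base64-like blob on the command line. The event fields are loosely modelled on process-creation telemetry; the account names, approved-user list, paths and every sample event are constructed.

```python
"""Screen process-creation events for ClickFix-shaped activity: a command
interpreter launched from the desktop shell (parent explorer.exe) by an account
with no approved reason to run such tools interactively, or carrying a long
base64-like blob on its command line. Added example, not Barracuda's tooling;
event fields are modelled loosely on process-creation telemetry and every
sample event, account and path below is constructed."""
import re

INTERPRETERS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe", "wscript.exe"}
# Assumption: only these accounts are approved to run interpreters interactively.
ALLOWED_INTERACTIVE_USERS = {"CORP\\it-admin", "CORP\\dev-build"}
# 40+ base64 characters in a row is typical of an encoded or obfuscated payload.
BASE64_BLOB = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")

SAMPLE_EVENTS = [  # constructed; the blob is just "AAAA..." base64-encoded
    {"user": "CORP\\alice", "parent": "explorer.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -enc " + "QUFB" * 12},
    {"user": "CORP\\it-admin", "parent": "explorer.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -NoProfile -File C:\\scripts\\backup.ps1"},
    {"user": "CORP\\bob", "parent": "explorer.exe", "image": "WINWORD.EXE",
     "cmdline": "WINWORD.EXE /n report.docx"},
    {"user": "NT AUTHORITY\\SYSTEM", "parent": "svchost.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -File C:\\Windows\\Tasks\\inventory.ps1"},
    {"user": "CORP\\carol", "parent": "explorer.exe", "image": "cmd.exe",
     "cmdline": "cmd.exe /c dir"},
]


def screen_event(ev):
    """Return the reasons this event looks ClickFix-shaped (empty list if none)."""
    reasons = []
    if ev["image"].lower() not in INTERPRETERS:
        return reasons                      # not an interpreter: out of scope
    interactive = ev["parent"].lower() == "explorer.exe"
    if interactive and ev["user"] not in ALLOWED_INTERACTIVE_USERS:
        reasons.append("interpreter launched interactively by non-approved account")
    if BASE64_BLOB.search(ev["cmdline"]):
        reasons.append("base64-like blob in command line")
    return reasons


def screen_events(events):
    """Collect every event that produced at least one reason, with its index."""
    hits = []
    for i, ev in enumerate(events):
        reasons = screen_event(ev)
        if reasons:
            hits.append({"index": i, "user": ev["user"], "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in screen_events(SAMPLE_EVENTS):
        print(hit["index"], hit["user"], "; ".join(hit["reasons"]))
```

On the constructed events the approved administrator's scripted PowerShell run and the scheduled task under SYSTEM pass, while the two interactive launches by ordinary users are flagged, the first on two counts. The approved-user allowlist is the policy the article recommends expressed as a detection; in production it would come from a group membership lookup rather than a literal set.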

Final Thoughts on the Growing Threat Landscape

The surge in brute-force attacks on SonicWall and Fortinet devices underscores the importance of robust perimeter security. As geopolitical tensions rise, attackers are becoming more persistent and sophisticated. By implementing strong authentication measures and educating users, organizations can reduce their risk of compromise.

AI Companies Like OpenAI and Anthropic to Play Bigger Role in CVE Program, Says CISA


The world’s largest vulnerability disclosure scheme is opening its doors wider to artificial intelligence firms. According to a senior leader at the US Cybersecurity and Infrastructure Security Agency (CISA), AI companies like OpenAI and Anthropic should take on a more prominent role in software vulnerability disclosures. This call comes as the Common Vulnerabilities and Exposures (CVE) program braces for an unprecedented surge in reported flaws, driven partly by AI-powered discovery tools.

Speaking at VulnCon26 in Scottsdale, Arizona, Lindsey Cerkovnik, chief of CISA’s Vulnerability Response and Coordination (VRC) Branch, emphasized that AI companies “should be better represented” within the CVE program. As the sole sponsor of the MITRE-run initiative, CISA manages coordinated vulnerability disclosures for thousands of organizations worldwide. Cerkovnik acknowledged that the program has experienced rapid growth in reported vulnerabilities over the past year, and the evolution of AI platforms will likely accelerate that trend. “With the arrival of new AI tools, some helping discover valid vulnerabilities, others perhaps finding things with less value, we’re at a turning point,” she said.

Why AI Companies Are Key to Vulnerability Disclosures

The push for AI companies to join the CVE program comes at a critical moment. Just days before Cerkovnik’s speech, Anthropic launched Claude Mythos Preview, a large language model (LLM) designed to autonomously find and fix cybersecurity vulnerabilities at scale. Currently available only to the 40 members of Project Glasswing, the model allegedly discovered thousands of zero-day vulnerabilities during testing, including several in the Linux kernel that could allow attackers to escalate from ordinary user access to complete control of a machine.

Similarly, OpenAI released GPT-5.4-Cyber on April 14, a version of its GPT-5.4 model fine-tuned for cybersecurity use cases and available exclusively to members of its “Trusted Access for Cyber Defense” program. These developments highlight the growing role of AI in vulnerability research. However, researchers at the UK’s AI Security Institute (AISI) noted that after testing Mythos Preview, they “cannot say for sure” whether it would successfully attack “well-defended systems.” This caution underscores the need for responsible disclosure practices.

CVE Program Faces Record Growth in 2026

The CVE program already counts 327,000 unique records to date, and the pace of disclosures is accelerating. Jerry Gamblin, principal engineer at Cisco Threat Detection and Response, observed that 18,247 vulnerabilities were reported in the first quarter of 2026 alone, a 27.9% increase from the same period in 2025. On average, 174 CVEs are reported daily this year, compared to 132 in 2025.

In February 2026, the Forum of Incident Response and Security Teams (FIRST), which co-hosts VulnCon with the CVE program, forecast a record-breaking 50,000 additional CVEs in 2026. Gamblin expects even higher numbers, predicting 70,135 CVEs by year’s end, a 45.6% growth rate from 48,171 in 2025. This surge is partly driven by AI tools that can identify vulnerabilities faster than traditional methods. Therefore, integrating AI companies into the CVE program could help manage this influx more effectively.

AI Companies as Official Vulnerability Reporters

Cerkovnik’s call for closer integration aligns with the CVE program’s broader diversification strategy. In July 2025, the program launched two new forums: the CVE Consumer Working Group (CWG) and the CVE Researcher Working Group (RWG). One key objective is to increase the number of CVE Numbering Authorities (CNAs)—organizations authorized to publicly disclose vulnerabilities and assign CVE identifiers. As of March 2026, the program has over 500 contributors, with 502 CNAs registered.

Diversification also means internationalization, with more European-based CNAs expected to be vetted in the future, according to Nuno Rodrigues Carvalho, head of sector for Incidents and Vulnerability Services at the European Cybersecurity Agency (ENISA). His colleague, Johannes Kaspar Clos, a responsible disclosure expert at ENISA, said he would welcome AI companies becoming CNAs. “We need to include a diverse crowd of cybersecurity practitioners, from product and national CERTs and CSIRTs to researchers and vulnerability finders. Anthropic is one example of a company who identified vulnerabilities and therefore, is of course rightfully mentioned in being a potential CNA,” Clos explained.

However, Clos expressed caution about the speed of AI tool launches. While he welcomed Claude Mythos and similar tools, he said he would have preferred their capabilities to be disclosed “before the products are pushed to the market.” He added, “Security testing should be implemented before users are put at risk.” This sentiment reflects a broader need for responsible innovation in AI-powered vulnerability research.

CISA’s Commitment to the CVE Program

Cerkovnik reaffirmed that the CVE program is “a top priority” for CISA and the US Department of Homeland Security (DHS). She assured that funding for the program is secure, stating, “Contracts and funding for the CVE program are secure. Funding has never been an issue.” However, she noted that DHS remains technically in a shutdown situation, which complicates decision-making at CISA, including spending on outreach activities like her attendance at VulnCon.

Building on this, the CVE program’s expansion to include AI companies could help address the growing volume of vulnerabilities while ensuring responsible disclosure practices. As the cybersecurity landscape evolves, collaboration between traditional vulnerability researchers and AI firms will become increasingly important. For more on CISA’s roadmap, read CISA Launches Roadmap for the CVE Program.

In conclusion, the integration of AI companies into the CVE program represents a natural evolution for the vulnerability disclosure ecosystem. With record-breaking numbers of CVEs expected in 2026, and AI tools capable of discovering flaws at an unprecedented scale, the time is ripe for these firms to become official partners. The challenge will be balancing speed with security, ensuring that innovation does not come at the cost of user safety. For more insights on AI’s role in cybersecurity, check out AI-Powered Vulnerability Research Trends.

Spy campaigns expose how surveillance vendors hijack telecom networks to track phone locations


Security researchers have uncovered two separate spying campaigns that exploit known weaknesses in global telecom infrastructure to track people’s phone locations. According to a new report from Citizen Lab, these operations are likely just a small sample of widespread abuse by surveillance vendors seeking access to cellular networks.

The findings, published Thursday, reveal how vendors operate as “ghost” companies that pose as legitimate mobile providers. By piggybacking on network access, they can look up the real-time location data of targets without their knowledge. This practice, researchers warn, is far more common than previously understood.

How SS7 and Diameter flaws enable phone location tracking

One of the core issues lies in the insecurity of SS7, a set of protocols for 2G and 3G networks that has long been the backbone of global telecom routing. SS7 lacks authentication and encryption, making it easy for rogue operators to exploit. For years, experts have warned that governments and spyware makers can abuse these vulnerabilities to geolocate individuals.

Building on this, the newer Diameter protocol—designed for 4G and 5G—includes better security features. However, Citizen Lab highlights that many providers fail to implement these protections properly. Attackers can still fall back to exploiting SS7 when Diameter defenses are weak. This means that even modern networks remain vulnerable to phone location tracking.

Three telecom providers implicated in surveillance campaigns

Both campaigns share a common thread: they abused access to three specific telecom providers. These companies acted as entry and transit points, allowing surveillance vendors and their government clients to hide behind their infrastructure. The report names 019Mobile (Israel), Tango Networks U.K., and Airtel Jersey (now owned by Sure) as key players.

Sure CEO Alistair Beak told TechCrunch that the company does not lease signaling access for tracking purposes. He stated that Sure has implemented measures to block misuse, including monitoring and suspending suspicious activity. However, Tango Networks and 019Mobile did not respond to requests for comment. Gil Nagar, head of IT at 019Mobile, sent a letter to Citizen Lab saying the company “cannot confirm” that the identified infrastructure belongs to them.

Two distinct methods of phone location tracking

The first campaign relied on exploiting SS7 flaws, switching to Diameter when needed. Researchers believe this operation was run by an Israel-based commercial geo-intelligence provider with deep telecom integration. The second campaign used a different approach: sending special SMS messages to a “high-profile” target’s SIM card.

These messages, known as SIMjacker attacks (first documented by Enea in 2019), communicate directly with the SIM card without alerting the user. They can turn a phone into a location tracking device. Gary Miller, one of the Citizen Lab researchers, noted that these attacks are geographically targeted and difficult to detect. “I’ve observed thousands of these attacks through the years,” he said, calling them “a fairly common exploit.”

Why this matters for privacy and security

Miller emphasized that these two campaigns are just the tip of the iceberg. “We only focused on two surveillance campaigns in a universe of millions of attacks across the globe,” he explained. The findings underscore how telecom network abuse remains a persistent threat, especially for high-profile individuals like journalists, activists, and political figures.

For more on how these vulnerabilities work, check out our guide on SS7 security risks and how to protect yourself. Also, learn about Diameter protocol exploits in 5G networks.

What can be done to stop phone location tracking?

Telecom providers must implement stronger authentication and monitoring for signaling protocols. Governments should enforce stricter regulations on surveillance vendors and their access to network infrastructure. For individuals, using encrypted communication apps and disabling location services when not needed can help reduce exposure.

As Citizen Lab’s report makes clear, the abuse of telecom networks for phone location tracking is not a theoretical risk—it’s happening now. The question is how quickly the industry will close these gaps before more targets are compromised.
