Threat library

What's actually hitting network devices.

A curated library of vulnerabilities and campaigns targeting the equipment Cogent audits — switches, routers, firewalls and VPN gateways. Each entry links to the primary advisory and notes how a configuration audit helps.

CriticalCVE-2023-20198 · Cisco IOS XE

IOS XE web UI privilege escalation — mass exploitation

Attackers created privilege-15 accounts on tens of thousands of routers and switches via the exposed web UI, then dropped implants. One of the largest network-device compromises on record.

Audit angle: flags ip http server exposed beyond the management VRF and unexpected local users on every sweep.
CampaignArcaneDoor · Cisco ASA/FTD

ArcaneDoor — espionage campaign against perimeter firewalls

State-sponsored actors chained CVE-2024-20353 and CVE-2024-20359 to implant "Line Runner" and "Line Dancer" on ASA devices, targeting government networks worldwide.

Audit angle: firmware inventory against advisories, plus drift detection on boot and management-plane config.
CriticalCVE-2024-3400 · PAN-OS

GlobalProtect command injection, exploited in the wild

Unauthenticated root-level command injection in PAN-OS GlobalProtect gateways (Operation MidnightEclipse), exploited before a patch existed.

Audit angle: inventories exposed GlobalProtect portals and verifies telemetry/hotfix state fleet-wide within one sweep.
CriticalCVE-2024-21762 · FortiOS

FortiOS SSL-VPN out-of-bounds write

Remote code execution in FortiGate SSL-VPN, added to CISA's KEV catalog within days. SSL-VPN endpoints remain among the most attacked surfaces in enterprise networks.

Audit angle: flags SSL-VPN enabled on unpatched firmware and checks interface exposure against your golden policy.
HighCVE-2023-36845 · Junos OS

Junos J-Web PHP environment manipulation

Unauthenticated remote code execution on EX switches and SRX firewalls via the J-Web interface, chained in active exploitation shortly after disclosure.

Audit angle: detects web-management enabled on untrusted interfaces — the config-level fix that closes the whole class.
CampaignVolt Typhoon · multi-vendor

Volt Typhoon — living off the land on network gear

PRC state actor pre-positioning in critical infrastructure, moving through SOHO routers and enterprise network devices using built-in tools and valid credentials — almost no malware to detect.

Audit angle: configuration and credential hygiene are the primary defense when there's no malware: unused accounts, weak secret types, exposed management planes.
CampaignSalt Typhoon · telecom

Salt Typhoon — telecom intrusions via core network devices

Long-dwell intrusions at major telecom providers through carrier routing infrastructure, prompting joint guidance on hardening communications networks.

Audit angle: continuous audit of management-plane exposure, logging paths and config drift — the controls the joint guidance calls out first.
EvergreenSNMP · multi-vendor

Default and weak SNMP community strings

Two decades old and still everywhere: public/private community strings and SNMPv2c on management interfaces hand attackers topology, ARP tables and sometimes write access.

Audit angle: one of the most common findings in first sweeps — flagged with the exact offending line and a v3 migration diff.
This library is curated by the team and links to primary vendor and government advisories — always confirm current patch guidance against the linked source. Spotted something we should add? Tell us.