Managed Network Edge · Deep dive 01

When the VPN is the way in: retiring appliance-based remote access

Ivanti and Fortinet spent the last year proving the remote-access appliance is the soft target. Here is how we cut an agency over to identity-aware access with no downtime window.

Draft outline · Security lens
The anchor

In January 2025 CISA tied Ivanti Connect Secure CVE-2025-0282 (unauthenticated remote code execution) to active exploitation and the RESURGE malware chain, and FortiOS SSL VPN authentication-bypass flaws were exploited through the year. The pattern is consistent: an internet-facing appliance with a pre-auth listener and no identity in the path.

Sources we build on
Primary

Government primary source confirming CVE-2025-0282 was actively exploited, with the RESURGE malware linkage.

Journalism
The Register / Ars Technica edge-appliance coverage

Independent technical reporting on the 2025 run of VPN and edge-device zero-days and how the exploit chains work.

Article outline
  1. The appliance as attack surface. Why an always-on VPN concentrator is the thing attackers hit first.
  2. How CVE-2025-0282 actually worked. Pre-auth RCE, no identity check, straight to the internal network.
  3. What ZTNA removes. No public listening service, access brokered per-session against identity and device posture.
  4. The cutover. Running VPN and ZTNA in parallel, migrating cohorts, decommissioning the concentrator without a downtime window.
  5. Does patching save you? The honest answer, and why architecture beats the patch race here.
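Outline items 3 and 4 are easier to picture with the decision logic written out. The block below is an added illustration, not code from this outline or from any ZTNA product: it models a per-session broker that checks identity and device posture for one application at a time, with no network-level grant at all, and a cutover router that keeps unmigrated cohorts on the legacy concentrator path while migrated cohorts get brokered access only. The policy table, users, devices and cohort names are constructed for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Identity:
    user: str
    groups: frozenset
    mfa_verified: bool


@dataclass(frozen=True)
class DevicePosture:
    managed: bool
    disk_encrypted: bool
    patch_age_days: int  # days since the endpoint last applied OS updates


# Constructed policy table (hypothetical): per application, the groups entitled
# to it and the posture floor a device must meet for that application.
APP_POLICY = {
    "payroll": {"groups": {"finance"}, "max_patch_age_days": 14},
    "wiki": {"groups": {"staff", "finance"}, "max_patch_age_days": 30},
}


def broker_session(identity, posture, app):
    """Decide one session for one application.

    Default deny: the result is an (allowed, reason) tuple for that app,
    never a route onto the internal network. Every check runs per session,
    so a stale device loses access the next time it asks, not at the next
    appliance patch cycle.
    """
    policy = APP_POLICY.get(app)
    if policy is None:
        return False, "unknown application"
    if not identity.mfa_verified:
        return False, "identity not MFA-verified"
    if not (identity.groups & policy["groups"]):
        return False, f"user {identity.user} not entitled to {app}"
    if not posture.managed or not posture.disk_encrypted:
        return False, "device fails baseline posture"
    if posture.patch_age_days > policy["max_patch_age_days"]:
        return False, (
            f"device patch age {posture.patch_age_days}d exceeds "
            f"{policy['max_patch_age_days']}d for {app}"
        )
    return True, f"{identity.user} -> {app}"


def reachable_apps(identity, posture):
    """What the session can reach is the set of individual app grants;
    there is no 'inside the network' once the concentrator is retired."""
    return sorted(
        app for app in APP_POLICY if broker_session(identity, posture, app)[0]
    )


def route_request(identity, posture, app, migrated_cohorts):
    """Parallel-run cutover. Users in a migrated cohort only ever get the
    brokered path; everyone else stays on the legacy concentrator until
    their cohort moves, so no downtime window is needed."""
    in_migrated_cohort = any(
        identity.user in users for users in migrated_cohorts.values()
    )
    if not in_migrated_cohort:
        return "legacy-vpn"
    allowed, reason = broker_session(identity, posture, app)
    return f"ztna:{'allow' if allowed else 'deny'}:{reason}"


# Constructed sample data (hypothetical users, devices and cohorts).
ALICE = Identity("alice", frozenset({"finance", "staff"}), mfa_verified=True)
BOB = Identity("bob", frozenset({"staff"}), mfa_verified=True)
HEALTHY = DevicePosture(managed=True, disk_encrypted=True, patch_age_days=3)
STALE = DevicePosture(managed=True, disk_encrypted=True, patch_age_days=21)
MIGRATED = {"wave-1": {"alice"}}

if __name__ == "__main__":
    print(broker_session(ALICE, HEALTHY, "payroll"))
    print(broker_session(ALICE, STALE, "payroll"))
    print(reachable_apps(BOB, HEALTHY))
    print(route_request(BOB, HEALTHY, "wiki", MIGRATED))
    print(route_request(ALICE, HEALTHY, "payroll", MIGRATED))
```

The point the example makes for the "does patching save you" item: the broker's answer changes per session as posture and entitlement change, whereas a concentrator's pre-auth listener answers every connection the same way until someone patches it.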
How it aligns to what we do

This is the front door for Managed Network Edge and the clearest example of our positioning: we do not sell a strategy document about zero trust, we deploy the access path and retire the appliance, at a fixed price, with the migration risk owned by us. It also lets us be candid where a vendor would not: patching alone is a losing race against pre-auth zero-days, and we say so.

Points to hit
Control it ratifies
ISM / E8: the E8 "Patch applications" control, plus the ISM guidelines on remote access and network management. The candid line: the durable control is architectural (no exposed pre-auth listener), because the 48-hour patch window still loses to same-day exploitation.