Popular programs were supposed to protect companies, but turned out to be loopholes for hackers

- 33% of cyberattacks worldwide begin with the exploitation of software vulnerabilities, 16% with stolen login credentials and 13% with phishing, a vector that has lost importance since last year, according to the "M-Trends 2025" report.
- The most commonly exploited vulnerabilities were in Palo Alto Networks, Ivanti and Fortinet products. They were exploited by, among others, groups linked to China and Russia.
- In Poland the government warned about the Fortinet vulnerability, but there are no plans to create a blacklist of dangerous products.
Every third cyberattack begins with the exploitation of a software vulnerability, concludes the latest report by Mandiant, a company that deals, among other things, with detecting threats on the network. The flaws most often exploited were in products of the largest American security vendors: Palo Alto Networks, Ivanti and Fortinet.
Three of the vulnerabilities described by Mandiant were particularly dangerous: they were zero-days, meaning they were exploited before the vendor knew about them and had a security patch available. This is all the more serious because the attacks were not carried out only by ordinary criminals; some were organized or supported by Chinese and Russian cyber-espionage groups.
Dangers of security providers
The vulnerability exploited most often last year (CVE-2024-3400) sits in the GlobalProtect feature of PAN-OS, the operating system of Palo Alto Networks firewalls. Companies around the world use it to secure employees' remote connections.
Identified in April 2024, the bug allowed an unauthenticated attacker to execute arbitrary commands on the device, and so take control of it, without the administrator's knowledge. According to Mandiant's data, several criminal groups managed to exploit it before the vulnerability was discovered and patched. Among them were actors associated with the RANSOMHUB ransomware operation, known for extorting ransoms and threatening to publish stolen data.
Two of the four most commonly exploited vulnerabilities concern Ivanti products, Connect Secure VPN and Policy Secure, both used to let employees log in securely to the corporate network. The flaws Mandiant describes allowed an attacker to bypass authentication (CVE-2023-46805) and execute commands on the appliance (CVE-2024-21887); chained together they give unauthenticated remote code execution.
These flaws, too, were put to use by criminals. In total, at least eight different groups were identified actively exploiting the Ivanti vulnerabilities. Five of them were espionage-related and likely linked to China.
Polish Minister Warns of Fortinet Program Flaw
A serious security flaw was also disclosed in FortiClient Endpoint Management Server (EMS), a tool companies use to centrally manage the protection of employee computers. The flaw, a SQL injection, allowed attackers to inject their own commands into the product's database.
In practice this meant the ability to manipulate data, bypass security controls and even take control of the server. One criminal group installed a legitimate remote administration program on compromised servers and then sold that access to other criminal groups. Mandiant also attributed exploitation of the flaw to a cluster it suspects is FIN8, this time to break into organizations and steal their data for extortion.
In October and November 2024, the suspected FIN8 threat cluster gained access to a targeted organization by exploiting CVE-2023-48788, deployed SNAKEBITE ransomware, and used the publicly available RESTIC backup tool to steal data.
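To make concrete what "injecting commands into the database" means in the FortiClient EMS passage above, here is an added illustration in Python using an in-memory SQLite database. It is not the vendor's code and does not reproduce the actual flaw; the accounts table, its rows and the two payloads are constructed for the example. It shows the vulnerable pattern (string-building the query) beside its fix (a bound parameter), and why the second is immune.

```python
import sqlite3

# Constructed sample schema and data for the illustration (not a real product's).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE accounts (username TEXT, role TEXT, api_key TEXT);
        INSERT INTO accounts VALUES ('alice', 'admin', 'key-alice');
        INSERT INTO accounts VALUES ('bob',   'user',  'key-bob');
    """)
    return conn

def lookup_vulnerable(conn, username):
    # Attacker-controlled input is spliced into the SQL text, so the database
    # engine cannot distinguish the data from the commands around it.
    sql = f"SELECT username, role FROM accounts WHERE username = '{username}'"
    return conn.execute(sql).fetchall()

def lookup_parameterized(conn, username):
    # The statement text is fixed; the value is sent separately as a bound
    # parameter and can never change the meaning of the query.
    sql = "SELECT username, role FROM accounts WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()

# Constructed payloads: the first turns the WHERE clause into a tautology
# (every row matches), the second appends a UNION that reads a column the
# query was never meant to expose and comments out the dangling quote.
TAUTOLOGY = "' OR '1'='1"
UNION_EXFIL = "x' UNION SELECT username, api_key FROM accounts -- "

def demo():
    conn = make_db()
    return {
        "vulnerable_benign": lookup_vulnerable(conn, "bob"),
        "vulnerable_tautology": lookup_vulnerable(conn, TAUTOLOGY),
        "vulnerable_union": lookup_vulnerable(conn, UNION_EXFIL),
        "safe_benign": lookup_parameterized(conn, "bob"),
        "safe_tautology": lookup_parameterized(conn, TAUTOLOGY),
        "safe_union": lookup_parameterized(conn, UNION_EXFIL),
    }

if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

Against the vulnerable function the tautology returns every account and the UNION payload leaks the api_key column; the parameterized function returns only the exact-match row for "bob" and nothing at all for either payload, because the quotes and keywords in them are just characters in a string the engine compares against usernames.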
The Government Plenipotentiary for Cybersecurity (in this term, Deputy Prime Minister Krzysztof Gawkowski) even issued a statement about this vulnerability. In March 2024 he recommended updating Fortinet products to the latest versions.
What scale of problems could this vulnerability have caused in Poland? That is not known, because the Ministry of Digital Affairs (MC) keeps no register of the suppliers and products that secure IT systems, either in public administration or in subordinate institutions.
- Public sector entities have a large degree of autonomy in selecting, acquiring and applying IT security solutions - the ministry's press office assures us.
Officials confirm, however, that products from the suppliers named in the Mandiant report are also used in public administration.
Ministry awaits key cybersecurity bills
As the Ministry of Digital Affairs assures, however, there are no plans to exclude suppliers whose software was vulnerable to attack. In future such cases are to be governed by an amendment to the act on the National Cybersecurity System (the ministry hopes the government will adopt it by mid-year) and by the act on the Cybersecurity Certification System, which the Council of Ministers has already adopted.
- The draft provisions on the protective order or on the procedure for recognising a high-risk supplier may be applied in the future if vulnerabilities pose a threat to the fundamental security interest of the state, which would be preceded by a detailed analysis - we read in the MC's responses.
For now, Computer Security Incident Response Teams (CSIRTs) send vulnerability information to the institutions they cover, and NASK scans for security vulnerabilities with its Artemis tool.

What do the software vendors themselves think about the report? We asked all three companies named by Mandiant; only Fortinet did not respond to WNP's questions.
The Ivanti spokesman emphasizes that it is not just ordinary criminals who are the adversary for companies. "State-sponsored, aggressive attacks on edge devices are a common and well-documented challenge for the entire industry," he admits.
He adds that the company invests in threat-intelligence partnerships and collaborations and publishes detailed information about its patches.
Palo Alto Networks representatives also point to fixes, emphasizing that patches for the vulnerability cited in the Mandiant report were published within three days of the problem being announced.
- Information on detected product vulnerabilities is publicly announced by us and kept up to date by our PSIRT team - notes the company's press office.
The company also says it tests its software before it reaches the market.
- Even in the event of an incident, we are able to quickly analyse a previously tested scenario, develop a fix and deploy it in the affected products - emphasize Palo Alto Networks representatives.
As the Ministry of Digital Affairs reminds, software should be updated as soon as possible after such notices.
The Government Plenipotentiary for Cybersecurity states clearly in his recommendations and communications that the key actions for limiting any cybersecurity incident are keeping the solutions in use up to date and using multi-factor authentication.
The vendors' statements suggest that software vulnerabilities are natural. Paweł Nogowicz, the owner of Evercom, sees it differently. As he stressed during a discussion at the European Economic Congress (EEC) in Katowice, this is a market pathology, and customers are becoming de facto software testers. - It cannot be that software requires the constant installation of patches that eliminate some vulnerabilities but generate new ones - he said.
wnp.pl