VPN Appliances Are Becoming Prime SMB Targets
FortiGate, SonicWall, and Pulse Secure account for 38% of SMB network breaches in Q1 2026. We analyze why patch lag in this category is structurally higher — and what the next 60 days look like.
The Pattern
In Q1 2026, vulnerabilities in VPN and network perimeter appliances — FortiGate, SonicWall SMA, Pulse Connect Secure, and Cisco ASA — account for an estimated 38% of confirmed SMB network intrusions in our dataset.
This is not a coincidence. It is a structural pattern driven by three reinforcing factors.
Why VPN Appliances Are Different
1. They are internet-facing by design. Unlike an ERP or accounting system, a VPN appliance is necessarily exposed to the public internet. A vulnerability in FortiGate OS does not require an attacker to first gain internal access — it is the first door.
2. Patch lag is structurally higher. Our SMB software stack data shows an average patch lag of 60-75 days for network appliances, compared to 14-21 days for cloud-managed tools like Microsoft 365. The reasons are operational: patching a firewall requires a maintenance window, a rollback plan, and often vendor support. Small IT teams defer this.
3. Exploit weaponization is fast. For CVEs in this category with EPSS above 0.15, the median time from public disclosure to active exploitation is 12 days. The SMB patch lag window described above is 4-5x longer.
The Next 60 Days
Our scoring model currently flags three VPN-adjacent CVEs in the high/critical SMB risk band published in the last 30 days. Two involve authentication bypass in widely deployed firmware versions. One is already in the CISA KEV catalog.
SMBs running FortiGate 7.0.x, SonicWall SMA 10.2.x, or Pulse Connect Secure 9.x should treat patching these appliances as a P0 this month — before the operational deferral window expires.
Recommended Actions
Audit every internet-facing appliance. If you do not know what firmware version you are running, assume you are vulnerable.
Check each appliance against the CISA Known Exploited Vulnerabilities Catalog — free and updated daily.
If patching requires a maintenance window longer than 72 hours, implement temporary network-level controls (IP allowlisting for VPN access, geo-restriction) as an interim measure.
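As an added example (not TIRESIS code) of the three actions above in one triage pass: a constructed appliance inventory row is checked against a KEV-format snapshot that uses the real CISA feed's field names but placeholder CVE IDs, the firmware branches this article names as P0 are applied as prefix matches, and the interim network controls are added whenever the maintenance window is more than 72 hours away. The vendor/product spellings, the inventory row format and the "P2" tier for unmatched appliances are assumptions.

```python
from datetime import date

# Constructed KEV snapshot using the real feed's field names
# ("vulnerabilities" array of known_exploited_vulnerabilities.json).
# CVE IDs are placeholders, not real vulnerabilities.
KEV_SNAPSHOT = [
    {"cveID": "CVE-0000-00001", "vendorProject": "Fortinet", "product": "FortiOS",
     "dateAdded": "2026-02-10", "dueDate": "2026-03-03"},
    {"cveID": "CVE-0000-00002", "vendorProject": "SonicWall", "product": "SMA",
     "dateAdded": "2026-03-01", "dueDate": "2026-03-22"},
]

# Firmware branches the article names as P0 this month (prefix match;
# the vendor/product spelling here is a constructed convention, not KEV's).
P0_BRANCHES = {
    ("fortinet", "fortios"): ("7.0.",),
    ("sonicwall", "sma"): ("10.2.",),
    ("pulse secure", "pulse connect secure"): ("9.",),
}

def kev_hits(vendor, product, kev=KEV_SNAPSHOT):
    """KEV entries whose vendorProject/product match, case-insensitively."""
    key = (vendor.lower(), product.lower())
    return [e for e in kev
            if (e["vendorProject"].lower(), e["product"].lower()) == key]

def triage(appliance, today_iso, window_hours, kev=KEV_SNAPSHOT):
    """Return (priority, actions) for one inventory row.

    appliance: {"host", "vendor", "product", "firmware"}; firmware is None
    when unknown. window_hours: hours until the next maintenance window.
    """
    vendor, product = appliance["vendor"].lower(), appliance["product"].lower()
    fw = appliance.get("firmware")
    actions = []
    if fw is None:  # unknown version: the article says assume vulnerable
        actions.append("verify firmware; assume vulnerable until confirmed")
    hits = kev_hits(vendor, product, kev)
    in_p0_branch = fw is not None and any(
        fw.startswith(p) for p in P0_BRANCHES.get((vendor, product), ()))
    if not (hits or in_p0_branch or fw is None):
        return "P2", actions + ["no KEV match; keep in the regular patch cycle"]
    for e in hits:  # KEV dueDate is the BOD 22-01 remediation deadline
        overdue = date.fromisoformat(e["dueDate"]) < date.fromisoformat(today_iso)
        actions.append(f"patch {e['cveID']} (KEV due {e['dueDate']}"
                       + (", OVERDUE)" if overdue else ")"))
    if window_hours > 72:  # interim controls while the window is pending
        actions.append("interim: IP allowlist VPN access, geo-restrict")
    return "P0", actions
```

Run it over the real inventory with the live KEV feed's "vulnerabilities" array in place of KEV_SNAPSHOT; a KEV match only tells you the product is on the list, so the firmware version still has to be confirmed against the vendor advisory linked in the entry.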
Data based on TIRESIS incident database and CVE scoring pipeline. SMB Attack Probability Scores updated continuously.