A Brief History of Massive Cyberattacks and Data Breaches – Ankor Tech

Corporate cybersecurity infrastructure—including firewalls, VPNs, and routers—is designed to fortify enterprise networks against malicious intruders. In an era defined by hybrid and remote work, these tools are essential. However, a recurring, critical failure has emerged: these very security products frequently harbor software vulnerabilities that grant hackers direct access to the networks they were built to protect.

This systemic issue has fueled a surge in mass-hacking campaigns. By exploiting these flaws, attackers can compromise thousands of organizations simultaneously, exfiltrating vast amounts of sensitive corporate and personal data. Below is a timeline of significant mass-hacking events that have defined the cybersecurity landscape in recent years.

January 2023: Fortra GoAnywhere Breach

The Clop ransomware gang opened the year with a mass-exploitation campaign against a zero-day vulnerability in Fortra’s GoAnywhere managed file transfer (MFT) software. Clop claimed more than 130 victim organizations, and the resulting data theft affected millions of individuals. Notable victims included Hitachi Energy, security firm Rubrik, and NationBenefits, which reported that data on three million members had been exposed.

May 2023: The MOVEit Global Data Theft

One of the largest data thefts on record exploited a SQL injection zero-day in Progress Software’s MOVEit Transfer, another managed file transfer product. According to Emsisoft’s tracking, the Clop gang used the flaw to steal data from thousands of organizations, affecting more than 60 million individuals. The U.S. government contractor Maximus suffered the single largest blow, with the attackers accessing the health information of roughly 11 million people.

October 2023: Cisco Zero-Day Takeovers

Throughout October 2023, attackers exploited an unpatched zero-day in the web management interface of Cisco’s IOS XE software, creating privileged accounts that gave them full control over affected enterprise switches, wireless controllers, and industrial routers. Cisco did not disclose a victim count, but Censys found the attackers’ implant on nearly 42,000 internet-exposed devices.


November 2023: The CitrixBleed Vulnerability

The “CitrixBleed” bug in Citrix NetScaler ADC and Gateway appliances leaked fragments of device memory, including active session tokens, to unauthenticated requests. An attacker could replay a stolen token to hijack an authenticated session without a password or a multi-factor prompt, and because the tokens remained valid after patching, remediation required invalidating active sessions as well as applying the fix. The LockBit ransomware group used the flaw to breach major entities, including Boeing, the law firm Allen & Overy, and the Industrial and Commercial Bank of China.

January 2024: Ivanti Connect Secure Espionage

State-backed hackers linked to China exploited two zero-days in Ivanti’s Connect Secure VPN appliances, chaining an authentication bypass with a command injection flaw. While Ivanti initially downplayed the impact, Volexity identified more than 1,700 compromised appliances worldwide, spanning the defense, banking, and telecommunications sectors among others. CISA eventually ordered federal agencies to disconnect the affected systems.

February 2024: ConnectWise and Ivanti Recurrence

Hackers exploited two critical flaws in ConnectWise ScreenConnect, a remote access and support tool, an authentication bypass and a path traversal, to deploy ransomware and backdoors on exposed servers. Simultaneously, Ivanti faced further scrutiny as attackers exploited another flaw in its VPN appliances, a server-side request forgery bug; the Shadowserver Foundation observed more than 630 unique IP addresses attempting to exploit it.

November 2024: Palo Alto Networks Firewall Flaws

Thousands of firms were put at risk when two zero-day vulnerabilities in the management web interface of Palo Alto Networks’ PAN-OS were chained in attacks: an authentication bypass followed by a privilege escalation that gave attackers administrative control of the firewall, and with it a foothold into the corporate networks behind it. Researchers at watchTowr Labs attributed the flaws to basic mistakes in the development process. Palo Alto’s own guidance is that the management interface should never be reachable from the internet; the firewalls at risk were those that exposed it anyway.

December 2024: The Clop Resurgence via Cleo

The Clop gang returned in late 2024 with a zero-day in Cleo’s managed file transfer products (LexiCom, VLTrader, and Harmony). By early 2025, the group had listed more than 110 alleged victims on its dark web leak site, including supply chain software company Blue Yonder and German chemicals manufacturer Covestro.


January 2025: Escalating Threats at Ivanti, Fortinet, and SonicWall

The new year saw a rapid succession of mass-hacking events:

  • Ivanti: Hackers exploited a new zero-day, a stack-based buffer overflow, in Ivanti Connect Secure VPN appliances, with the Shadowserver Foundation identifying hundreds of backdoored systems.
  • Fortinet: A zero-day in the management interface of FortiGate firewalls, exploited since December 2024 according to Arctic Wolf, resulted in the compromise of “tens” of enterprise devices.
  • SonicWall: A vulnerability in the management console of the SMA1000 remote access appliance was confirmed as being actively exploited. With more than 2,300 devices visible on the public internet, per Shodan data, the potential for widespread damage remains significant.