Firewalls are a common target for hackers, report claims

Date: 2026-02-19

Barracuda report finds 90% of all ransomware incidents in 2025 exploited firewalls

Some flaws were more than a decade old, so patch now

If you can secure just one device on your network today, make sure it’s the firewall: a new report from Barracuda claims almost all ransomware incidents start with a compromised firewall instance.

The Barracuda Managed XDR Global Threat Report is based on Barracuda Managed XDR’s 2025 dataset of more than two trillion IT events and some 600,000 security alerts.

The researchers found that 90% of all ransomware incidents that took place in 2025 exploited firewalls through either a vulnerability or a compromised account. One in every 10 detected vulnerabilities already had a known exploit, they added, meaning that in many instances attackers were targeting “low-hanging fruit”.

Old school flaws

One of the more painful findings of the report is that the most widely detected vulnerability is 13 years old. CVE-2013-2566, a flaw discovered back in 2013, affects an outdated encryption algorithm and is often found in legacy systems (old servers, embedded devices, applications).

Barracuda is not the only company sounding the alarm on broken firewalls. Recent research from Sophos also showed that network edge devices like routers, VPNs, and firewalls are a growing point of intrusion, accounting for nearly 30% of initial compromises observed in Sophos’ Annual Threat Report.

At the same time, new findings in the Searchlight Ransomware H2 2025 report said that the number of active ransomware groups reached levels never seen before, with the growth rate of victims doubling since 204.

In late 2025 it was reported that SonicWall firewall appliances with SSL-VPN enabled across multiple generations were vulnerable and targeted by the Akira ransomware group.

Confirmed victims aren’t widely published as corporate names, but reports and security advisories noted dozens of organizations impacted, including cases where more than 100 SSL-VPN accounts across ~16 customer environments were compromised and used for follow-on activity.

