VPN Exploits: What an External Pentest Catches First

An external network pentest perimeter devices review answers a question vendor patches and scanners cannot. On 8 June 2026, CISA added CVE-2026-50751, a CVSS 9.3 authentication bypass in a widely deployed Check Point VPN gateway, to its Known Exploited Vulnerabilities catalog with a three-day federal remediation deadline. Researchers at watchTowr Labs noted that “this vulnerability has been exploited in the wild since 7th May 2026”, roughly a month before the vendor patch was available. The same week, Censys published the FortiBleed advisory, identifying “roughly 73,932 unique firewall URLs across 194 countries” leaking credentials from internet-facing Fortinet appliances. For CISOs running edge VPN and firewall infrastructure, the message is simple: vendor patches and scanners alone are not catching this.

The Verizon 2026 Data Breach Investigations Report found that 31% “of breaches now start with software vulnerabilities, beating stolen passwords as the top way attackers get in”. That is a structural change in how organisations are compromised, and unpatched or misconfigured perimeter appliances are the single largest contributor.

Why VPN Appliances Are the Favourite Initial-Access Vector Right Now

Edge appliances sit on the public internet, terminate authentication, hold privileged certificates, and bridge directly into the internal network. Three properties make them disproportionately attractive to ransomware affiliates and intrusion brokers.

A scheduled VPN gateway security assessment maps this exact surface as part of a broader external network pentest. It is not the same activity as running a vulnerability scanner against the appliance IP and reading the CVE output.

Six Things a Human-Led External Pentest Checks That Scanners Cannot

Scanners are good at one thing: matching observed banners and behaviours against a database of known CVEs. That is useful, and the CTDefense team runs scanners as part of every engagement. The work that follows is what a CVE scanner cannot do, and what the vulnerability scanner vs penetration test comparison really turns on.

Shadow Assets: The Perimeter Devices That Don’t Appear in Your CMDB

If a CISO asks the team “what does an external network pentest actually test”, the most honest answer starts here. The first deliverable of any external engagement is an enumerated asset list, and that list is almost always longer than the one the client provided at scoping.

In recent CTDefense engagements, shadow assets typically include:

Each one of these carries a software version, a patch lag, and a credential set that the central security team is not tracking. As covered in what attackers find on a typical enterprise perimeter, the shadow-asset finding is the one that most often leads to a high-severity recommendation.

Certificate Validation and Credential-Reuse: The Manual Testing Layer

A perimeter scan tells the client which CVEs apply to which boxes. A human-led external pentest answers the harder question: given the client’s specific configuration, identity provider, and credential exposure, can an attacker actually authenticate?

The team works through a defined sequence on each in-scope appliance:

The watchTowr finding that CVE-2026-50751 had been exploited for a month before the patch landed answers a common buyer question, namely how long after a patch is released are companies still exploited. The window opens before the patch, not after it. Patch-cadence reporting captures none of it. Active testing during that window is the only thing that does.

What to Do Before the Next KEV Alert Drops

The next CISA KEV listing on a perimeter appliance is a matter of when, not whether. Organisations subject to NIS2 external network security testing obligations under Article 21 are under regulatory pressure to demonstrate that their perimeter posture has been independently verified, not just patched on schedule. The same applies to PCI DSS and DORA-aligned testing programmes.

A few concrete steps the CTDefense team recommends to clients in the days after a KEV listing on edge infrastructure:

CTDefense continues to support mid-to-large enterprises in finance, healthcare, manufacturing, and critical infrastructure with External Network Security Audit engagements that map exposed perimeter devices, validate authentication and certificate logic, and correlate findings against current threat-actor activity. Organisations running Check Point, Fortinet, or other edge appliances on the public internet are encouraged to commission an external review before the next KEV listing arrives, not after. The window between exploitation and patch is where the loss happens; testing during that window is what closes it.

Leave a Reply