SecurityBrief Australia - Technology news for CISOs & cybersecurity decision-makers
Barracuda links 2025 ransomware wave to firewall flaws

Fri, 20th Feb 2026

Barracuda has published new research linking most ransomware incidents in 2025 to firewall compromise, with unpatched software and vulnerable accounts cited as the main entry points.

The Barracuda Managed XDR Global Threat Report found that 90% of ransomware incidents analysed involved firewalls exploited through a known software vulnerability or an account weakness. Attackers then used those footholds to move through networks and conceal malicious activity.

The report draws on telemetry from endpoints, servers, firewalls and cloud environments, covering more than two trillion IT events, nearly 600,000 security alerts and more than 300,000 protected assets.

Firewall exposure

Firewalls sit at the network edge and often act as gateways for remote access and site-to-site connectivity. This makes them high-value targets when organisations delay patching or leave accounts exposed.

In the dataset, one in 10 detected vulnerabilities had a known exploit. This points to a recurring risk: once exploit code becomes public, attackers can quickly weaponise it.

The research also points to long-lived exposure from older systems. The most widely detected vulnerability dates back to 2013: CVE-2013-2566, a flaw linked to an outdated encryption algorithm found in legacy servers, embedded devices and older applications.

Speed of attack

The report highlights how quickly some ransomware campaigns can unfold. The fastest observed case involved Akira ransomware and took three hours from breach to encryption.

That leaves little time to detect suspicious behaviour, investigate alerts and isolate affected systems before data becomes inaccessible. It also increases pressure on security teams, particularly in smaller organisations with limited coverage outside standard working hours.

Lateral movement

Once attackers gain a foothold, lateral movement often signals escalation towards a full ransomware incident. The report found that 96% of incidents involving lateral movement ended with ransomware deployment.

Lateral movement typically involves shifting from an initial compromised device to other systems, often using harvested credentials or privileged access. It is described as a key warning sign in a developing incident.

Third-party risk

The findings also suggest a growing role for supply-chain and third-party exposure. The report found that 66% of incidents involved the supply chain or a third party, up from 45% in 2024.

This reflects the complexity of modern IT environments, which rely on external software, integrations and service providers. It also shows how attackers can exploit third-party weaknesses and pivot into customer environments.

Operational gaps

The report describes attackers using legitimate IT tools such as remote access software. It also highlights risks tied to unprotected devices, outdated encryption, disabled endpoint security and misconfigured security features.

Account management issues feature heavily, including dormant accounts that remain active after staff departures. Unusual logins and unexpected privileged-access activity are flagged as urgent signals for security teams.

Merium Khalid, Director, SOC Offensive Security at Barracuda, said the findings reflect the realities of day-to-day security operations and resourcing.

"Organisations and their security teams - especially if that 'team' is a single IT professional - face an immense challenge. With limited resources and fragmented security tools, they must safeguard identities, assets and data from an evolving threat landscape and attacks that can unfold in a matter of hours," Khalid said.

She added that common weaknesses can persist unnoticed across large, mixed IT estates.

"What makes targets vulnerable is often easy to overlook - a single rogue device, an account that wasn't disabled when someone left, a dormant application that hasn't been updated, or a misconfigured security feature. Attackers only need to find one to succeed. An integrated, AI-powered and autonomous security solution with the management and support taken care of by experts can make all the difference," Khalid said.

The report also outlines steps for organisations and managed service providers to reduce risk. It reinforces that patch discipline, account hygiene and monitoring for lateral-movement indicators remain central to ransomware defence, as attackers increasingly combine firewall exploitation with third-party exposure.