Date: 2026-02-24

A new threat analysis shows that ransomware attacks exploit firewall vulnerabilities in the majority of observed incidents. According to findings released by Barracuda Networks, 90 percent of ransomware cases in 2025 involved firewalls compromised through unpatched software or vulnerable accounts.

The fastest recorded ransomware case progressed from breach to encryption in just three hours. The data is detailed in the Barracuda Managed XDR Global Threat Report, which draws on more than two trillion IT events collected during 2025, nearly 600,000 security alerts and over 300,000 protected endpoints, firewalls, servers and cloud assets.

The report examines how attackers identify entry points and how security gaps increase enterprise risk.

Firewalls remain primary attack vector

The research shows that attackers are targeting firewalls through CVEs or exposed accounts. Once inside, they can gain control of the network and bypass protective layers, masking malicious traffic.

One in ten detected vulnerabilities had a known exploit. The most widely detected vulnerability dates back to 2013: CVE-2013-2566, linked to an outdated encryption algorithm still present in legacy servers, embedded devices or applications.

The persistence of older vulnerabilities indicates gaps in patch management and encryption upgrades.

Speed of attack reduces response window

The report highlights how compressed attack timelines limit defensive response. In the fastest case, involving Akira ransomware, encryption occurred within three hours of breach.

Such timelines leave minimal opportunity for detection and remediation. Once attackers gain access, lateral movement often follows.

In 96 percent of incidents involving lateral movement, ransomware was ultimately deployed. Lateral movement signals that attackers have shifted from initial compromise to deeper system penetration.

Supply chain exposure rising

The data also shows that 66 percent of incidents involved the supply chain or third parties, up from 45 percent in 2024. Attackers are exploiting weaknesses in external software to extend their reach inside target environments.

The report notes that many breaches involve legitimate IT tools such as remote access software. Additional risk factors include outdated encryption, disabled endpoint security and dormant or misconfigured accounts.

These gaps, while individually small, create compounding exposure.

Structural gaps in resource-constrained teams

Merium Khalid, Director, SOC Offensive Security at Barracuda, said organisations face increasing pressure to defend identities, assets and data with limited resources and fragmented tools.

She noted that overlooked elements such as rogue devices, unremoved user accounts or dormant applications can create exploitable entry points. Attackers require only one weakness to succeed.

The report recommends integrated and managed security approaches to reduce fragmentation and improve detection across endpoints, firewalls and cloud assets.

What the findings signal

The central finding remains clear: ransomware attacks exploit firewall vulnerabilities more often than any other vector observed in the dataset.

Key risk indicators include:

Unpatched firewall CVEs

Vulnerable or dormant accounts

Known exploitable software bugs

Lateral movement within networks

Supply chain software exposure

The report is based on telemetry collected from April to December 2025 across diverse cloud and enterprise environments.

The findings suggest that closing firewall gaps, addressing dormant identities and tightening supply chain controls are critical to reducing ransomware exposure in 2026.

