---
type: "attack-path"
title: "MANDIANT-EDGE-DEVICE-EXPLOITATION-2025"
description: "Attack path derived from Mandiant M-Trends 2026 'Systematic Exploitation of Edge and Core Network Devices' (pp."
resource: "tlctc:attack-path:mandiant-edge-device-exploitation-2025"
tags:
  - "attack-path"
  - "cluster-2"
  - "cluster-7"
  - "cluster-5"
  - "cluster-4"
  - "cluster-1"
  - "confidence-high"
timestamp: "2026-04-14T00:00:00Z"
tlctc_version: "2.0"
---
# MANDIANT-EDGE-DEVICE-EXPLOITATION-2025

## Attack path

```
#2 →[Δt=~1h] #7 (FEC) →[Δt=~months] #5 + [DRE: C] →[Δt=~weeks] #4 →[Δt=~days] #1 →[Δt=~months] #1 + [DRE: C]
```

## Schema

| Step | Cluster | Boundary | Δt→next | DRE |
|---|---|---|---|---|
| s1-edge-zeroday | [#2](/clusters/cluster-2.md) |  | ~1h |  |
| s2-firmware-implant | [#7](/clusters/cluster-7.md) (FEC) |  | ~months |  |
| s3-traffic-interception | [#5](/clusters/cluster-5.md) |  | ~weeks | C |
| s4-credential-use | [#4](/clusters/cluster-4.md) |  | ~days |  |
| s5-lateral-abuse | [#1](/clusters/cluster-1.md) |  | ~months |  |
| s6-long-term-exfiltration | [#1](/clusters/cluster-1.md) |  |  | C |

## Step notes

- **s1-edge-zeroday:** Zero-day exploitation of an internet-facing edge device (VPN concentrator, firewall, NAS, gateway). R-ROLE: the device's management/data plane is in the server role relative to the attacker → #2. TTE = -7 days: Mandiant observed exploitation roughly a week before the vulnerability became publicly known, indicating private pre-disclosure acquisition.
- **s2-firmware-implant:** Firmware-level implant installed on the compromised device. R-EXEC satisfied: FEC execution at the firmware layer. Because firmware is below the OS, traditional EDR has no visibility; detection requires out-of-band firmware attestation. Implants survive reboots and most firmware updates.
- **s3-traffic-interception:** Pre-positioning enables in-path traffic interception on core network devices (e.g., TACACS+ redirection, inline SSL downgrade, credential capture on management protocols). #5 Man-in-the-Middle: the attacker is structurally interposed on the communication path. DRE:C on intercepted credentials and session data. Included when the intrusion leverages in-path capability; omit if the campaign is pure data-plane persistence.
- **s4-credential-use:** Credentials captured via traffic interception (s3) or extracted from device config are used to authenticate into the internal network — administrator accounts for routers, TACACS+ accounts, or enterprise accounts passing through the compromised edge. R-CRED / Axiom X: credential application is ALWAYS #4.
- **s5-lateral-abuse:** Living-off-the-land lateral movement into the internal network: legitimate Windows admin tooling, native SSH, or vendor-supplied management utilities. Legitimate functions, abused scope. No new malware required — the firmware implant provides command and control via the compromised edge device.
- **s6-long-term-exfiltration:** Slow, steady exfiltration via the compromised edge path. Traffic exits the enterprise through the exact device that is supposed to be protecting it, making egress monitoring ineffective. DRE:C. Multi-year dwell is typical for this pattern; detection usually arrives only when the vendor publishes the CVE and incident responders retroactively look for indicators.
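As an added example (not part of the TLCTC record or its tooling), a small parser for the arrow notation used in the "Attack path" block, with a check that the parsed steps agree with the schema table; the path string and schema rows below are copied from this page.

```python
import re
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class PathStep:
    cluster: int                      # TLCTC cluster number after "#"
    fec: bool = False                 # "(FEC)" marker on the node
    dre: Optional[str] = None         # "[DRE: X]" marker, e.g. "C"
    dt_to_next: Optional[str] = None  # "Δt=..." on the edge leaving this node

# Edge between nodes: "→[Δt=~1h]"; the capture group keeps the Δt value on split.
EDGE_RE = re.compile(r"\s*→\[Δt=([^\]]+)\]\s*")
# A node: "#7", "#7 (FEC)", "#5 + [DRE: C]".
NODE_RE = re.compile(r"^#(\d+)(?:\s*\((FEC)\))?(?:\s*\+\s*\[DRE:\s*([A-Z])\])?$")

def parse_attack_path(path: str) -> list:
    """Parse the arrow notation into an ordered list of PathStep."""
    tokens = EDGE_RE.split(path.strip())  # node, dt, node, dt, ..., node
    if len(tokens) % 2 == 0:
        raise ValueError("path must start and end with a node")
    steps = []
    for i in range(0, len(tokens), 2):
        m = NODE_RE.match(tokens[i])
        if not m:
            raise ValueError(f"bad node: {tokens[i]!r}")
        dt = tokens[i + 1] if i + 1 < len(tokens) else None
        steps.append(PathStep(int(m.group(1)), m.group(2) == "FEC", m.group(3), dt))
    return steps

def schema_mismatches(steps, rows) -> list:
    """Return human-readable differences between parsed steps and schema rows
    given as (name, cluster, fec, dt_to_next, dre) tuples; empty means consistent."""
    problems = []
    if len(steps) != len(rows):
        problems.append(f"step count {len(steps)} != {len(rows)} schema rows")
    for step, (name, cluster, fec, dt, dre) in zip(steps, rows):
        if (step.cluster, step.fec, step.dt_to_next, step.dre) != (cluster, fec, dt, dre):
            problems.append(f"{name}: path {step} vs schema {(cluster, fec, dt, dre)}")
    return problems

# Path string and schema rows as they appear on this page.
PATH = "#2 →[Δt=~1h] #7 (FEC) →[Δt=~months] #5 + [DRE: C] →[Δt=~weeks] #4 →[Δt=~days] #1 →[Δt=~months] #1 + [DRE: C]"
SCHEMA = [
    ("s1-edge-zeroday", 2, False, "~1h", None),
    ("s2-firmware-implant", 7, True, "~months", None),
    ("s3-traffic-interception", 5, False, "~weeks", "C"),
    ("s4-credential-use", 4, False, "~days", None),
    ("s5-lateral-abuse", 1, False, "~months", None),
    ("s6-long-term-exfiltration", 1, False, None, "C"),
]

if __name__ == "__main__":
    print(schema_mismatches(parse_attack_path(PATH), SCHEMA))  # []
```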

## Citations

Attack path derived from Mandiant M-Trends 2026 'Systematic Exploitation of Edge and Core Network Devices' (pp. 78-82). UNC5807 (PRC) and similar cohorts achieved Time-to-Exploit of -7 days — exploitation observed before public CVE disclosure. Firmware-level implants provide multi-year persistence on devices with no EDR coverage. Pre-positioning on core network devices also enables in-path traffic interception (#5). Axiom IV: actor identity does not drive classification. Sources: M-Trends 2026 pp. 66-69, 78-82.
