Citrix, Ivanti, MOVEit, FortiGate: the edge appliances on CISA's most-exploited list, facing your internet

Open a browser, type your company's VPN hostname, and look at what loads. If a Citrix Gateway login, an Ivanti Connect Secure welcome page, or a MOVEit Transfer sign-in answers you, it answers everyone. These aren't web apps your team wrote. They're appliances, the boxes that sit at the edge of the network and decide who gets in, and the last three years of breach reports are mostly the story of those exact boxes.

The pattern is brutal and repetitive. A vendor ships a VPN concentrator or a file-transfer gateway. A pre-authentication flaw turns up, no password needed, just a crafted request to the login page. It lands on CISA's Known Exploited Vulnerabilities catalog, the US government's list of bugs being used in real attacks right now. Within days, internet-wide scanners are walking every IPv4 address looking for the telltale login path. If yours is reachable and a patch cycle behind, you are not a target they chose. You are a target they found.

Why the login page itself is the finding

You might think an exposed login page is fine. It needs a password, after all. That instinct is wrong for this class of device, and it's worth being precise about why.

The vulnerabilities that put these appliances on the KEV list are pre-auth. Citrix Bleed (CVE-2023-4966) leaks session tokens straight out of NetScaler memory, so the attacker logs in as someone who already authenticated, no password involved. MOVEit's CVE-2023-34362 was a SQL injection in the transfer portal that CL0P used to steal data from thousands of organizations in weeks. Ivanti Connect Secure chained CVE-2024-21887 and CVE-2025-0282 into unauthenticated remote code execution. FortiGate's CVE-2024-21762 is an out-of-bounds write reachable before login. In every one of these, the login page is not the wall. It's the attack surface. The password never gets checked because the bug fires first.

$ vpn.yourcompany.com

What the street sees:

  • Citrix Gateway: /vpn/index.html serves CitrixAGBasic
  • Ivanti Connect Secure: /dana-na/.../welcome.cgi answers 200
  • MOVEit Transfer: /human.aspx login form present
  • FortiGate SSL-VPN: /remote/login redirect served
  • On CISA KEV: all four, actively exploited

Each marker is the appliance announcing itself at a known path. No login attempted, no exploit sent. The presence is the signal.

So the question for an edge appliance isn't "is it patched," which you can't see from outside and which changes the day after a scan. The question is "is it reachable from the public internet at all," and for most of these the honest answer is that it shouldn't be. A VPN gateway has to face the internet by design. A MOVEit portal, a GoAnywhere admin console, or a Jenkins controller usually does not.

The roll call

These are the appliances and servers SurfaceCheckr looks for, each identified by an unforgeable marker it serves, not by a guess. Every one has a CISA-KEV entry in its history.

  • Citrix NetScaler / ADC Gateway. The /vpn/index.html page serving both /vpn/js/ and the CitrixAGBasic marker. Home of Citrix Bleed (CVE-2023-4966), which dumped session tokens and was used against major enterprises and a US bank.
  • Ivanti Connect Secure. The /dana-na/auth/url_default/welcome.cgi portal. CVE-2025-0282 and CVE-2024-21887 are both on the KEV list, both pre-auth, both chained to full remote code execution on the box that terminates your VPN.
  • Fortinet FortiGate SSL-VPN. The /remote/login page with the sslvpnd redirect. CVE-2024-21762 is unauthenticated RCE, and exploited FortiGates have been left with symlink backdoors that survive the patch.
  • MOVEit Transfer. The /human.aspx sign-in. CVE-2023-34362 is the one CL0P rode to breach an estimated 2,700-plus organizations and tens of millions of individuals in mid-2023.
  • GoAnywhere MFT. The /goanywhere/auth/Login.xhtml admin portal. CVE-2023-0669 (pre-auth RCE) and CVE-2024-0204 (admin account creation), both exploited in the wild.
  • Microsoft Exchange OWA. The /owa/auth/logon.aspx page on an on-premises server. Every on-prem Exchange version is now end-of-life, and ProxyShell and ProxyNotShell are both on the KEV list. An OWA login on the public internet in 2026 is an unpatchable liability waiting for the next chain.
  • Jenkins. The X-Jenkins version header on a public controller. CVE-2024-23897 is an unauthenticated arbitrary-file read that escalates to RCE, and a public Jenkins is almost never intentional; it's a build server that drifted onto the internet.

  • Day 0: Pre-auth CVE lands on CISA KEV
  • Day 1: Internet-wide scanners sweep for the login path
  • Day 2: Your appliance answers at the known URL
  • Day 4: Exploited before your patch window opens

Mass exploitation of these devices runs on a clock measured in days. Discovery is automated; you don't get to be obscure.

What actually closes it

The fix is not a header or a config flag. It's a decision about what belongs on the internet, and these split cleanly into two piles.

For the ones that have no business facing the public (MOVEit and GoAnywhere admin consoles, an on-prem OWA, a Jenkins controller), the answer is to take them off the internet. Put them behind your VPN, an identity-aware proxy, or an IP allowlist, so the login page that scanners hunt for simply doesn't answer a stranger. A management console reachable only from inside your network is a console no internet scan can find.

For the ones that must face the internet because that is their job (your actual VPN gateway), the discipline is different and unforgiving:

# A FortiGate / Citrix / Ivanti gateway on the public internet
# running a firmware version a cycle or two behind
#
# -> on CISA KEV, mass-scanned, pre-auth exploitable
# -> the login page is the attack surface, not the wall
An internet-facing appliance is a standing commitment to same-week patching, not a set-and-forget box.

The non-negotiable is the patch SLA. An internet-facing appliance is a promise to keep it current the same week a fix ships, because the gap between disclosure and mass exploitation is now measured in days, sometimes hours. And after you patch a box that was exposed and vulnerable, assume it may already have been touched: check for the web shells, rogue admin accounts, and symlink backdoors these campaigns leave behind, because the update closes the door without evicting whoever already walked through it.

The thing a scan settles is the first and most important question: is the login page even reachable? SurfaceCheckr requests the known portal path for each of these appliances and reports a hit only when the device's own unforgeable marker comes back: the CitrixAGBasic string, the Ivanti welcome body, the OWA logon form, the X-Jenkins header. It reads what the appliance volunteers about its identity and stops cold there. It never submits the login, never sends an exploit, never tests the CVE, because confirming the box is on the internet is the entire job, and the rest would cross from looking into attacking. If you want the wider frame, everything an outsider maps about you before touching the backend is the pillar this sits in, and the Certificate Transparency logs that expose forgotten subdomains are often how an attacker finds the appliance hostname in the first place.
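The read-only check described in this paragraph and in the "what the street sees" figure above, written out as an added example for auditing your own hostnames. This is not SurfaceCheckr's code. The portal paths are the ones this page lists; the body markers for Ivanti, MOVEit, GoAnywhere and OWA and the "sslvpn" string expected in the FortiGate redirect are assumptions about what those login pages reference, to be adjusted against a known-good instance. Each appliance also carries the page's split between gateways that must face the internet and consoles that should not, so a hit comes back with the matching advice.

```python
"""Exposure audit for the appliance portals named in the article.

Added example, not SurfaceCheckr's code. One GET per known portal path on
a host you own; a hit is reported only when the appliance's identifying
marker comes back. No credentials are posted and no exploit is sent:
reachability is the whole finding.
"""
import ssl
import urllib.error
import urllib.request
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional


@dataclass(frozen=True)
class Response:
    status: int
    headers: Dict[str, str]  # header names lower-cased
    body: str


@dataclass(frozen=True)
class Signature:
    name: str
    path: str
    public_by_design: bool     # True only for VPN gateways
    body_markers: tuple = ()   # every marker must appear in a 200 body
    header: str = ""           # header whose mere presence is the marker
    redirect_marker: str = ""  # 3xx whose Location or body names this


# Paths come from the article. Body markers for Ivanti, MOVEit, GoAnywhere
# and OWA, and the FortiGate redirect string, are assumptions (hypothetical).
SIGNATURES = (
    Signature("Citrix NetScaler / ADC Gateway", "/vpn/index.html", True,
              body_markers=("CitrixAGBasic", "/vpn/js/")),
    Signature("Ivanti Connect Secure", "/dana-na/auth/url_default/welcome.cgi", True,
              body_markers=("/dana-na/",)),
    Signature("Fortinet FortiGate SSL-VPN", "/remote/login", True,
              redirect_marker="sslvpn"),
    Signature("MOVEit Transfer", "/human.aspx", False, body_markers=("MOVEit",)),
    Signature("GoAnywhere MFT", "/goanywhere/auth/Login.xhtml", False,
              body_markers=("Login.xhtml",)),
    Signature("Microsoft Exchange OWA", "/owa/auth/logon.aspx", False,
              body_markers=("/owa/auth.owa",)),
    Signature("Jenkins", "/", False, header="x-jenkins"),
)

INTERNAL_ONLY = "not public by design: move behind VPN, identity-aware proxy or IP allowlist"
GATEWAY = "public by design: same-week patch SLA; if exposed unpatched, check for left-behind access"


@dataclass(frozen=True)
class Finding:
    name: str
    path: str
    public_by_design: bool
    advice: str


def matches(sig: Signature, resp: Response) -> bool:
    """True when the response carries the marker the appliance volunteers."""
    if sig.header:
        return sig.header in resp.headers
    if sig.redirect_marker:
        target = (resp.headers.get("location", "") + resp.body).lower()
        return 300 <= resp.status < 400 and sig.redirect_marker in target
    return resp.status == 200 and all(m in resp.body for m in sig.body_markers)


def audit(host: str, fetch: Callable[[str, str], Optional[Response]]) -> List[Finding]:
    """One GET per known path; a Finding for each appliance that identifies itself."""
    findings = []
    for sig in SIGNATURES:
        resp = fetch(host, sig.path)
        if resp is not None and matches(sig, resp):
            advice = GATEWAY if sig.public_by_design else INTERNAL_ONLY
            findings.append(Finding(sig.name, sig.path, sig.public_by_design, advice))
    return findings


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None  # surface the 3xx as an HTTPError instead of following it


def fetch_https(host: str, path: str, timeout: float = 5.0) -> Optional[Response]:
    """Live fetcher for hosts you own: single GET, no redirects, no credentials."""
    opener = urllib.request.build_opener(
        _NoRedirect, urllib.request.HTTPSHandler(context=ssl.create_default_context()))
    req = urllib.request.Request(f"https://{host}{path}",
                                 headers={"User-Agent": "exposure-audit/1.0"})
    try:
        with opener.open(req, timeout=timeout) as r:
            return Response(r.status, {k.lower(): v for k, v in r.headers.items()},
                            r.read(65536).decode("utf-8", "replace"))
    except urllib.error.HTTPError as e:  # 3xx/4xx/5xx bodies still carry markers
        return Response(e.code, {k.lower(): v for k, v in e.headers.items()},
                        e.read(65536).decode("utf-8", "replace"))
    except (urllib.error.URLError, OSError):
        return None


if __name__ == "__main__":
    import sys
    for f in audit(sys.argv[1], fetch_https):
        print(f"{f.name} reachable at {f.path}: {f.advice}")
```

Run it as `python exposure_audit.py vpn.yourcompany.com` against a hostname you are responsible for. The fetcher is injected so the matching logic can be exercised offline with constructed responses, and a 4xx answer still counts for Jenkins because the header, not the status, is the marker.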

Find it before someone else does.

Paste your domain. The grade and issue count are free, and you'll see in a couple of minutes exactly what's reachable from outside.