Fortinet's SSL VPN problem isn't getting better — it's getting worse

Eight confirmed critical vulnerabilities, all actively exploited, spanning 2018 to 2025. A persistence mechanism that survives patching. If you run a FortiGate, here is what the record shows and what you need to check right now.

By IronSights Editorial, Practitioner team · 25 June 2026 · 7 min read

FortiGate firewalls are everywhere in Australian businesses. Every major IT reseller stocks them, they're competitively priced, and they handle VPN for tens of thousands of employees across the country. They're also the most consistently exploited network appliance on the planet right now, and the exploitation record goes back seven years.

This is not a one-off story. It's a pattern of SSL VPN flaws, disclosed years apart, that share the same basic shape: unauthenticated, remote, critical severity, exploited before or immediately at the time of disclosure. The ACSC and its Five Eyes partners have issued advisories naming Fortinet products multiple times. CISA's Known Exploited Vulnerabilities catalogue has Fortinet entries from 2021 through May 2025. And the finding from April 2025 that should concern you most is that patching the underlying vulnerabilities may not be enough — attackers have been leaving behind a persistence mechanism that survives firmware updates.

The CVE record, in order

CVE-2018-13379 — CVSS 9.8. A path traversal flaw in FortiOS SSL VPN that let an unauthenticated attacker download the system file containing active VPN session credentials. Disclosed in 2019. In November 2021, a joint CISA/FBI advisory documented Iranian government-sponsored APT actors exploiting this vulnerability in 2021. Two years after it was patched. The ACSC republished that advisory. Shodan scans years later still found exposed devices running unpatched firmware.

CVE-2022-42475 — CVSS 9.8 (NVD). A heap-based buffer overflow in FortiOS SSL-VPN allowing unauthenticated remote code execution. Mandiant documented that exploitation began around October 2022, roughly two months before Fortinet issued its public advisory in December 2022. A quiet patch (FortiOS 7.2.3) went out in November without any security disclosure. By the time organisations knew to patch, attackers had a two-month head start.

CVE-2023-27997 — CVSS 9.8. Another pre-authentication heap overflow in the SSL-VPN component, affecting FortiOS and FortiProxy. The researcher who found it, Charles Fol of Lexfo, described it plainly: reachable pre-authentication, on every SSL VPN appliance. Fortinet acknowledged "limited active exploitation" at disclosure. CISA added it to the KEV catalog the following day.

CVE-2024-21762 — CVSS 9.8 (NVD). An out-of-bounds write in the sslvpnd daemon. Fortinet disclosed on 8 February 2024 that it was "potentially being exploited in the wild" — the hedged language they use when they know exploitation is happening but haven't disclosed specifics. CISA added it to the KEV catalog the next day, confirming exploitation.

CVE-2024-23113 — CVSS 9.8. A format string vulnerability in the fgfmd daemon, not the SSL-VPN component this time but the FortiGate-to-FortiManager daemon, affecting FortiOS 7.0 through 7.4 and FortiProxy. CISA added it to the KEV catalog in October 2024 with a mandatory remediation deadline of 30 October 2024.

CVE-2024-55591 and CVE-2025-24472 — CVSS 9.6. Authentication bypass vulnerabilities disclosed in January and February 2025 respectively. Arctic Wolf traced exploitation of CVE-2024-55591 to as early as November 2024. A new group, Mora_001, used both as their initial access vector, deploying SuperBlack ransomware built on the LockBit builder.

CVE-2025-32756 — CVSS 9.6. A stack-based buffer overflow in FortiVoice, FortiMail, FortiNDR, FortiRecorder, and FortiCamera. Fortinet's own Product Security Team observed exploitation on a live FortiVoice device before the patch was released. CISA added it to the KEV catalog on 14 May 2025, one day after Fortinet's advisory.

The persistence problem

In April 2025, Fortinet disclosed something that hadn't been public: attackers who had exploited CVE-2022-42475, CVE-2023-27997, or CVE-2024-21762 had planted a symlink inside the SSL-VPN language file directory, a pointer connecting that directory to the root filesystem of the device. The symlink survived firmware updates. Even after organisations applied the patches for those original vulnerabilities, attackers retained read access to the device's root filesystem — including credential material and key files.

The Canadian Centre for Cyber Security confirmed approximately 14,000 FortiGate devices globally were affected. CISA issued a corroborating alert on 11 April 2025.

If you run FortiOS and your device was internet-accessible during the 2022–2024 window, patching is not enough. You need to check whether the symlink is present. Fortinet's April 2025 advisory includes the specific path and detection steps.

Who is doing this

These are not random opportunists. Iranian government-sponsored APT groups account for the oldest documented cases. Chinese state-sponsored actors — specifically Volt Typhoon — have exploited FortiGate for initial access in critical infrastructure campaigns. Akira ransomware has used FortiGate SSL-VPN as a regular entry point. LockBit affiliates have done the same. As of early 2025, Mora_001, a new group using LockBit's builder, is specifically targeting FortiGate management interfaces.

Several of these groups conduct pre-disclosure exploitation. They develop their own knowledge of vulnerabilities before the vendor publishes a patch. For organisations relying on a patch cycle, the gap between exploitation and patch availability has been weeks to months.

Why patching is hard on edge devices

FortiGate appliances sit at the network perimeter and handle all VPN traffic. Patching them requires a maintenance window, testing, and in most organisations, sign-off from stakeholders who cannot tolerate downtime. IT teams running lean — which describes most Australian SMEs — defer edge device patching longer than they would a workstation or server.

The Verizon DBIR and independent security research both show the same pattern: network edge devices get patched more slowly than endpoint software because they carry higher perceived operational risk when touched. The Essential Eight addresses this under Patch OS and Patch Applications: Maturity Level 2 (ML2) requires patches for internet-facing systems within two weeks, ML3 within 48 hours for critical vulnerabilities. CVSS 9.8 qualifies as critical. Most organisations are not meeting that threshold.

What to do if you run FortiGate

Start with firmware. Not what was applied last quarter — what is actually running right now. The command "get system status" in the FortiOS CLI will confirm it. Cross-reference against Fortinet's PSIRT advisories at fortiguard.com/psirt and check every CVE listed above.

Then check for the symlink. If your device ran SSL-VPN-enabled firmware during 2022–2024 and was internet-facing, follow Fortinet's April 2025 advisory to verify the SSL-VPN language directory does not contain an unexpected symlink. If you find one, stop. Engage an incident response team before touching anything else. The device is compromised.

If you are still running SSL-VPN, it is worth asking whether you need to. Fortinet has been signalling a move toward IPsec, and for good reason: SSL-VPN is browser-accessible, which is convenient, but it is also the component with the worst vulnerability record by a wide margin. IPsec on FortiGate uses a different code path and has a substantially cleaner CVE history. If your use case can move, that evaluation is worth doing now rather than after the next critical disclosure.

Subscribe to PSIRT alerts. Fortinet issues advisories at fortiguard.com/psirt. You should know about a new critical before your vendor calls you.
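A small checker for the firmware step above, written for this article rather than taken from Fortinet or FortiOS: it parses the `Version:` line of `get system status` output and compares the running version against a per-branch fix table. The only threshold taken from the article is 7.2.3 for CVE-2022-42475; the sample output, the serial number and any other branch entries are constructed assumptions or placeholders to be filled from the PSIRT advisory.

```python
import re

# Constructed sample of `get system status` output. The line shape is an
# assumption based on the FortiOS CLI; the serial number is a placeholder.
SAMPLE_STATUS = """Version: FortiGate-100F v7.2.2,build1255,220801 (GA)
Security Level: 1
Firmware Signature: certified
Serial-Number: FGT100F-PLACEHOLDER
"""

VERSION_RE = re.compile(
    r"^Version:\s+(?P<model>\S+)\s+v(?P<ver>\d+\.\d+\.\d+),build(?P<build>\d+)",
    re.MULTILINE,
)

# Minimum fixed FortiOS version per release branch. Only the 7.2 entry comes
# from the article (7.2.3 quietly fixed CVE-2022-42475); every other branch must
# be added from the PSIRT advisory (FG-IR-22-398) before this table is relied on.
FIXED_VERSIONS = {
    "CVE-2022-42475": {(7, 2): (7, 2, 3)},
}

def parse_version(status_text):
    """Return (model, (major, minor, patch), build) from `get system status` output."""
    m = VERSION_RE.search(status_text)
    if m is None:
        raise ValueError("no 'Version:' line found in status output")
    version = tuple(int(part) for part in m["ver"].split("."))
    return m["model"], version, int(m["build"])

def assess(version, cve, fixed=FIXED_VERSIONS):
    """Classify a running version against the per-branch fix table for one CVE.

    Versions are compared as integer tuples so that 7.2.10 sorts after 7.2.3.
    A branch missing from the table is reported as unknown rather than fixed:
    a fix on 7.2.3 says nothing about a device on the 7.0 or 7.4 branch.
    """
    branch_table = fixed.get(cve)
    if branch_table is None:
        return "unknown-cve"
    branch = version[:2]
    if branch not in branch_table:
        return "unknown-branch"
    return "fixed" if version >= branch_table[branch] else "vulnerable"

if __name__ == "__main__":
    model, version, build = parse_version(SAMPLE_STATUS)
    print(model, ".".join(map(str, version)), "build", build)
    for cve in FIXED_VERSIONS:
        print(cve, assess(version, cve))
```

Treat "unknown-branch" as a prompt to consult the advisory, never as a pass.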

The longer-term question — whether FortiGate is the right platform — is harder to answer cleanly. Palo Alto's PAN-OS has its own record, including a critical RCE in early 2024. Sophos Firewall has had serious vulnerabilities too. No perimeter appliance is clean. What matters more than the platform is how your team manages it: are patches applied within Essential Eight timeframes, is PSIRT monitoring in place, and does your vendor disclose exploitation clearly or bury patches without advisory? If those practices are not there, switching vendors does not fix the problem.

The bottom line

Eight confirmed critical vulnerabilities, all actively exploited, spanning 2018 to 2025. A persistence mechanism that survives patching. ACSC republications of Five Eyes joint advisories. Iranian APTs, Chinese state actors, LockBit-derived ransomware. All through the same class of products.

Fortinet is not uniquely terrible, but it is specifically and repeatedly targeted in a way that demands active management, not passive trust in a patched firmware version. If you run FortiGate and you are not monitoring PSIRT advisories, applying critical patches within two weeks, and periodically reviewing your SSL-VPN exposure, you are running a documented risk.

If you want to know where your FortiGate actually stands — firmware version, SSL-VPN exposure, Essential Eight patch posture — we can assess that in a half-day engagement.

Sources: CISA/FBI Advisory AA21-321A · Fortinet PSIRT FG-IR-22-398, FG-IR-23-097, FG-IR-24-015, FG-IR-24-029, FG-IR-25-254 · NVD CVE-2024-23113 · Canadian Centre for Cyber Security advisory (CVE-2022-42475, CVE-2023-27997, CVE-2024-21762) · CISA KEV catalog · Forescout/Mora_001 research · Tenable CVE analysis
