Is Fortinet That Bad?

Hard-coded credentials, weak encryption, and other vulnerabilities outlined in the OWASP Top 10 aren’t minor oversights—they are critical failures in secure software design. These issues, as repeatedly seen in Fortinet products, highlighting poor coding practices exposing entire networks to exploitation. For example, features like “magic strings” or hardcoded keys, which were introduced at the request of customers, represent a complete disregard for fundamental security principles that later made it into their global code base. These aren’t just bugs; they are systemic flaws that undermine trust in the product and put organizations at risk. I critique Fortinet not to single them out unfairly but to emphasize the importance of secure coding practices in protecting users from preventable threats. Security isn’t just about fixing vulnerabilities—it’s about building systems that don’t introduce them in the first place.

Here are some examples:

• Breaking the Fortigate SSL VPN Attacking SSL VPN - Part 2: Breaking the Fortigate SSL VPN | Orange Tsai
• Remote Password Change Vulnerability https://www.fortinet.com/blog/psirt-blogs/fortios-ssl-vulnerability
• Fortinet FortiSIEM Hardcoded SSH Key Full Disclosure: Fortinet FortiSIEM Hardcoded SSH Key
• Hard-coded password raises new backdoor eavesdropping fears Et tu, Fortinet? Hard-coded password raises new backdoor eavesdropping fears - Ars Technica
• Some Fortinet products shipped with hardcoded encryption keys Some Fortinet products shipped with hardcoded encryption keys | ZDNET
• Multiple Fortinet products use a weak encryption cipher \ “XOR”\ and hardcoded cryptographic keys Weak Encryption Cipher And Hardcoded Cryptographic Keys In Fortinet Products - SEC Consult
• This write up from Fortinet : “it was also disclosed and fixed in May 2019 that FortiOS included a “magic” string value that had been previously created at the request of a customer to enable users to implement a password change process when said password was expiring. That function had been inadvertently bundled into the general FortiOS release” https://www.fortinet.com/blog/psirt-blogs/fortios-ssl-vulnerability
• CVE-2023-48788: Fortinet FortiClient EMS SQL Injection Deep Dive CVE-2023-48788: Fortinet FortiClient EMS SQL Injection Deep Dive | Horizon3.ai
• XORtigate: Pre-authentication Remote Code Execution on Fortigate VPN (CVE-2023-27997) Lexfo's security blog - XORtigate: Pre-authentication Remote Code Execution on Fortigate VPN (CVE-2023-27997)
• The critical vulnerabilities include CVE-2024-21762, an out-of-bounds write vulnerability in SSLVPNd that could allow remote unauthenticated attackers to execute arbitrary code or commands on Fortinet SSL VPNs via specially crafted HTTP requests. Critical Fortinet FortiOS CVE-2024-21762 Exploited | Rapid7 Blog
• Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) NVD - CVE-2024-54041
• Missing authentication for critical function in FortiManager Investigating FortiManager Zero-Day Exploitation (CVE-2024-47575) https://cloud.google.com/blog/topics/threat-intelligence/fortimanager-zero-day-exploitation-cve-2024-47575
• “Authentication bypass in Node.js websocket module” Calling this an authentication bypass is generous as there WAS NOT ANY authentication. PSIRT | FortiGuard Labs

Many years ago I tested a Fortinet firewall and did not like it. I do not regret that decision after seeing this.

From Florian Roths Twitter regarding their latest disclosure
https://x.com/cyb3rops/status/1910767749221036539

Now it’s Fortinet’s turn. Their latest advisory details how a threat actor used known vulns to plant a symbolic link on FortiGate devices, maintaining read-only access even after patching. Classic post-exploitation persistence.

They mention this symbolic link multiple times but don’t give a single IOC. No path. No filename. No idea where it points. Just “trust us, we’ll clean it.”

In some firmware versions, the symlink gets removed during upgrade. In others, the AV/IPS engine does it — if it’s licensed and enabled. And many customers don’t run that.

They probably avoided sharing the actual symlink to “protect” the vulnerability. But the thing was already exploited in the wild. At this point, not publishing indicators doesn’t help defenders — it just shields Fortinet from scrutiny.

This isn’t responsible transparency. It’s invisible incident response.

If a symbolic link shows compromise, publish it. Anything less is just vendor-controlled damage control.

New POC for CVE-2025-32756

Based on this nice write up from Horizon3 here are the security failures
OWASP A5:2021 – Security Misconfiguration
OWASP A3:2021 – Injection (Command Injection via crafted POST)
OWASP A1:2021 – Broken Access Control (Unauthenticated in 2025 really?)

I bought into the mess one time, salesman/demo sold the moon, but delivered a wheel of cheese.

Issue from the starting gate, would NOT negotiate with any < 1G connections (Common on printers, and other network devices where the extra speed and HW cost is pointless), They would link, and drop seconds later. A couple days on the horn with support, this was apparently a FW issue, they had a patch it had just not made it into release. Next was dropping fiber trunks, inexplicably, just stop working, reboot would fix with no indication of what went wrong. Several same conditions so ruled out fiber and modules. An eventual FW fix made that go away but it was 1.5 years later.

The web UI was robust but buggy, it would often misreport devices, have functions that would not work (VLAN tagging), that would have to go through a few close browser try again cycles. Eventually just gave up and learned the terminal syntax, which was STILL buggy but less so.

Multiple PSU failures in switches, and a few other issues. Literally before the systems were even out of warranty they were on the to replace list. The killer was the switch that failed its PSU twice UNDER warranty, and then a third time two weeks after, of course not addressed/explained and NOW no longer under warranty, half the price of the switch to replace. When it came time to renew support, at effectively re-buying the system every 4 years. I called it quits and just put in netgear managed switches, still running to this day AFAIK.

The firewall became just an over-bloated switch controller pending replacement of the whole system network wide, all switches.

My take. They had a great idea, and a good head start to make a dent in an industry, then like UI, they got too big too fast and the focus became much more about sales, image, and profit 'till dawn… than stable product and support.

Outgrew themselves, never caught up, and since they were heavily bought into, many got stuck there. So popularity coupled with feature drive over sanity, lead to too unsustainable a product for me to take seriously anymore.

FortiWeb is marketed to protect against OWASP Top 10 threats including SQL injection. It’s literally its job. CVE-2024-5987 just dropped and it’s a SQL injection in FortiWeb itself.
You can’t make this up.

Is Fortinet Aware?

“While patch notes for FortiWeb 8.0.2 don’t include a reference or mention of any resolved vulnerabilities, the results from our internal testing labs show that 8.0.2 is mysteriously patched for this mysterious vulnerability.”

Full write up from Watchtowr about this issue:

Pre-Auth SQL Injection to RCE - Fortinet FortiWeb Fabric Connector (CVE-2025-25257) and MySQL running as root:

@LTS_Tom I need to keep this list bookmarked. We see so many potential clients begging us for Fortinet products. Sometimes they have argued with us against our recommendations.

A new Fortinet mess

Key points:

• The flaws stem from “improper verification of cryptographic signatures” meaning that a maliciously crafted SAML message (used in SSO authentication) could be accepted even though it’s forged. That gives attackers a way to bypass normal login checks.
• The vulnerability affects several Fortinet products: in particular, the report mentions that FortOS, FortiProxy, FortiSwitchManager (for CVE-2025-59718) and FortiWeb (for CVE-2025-59719) are impacted.
• Importantly: Fortinet noted that FortiCloud’s SSO login feature is not enabled by default on devices that are not registered with FortiCare.
• When an administrator registers a device with FortiCare (Fortinet’s support/licensing system), there is an option/toggle called “Allow administrative login using FortiCloud SSO” if that toggle is left enabled, then the device becomes vulnerable to the bypass, until patched or the setting is disabled.

At this point, i think they do this intentionally. There is no way they are THAT incompetent. What a mess.

I wonder if they go through any security audits. I also wonder how they are still a company. I guess people and businesses don’t really care about any of this if it is easy to use.

Literally anything else you can get your hands on. Ubiquiti for example.

Whatever i recommend, you are going to find history of vulnerabilities in it.

As I said in the Fortient video, it’s about what those vulnerabilities are not simply that they occured.

Fortinet is not fast at fixing things

Timeline
14 August 2025 – Reported vulnerabilities to Fortinet PSIRT
14 August 2025 – Confirmed receipt by Fortinet PSIRT
16 September 2025 – Fortinet reproduces findings
5 November 2025 – We inquire on timelines as 90 days is approaching
5 November 2025 – Fortinet PSIRT responds detailing 4 of 5 main branches of FortiSIEM are patched but 1 branch has not yet received the patch, and will miss a typical 90-day disclosure timeline
5 January 2026 – We inquire again on timelines as it has now been 144 days
5 January 2026 – Fortinet PSIRT responds that they hope to fix last branch and publish CVE by January patch cycle
13 January 2026 – Fortinet PSIRT advisory released
13 January 2026 – This blog post after 151 days since initial reporting

After dealing with many issues, this is what I have observed with my clients—mostly medical clinics. In many cases, Fortinet firewalls are installed by software vendors, especially EMR or CHS software companies. I won’t name them.

Whenever we try to discuss replacing the firewall with a better option, such as WatchGuard or another solution that is more reliable and easier to manage, they do not allow it. Instead, clinics are threatened that if they change the firewall, they will no longer receive support.

The interesting part is that, in many clinics, these firewalls are kept unlicensed and are essentially doing nothing—working only as basic routers with no security detection enabled.

I just wanted to share my experience. We are also forced to keep all client devices on the same network. We are not allowed to create VLANs because they are not interested in giving us access or helping us with proper network segmentation.

Clients are unaware of all this and continue operating with a flat network, where cameras, printers, IoT devices, and all other systems are on the same network with no segregation. I honestly don’t know what to say.

I’ve never had this issue with customers I supported, but they were under a managed services contract so I would have been responsible for any issues anyway. If they are a break/fix customer I can see why they want things as simple as possible. In the end, I just setup things the way I thought they should be setup since that’s part of what they paid for.

Wow

Fortinet has confirmed a new, actively exploited critical FortiCloud single sign-on (SSO) authentication bypass vulnerability, tracked as CVE-2026-24858, and says it has mitigated the zero-day attacks by blocking FortiCloud SSO connections from devices running vulnerable firmware versions.
The flaw allows attackers to abuse FortiCloud SSO to gain administrative access to FortiOS, FortiManager, and FortiAnalyzer devices registered to other customers, even when those devices were fully patched against a previously disclosed vulnerability.
The confirmation comes after Fortinet customers reported compromised FortiGate firewalls on January 21, with attackers creating new local administrator accounts via FortiCloud SSO on devices running the latest available firmware.
The attacks were initially thought to be through a patch bypass for CVE-2025-59718, a previously exploited critical FortiCloud SSO authentication bypass flaw that was patched in December 2025.
Fortinet admins reported that the hackers were logging into FortiGate devices via FortiCloud SSO using the email address cloud-init@mail.io, then creating new local admin accounts