Hard-coded credentials, weak encryption, and the other weakness classes catalogued in the OWASP Top 10 are not minor oversights; they are failures of secure software design. Their repeated appearance in Fortinet products points to development practices that have exposed entire networks to exploitation. A "magic string" that substitutes for a user's current password in a password-change flow, or a cryptographic key compiled into every shipped unit, may have been introduced at a customer's request, but once such a feature reaches the general release it is indistinguishable from a backdoor: every deployment shares the same secret, and anyone who extracts it from one device can use it against all of them. These are not isolated bugs but systemic flaws that undermine trust in the product and put organizations at risk. I critique Fortinet not to single them out unfairly but to emphasize the importance of secure coding practices in protecting users from preventable threats. Security is not only about fixing vulnerabilities; it is about building systems that do not introduce them in the first place.
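To make the "magic string" failure concrete, here is an added example written for this page; it is not Fortinet's code and does not reproduce any Fortinet implementation. The MAGIC_STRING value, the user names and the passwords are constructed for the demonstration. The vulnerable handler accepts a fixed string in place of the user's current password, which is the pattern the Fortinet PSIRT write-up describes; the hardened handler replaces it with a server-issued reset token that is bound to one user, expires, and can be used once.

```python
import hashlib
import hmac
import os
import secrets
import time

# Hypothetical vendor "convenience" value, constructed for this example: a fixed
# string any caller may present instead of the current password.  It is identical
# in every build, so it is effectively a vendor-wide backdoor.
MAGIC_STRING = "expired-password-override"

PBKDF2_ITERATIONS = 100_000


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


def set_password(store: dict, username: str, password: str) -> None:
    """Create or overwrite the stored credential for a user (salted PBKDF2)."""
    salt = os.urandom(16)
    store[username] = {"salt": salt, "hash": _hash_password(password, salt)}


def verify_password(store: dict, username: str, password: str) -> bool:
    rec = store.get(username)
    if rec is None:
        return False
    return hmac.compare_digest(rec["hash"], _hash_password(password, rec["salt"]))


# --- Vulnerable: a static magic string is accepted as the current password ----
def change_password_vulnerable(store, username, current_password, new_password) -> bool:
    # Meant for the "password expired, user cannot log in" flow.  Anyone who learns
    # the string (firmware image, support script, forum post) can reset any account
    # on any device without knowing a single real credential.
    if current_password == MAGIC_STRING or verify_password(store, username, current_password):
        set_password(store, username, new_password)
        return True
    return False


# --- Hardened: server-issued, single-use, expiring, per-user reset token ------
class ResetTokens:
    TTL_SECONDS = 600

    def __init__(self):
        self._tokens = {}  # token -> (username, expiry)

    def issue(self, username: str) -> str:
        # The caller must have verified the request out of band (admin action,
        # e-mail verification); that step is outside this example.
        token = secrets.token_urlsafe(32)
        self._tokens[token] = (username, time.time() + self.TTL_SECONDS)
        return token

    def consume(self, token: str, username: str) -> bool:
        entry = self._tokens.pop(token, None)  # removed on first use, valid or not
        if entry is None:
            return False
        owner, expiry = entry
        return hmac.compare_digest(owner.encode(), username.encode()) and time.time() < expiry


def change_password_hardened(store, tokens, username, current_password, new_password,
                             reset_token=None) -> bool:
    if reset_token is not None:
        authorised = tokens.consume(reset_token, username)
    else:
        authorised = verify_password(store, username, current_password)
    if not authorised:
        return False
    set_password(store, username, new_password)
    return True


def demo() -> dict:
    """Run both handlers against the same scenario; returns the observed outcomes."""
    results = {}

    store = {}
    set_password(store, "alice", "correct horse battery staple")
    # The attacker knows the magic string but not alice's password.
    results["vuln_bypass"] = change_password_vulnerable(store, "alice", MAGIC_STRING, "pwned")
    results["attacker_logs_in"] = verify_password(store, "alice", "pwned")

    store = {}
    tokens = ResetTokens()
    set_password(store, "alice", "correct horse battery staple")
    results["hardened_rejects_magic"] = change_password_hardened(
        store, tokens, "alice", MAGIC_STRING, "pwned")
    token = tokens.issue("alice")
    # A token issued for alice is useless for bob, and the attempt burns it.
    results["token_for_other_user"] = change_password_hardened(
        store, tokens, "bob", "", "pwned", reset_token=token)
    token = tokens.issue("alice")
    results["hardened_token_ok"] = change_password_hardened(
        store, tokens, "alice", "", "new-pass", reset_token=token)
    results["token_replay"] = change_password_hardened(
        store, tokens, "alice", "", "again", reset_token=token)
    results["alice_logs_in"] = verify_password(store, "alice", "new-pass")
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The point of the hardened version is not the token format but its properties: it is generated by the server, tied to one account, short-lived and single-use, so no value an attacker can learn from one device works on another or works twice. A fixed string fails every one of those properties at once.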
Here are some documented cases:
- Breaking the FortiGate SSL VPN: "Attacking SSL VPN - Part 2: Breaking the Fortigate SSL VPN" (Orange Tsai)
- Remote password change vulnerability: https://www.fortinet.com/blog/psirt-blogs/fortios-ssl-vulnerability
- FortiSIEM hard-coded SSH key: "Full Disclosure: Fortinet FortiSIEM Hardcoded SSH Key"
- Hard-coded password raises new backdoor eavesdropping fears: "Et tu, Fortinet? Hard-coded password raises new backdoor eavesdropping fears" (Ars Technica)
- Some Fortinet products shipped with hard-coded encryption keys: "Some Fortinet products shipped with hardcoded encryption keys" (ZDNET)
- Multiple Fortinet products use a weak encryption cipher (XOR) and hard-coded cryptographic keys: "Weak Encryption Cipher And Hardcoded Cryptographic Keys In Fortinet Products" (SEC Consult)
- This write-up from Fortinet: "it was also disclosed and fixed in May 2019 that FortiOS included a “magic” string value that had been previously created at the request of a customer to enable users to implement a password change process when said password was expiring. That function had been inadvertently bundled into the general FortiOS release" https://www.fortinet.com/blog/psirt-blogs/fortios-ssl-vulnerability
- CVE-2023-48788, FortiClient EMS SQL injection: "CVE-2023-48788: Fortinet FortiClient EMS SQL Injection Deep Dive" (Horizon3.ai)
- CVE-2023-27997, pre-authentication remote code execution on FortiGate VPN: "XORtigate: Pre-authentication Remote Code Execution on Fortigate VPN (CVE-2023-27997)" (Lexfo's security blog)
- CVE-2024-21762, an out-of-bounds write vulnerability in SSLVPNd that could allow remote unauthenticated attackers to execute arbitrary code or commands on Fortinet SSL VPNs via specially crafted HTTP requests: "Critical Fortinet FortiOS CVE-2024-21762 Exploited" (Rapid7 Blog)
- Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'): NVD - CVE-2024-54041
- Missing authentication for critical function in FortiManager: "Investigating FortiManager Zero-Day Exploitation (CVE-2024-47575)" https://cloud.google.com/blog/topics/threat-intelligence/fortimanager-zero-day-exploitation-cve-2024-47575
- "Authentication bypass in Node.js websocket module" (PSIRT | FortiGuard Labs). Calling this an authentication bypass is generous, as there WAS NOT ANY authentication.
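The SEC Consult entry above (a weak XOR cipher combined with hard-coded keys) deserves a concrete illustration of why that combination is not encryption at all. The following is an added example written for this page, not code from Fortinet or from SEC Consult; the KEY bytes, the config header and the sample secrets are constructed for the demonstration. It shows the two attacks a practitioner would run against such a scheme: recovering the key from a single known plaintext, and recovering a second message without the key at all, because every message is XORed with the same key stream.

```python
from itertools import cycle

# Hypothetical vendor-wide key, constructed for this example, of the kind a vendor
# compiles into every firmware image.  Anyone with one image has it.
KEY = b"\x13\x37\xc0\xde\xba\xad\xf0\x0d\xde\xad\xbe\xef\x01\x02\x03\x04"


def xor_with_key(data: bytes, key: bytes) -> bytes:
    """'Encrypt' and 'decrypt' are the same operation: XOR with the repeating key."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def recover_key(known_plaintext: bytes, ciphertext: bytes, key_len: int) -> bytes:
    """Known-plaintext attack: P XOR C yields the key bytes directly.  One message
    with key_len predictable leading bytes (a file header, a config banner) is
    enough to recover the whole key and decrypt every other message under it."""
    if min(len(known_plaintext), len(ciphertext)) < key_len:
        raise ValueError("need at least key_len bytes of known plaintext and ciphertext")
    return bytes(p ^ c for p, c in zip(known_plaintext[:key_len], ciphertext[:key_len]))


def recover_other_plaintext(c1: bytes, p1: bytes, c2: bytes) -> bytes:
    """Two-time pad, no key needed: C1 XOR C2 == P1 XOR P2 because both messages
    used the same key stream, so P2 = C1 XOR C2 XOR P1 over the overlapping bytes."""
    n = min(len(c1), len(p1), len(c2))
    return bytes(a ^ b ^ p for a, b, p in zip(c1[:n], c2[:n], p1[:n]))


def demo() -> dict:
    # Constructed sample data: a config backup whose first line is predictable
    # boilerplate (the crib), and a second blob holding a different secret.
    header = b"#config-version=FOO-7.0.0"
    backup = header + b"\nset admin-password SuperSecret!\n"
    other_secret = b"set ipsec-psk 0ddb0ccaf3-hunter2\n"

    ct_backup = xor_with_key(backup, KEY)
    ct_other = xor_with_key(other_secret, KEY)

    recovered = recover_key(header, ct_backup, len(KEY))
    return {
        "key_recovered": recovered == KEY,
        "other_decrypted": xor_with_key(ct_other, recovered),
        "two_time_pad": recover_other_plaintext(ct_backup, backup, ct_other),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

Note that the second attack never touches the key, so choosing a longer or "more random" hard-coded key changes nothing. The fix is an authenticated cipher (AES-GCM or ChaCha20-Poly1305) under a key that is unique per device and provisioned or derived at install time, never stored in the firmware image; the Python standard library has no AEAD, which is why the hardened form is described here rather than shown.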