Is Fortinet That Bad?

Hard-coded credentials, weak encryption, and other vulnerabilities outlined in the OWASP Top 10 aren’t minor oversights—they are critical failures in secure software design. These issues, as repeatedly seen in Fortinet products, highlighting poor coding practices exposing entire networks to exploitation. For example, features like “magic strings” or hardcoded keys, which were introduced at the request of customers, represent a complete disregard for fundamental security principles that later made it into their global code base. These aren’t just bugs; they are systemic flaws that undermine trust in the product and put organizations at risk. I critique Fortinet not to single them out unfairly but to emphasize the importance of secure coding practices in protecting users from preventable threats. Security isn’t just about fixing vulnerabilities—it’s about building systems that don’t introduce them in the first place.

Here are some examples:

• Breaking the Fortigate SSL VPN Attacking SSL VPN - Part 2: Breaking the Fortigate SSL VPN | Orange Tsai
• Remote Password Change Vulnerability https://www.fortinet.com/blog/psirt-blogs/fortios-ssl-vulnerability
• Fortinet FortiSIEM Hardcoded SSH Key Full Disclosure: Fortinet FortiSIEM Hardcoded SSH Key
• Hard-coded password raises new backdoor eavesdropping fears Et tu, Fortinet? Hard-coded password raises new backdoor eavesdropping fears - Ars Technica
• Some Fortinet products shipped with hardcoded encryption keys Some Fortinet products shipped with hardcoded encryption keys | ZDNET
• Multiple Fortinet products use a weak encryption cipher \ “XOR”\ and hardcoded cryptographic keys Weak Encryption Cipher And Hardcoded Cryptographic Keys In Fortinet Products - SEC Consult
• This write up from Fortinet : “it was also disclosed and fixed in May 2019 that FortiOS included a “magic” string value that had been previously created at the request of a customer to enable users to implement a password change process when said password was expiring. That function had been inadvertently bundled into the general FortiOS release” https://www.fortinet.com/blog/psirt-blogs/fortios-ssl-vulnerability
• CVE-2023-48788: Fortinet FortiClient EMS SQL Injection Deep Dive CVE-2023-48788: Fortinet FortiClient EMS SQL Injection Deep Dive | Horizon3.ai
• XORtigate: Pre-authentication Remote Code Execution on Fortigate VPN (CVE-2023-27997) Lexfo's security blog - XORtigate: Pre-authentication Remote Code Execution on Fortigate VPN (CVE-2023-27997)
• The critical vulnerabilities include CVE-2024-21762, an out-of-bounds write vulnerability in SSLVPNd that could allow remote unauthenticated attackers to execute arbitrary code or commands on Fortinet SSL VPNs via specially crafted HTTP requests. Critical Fortinet FortiOS CVE-2024-21762 Exploited | Rapid7 Blog
• Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) NVD - CVE-2024-54041
• Missing authentication for critical function in FortiManager Investigating FortiManager Zero-Day Exploitation (CVE-2024-47575) https://cloud.google.com/blog/topics/threat-intelligence/fortimanager-zero-day-exploitation-cve-2024-47575
• “Authentication bypass in Node.js websocket module” Calling this an authentication bypass is generous as there WAS NOT ANY authentication. PSIRT | FortiGuard Labs

Many years ago I tested a Fortinet firewall and did not like it. I do not regret that decision after seeing this.

From Florian Roths Twitter regarding their latest disclosure
https://x.com/cyb3rops/status/1910767749221036539

Now it’s Fortinet’s turn. Their latest advisory details how a threat actor used known vulns to plant a symbolic link on FortiGate devices, maintaining read-only access even after patching. Classic post-exploitation persistence.

They mention this symbolic link multiple times but don’t give a single IOC. No path. No filename. No idea where it points. Just “trust us, we’ll clean it.”

In some firmware versions, the symlink gets removed during upgrade. In others, the AV/IPS engine does it — if it’s licensed and enabled. And many customers don’t run that.

They probably avoided sharing the actual symlink to “protect” the vulnerability. But the thing was already exploited in the wild. At this point, not publishing indicators doesn’t help defenders — it just shields Fortinet from scrutiny.

This isn’t responsible transparency. It’s invisible incident response.

If a symbolic link shows compromise, publish it. Anything less is just vendor-controlled damage control.

New POC for CVE-2025-32756

Based on this nice write up from Horizon3 here are the security failures
OWASP A5:2021 – Security Misconfiguration
OWASP A3:2021 – Injection (Command Injection via crafted POST)
OWASP A1:2021 – Broken Access Control (Unauthenticated in 2025 really?)

I bought into the mess one time, salesman/demo sold the moon, but delivered a wheel of cheese.

Issue from the starting gate, would NOT negotiate with any < 1G connections (Common on printers, and other network devices where the extra speed and HW cost is pointless), They would link, and drop seconds later. A couple days on the horn with support, this was apparently a FW issue, they had a patch it had just not made it into release. Next was dropping fiber trunks, inexplicably, just stop working, reboot would fix with no indication of what went wrong. Several same conditions so ruled out fiber and modules. An eventual FW fix made that go away but it was 1.5 years later.

The web UI was robust but buggy, it would often misreport devices, have functions that would not work (VLAN tagging), that would have to go through a few close browser try again cycles. Eventually just gave up and learned the terminal syntax, which was STILL buggy but less so.

Multiple PSU failures in switches, and a few other issues. Literally before the systems were even out of warranty they were on the to replace list. The killer was the switch that failed its PSU twice UNDER warranty, and then a third time two weeks after, of course not addressed/explained and NOW no longer under warranty, half the price of the switch to replace. When it came time to renew support, at effectively re-buying the system every 4 years. I called it quits and just put in netgear managed switches, still running to this day AFAIK.

The firewall became just an over-bloated switch controller pending replacement of the whole system network wide, all switches.

My take. They had a great idea, and a good head start to make a dent in an industry, then like UI, they got too big too fast and the focus became much more about sales, image, and profit 'till dawn… than stable product and support.

Outgrew themselves, never caught up, and since they were heavily bought into, many got stuck there. So popularity coupled with feature drive over sanity, lead to too unsustainable a product for me to take seriously anymore.