Last updated: April 26, 2026
Fortinet FortiGate and FortiManager have produced critical CVEs at a sustained cadence — CVE-2022-40684 (FortiOS auth bypass), CVE-2024-23113 (FortiManager RCE), CVE-2024-47575 (FortiManager FortiManager auth bypass and RCE). Each has been mass-exploited; each has the same pattern. This article covers the recent Fortinet CVE history, the IoCs, and the strategic question for organisations heavily invested in Fortinet’s stack.
The recent CVE roster
| CVE | Year | Product | Type |
|---|---|---|---|
| CVE-2022-40684 | 2022 | FortiOS / FortiProxy | Authentication bypass |
| CVE-2023-27997 | 2023 | FortiOS SSL-VPN | Heap overflow → RCE (XORtigate) |
| CVE-2024-21762 | 2024 | FortiOS SSL-VPN | Out-of-bounds write → RCE |
| CVE-2024-23113 | 2024 | FortiManager | Format string → RCE |
| CVE-2024-47575 | 2024 | FortiManager | Missing auth → RCE |
The pattern: FortiOS or FortiManager, internet-facing component, pre-auth or low-auth path to RCE.
What attackers do post-exploit
- Add a hidden administrative account — survives reboot, persists across patches
- Modify firewall rules to permit attacker IP ranges
- Pivot to internal network — FortiGate is by definition between the internet and your network
- Harvest VPN-user credentials from session logs
- Establish C2 callback through the firewall using legitimate-looking traffic
IoCs (composite from Fortinet PSIRT advisories)
- Unknown super-admin accounts; check via
diagnose sys top+ admin user list - Modified
config globalentries — scheduled command execution, custom syslog destinations - Outbound traffic from the FortiGate’s mgmt interface to non-admin IPs
- FortiManager DB modifications outside of legitimate change windows
- SSH key entries in admin authorisation lists not corresponding to known admins
Mitigation pattern
- Apply patches within 24-72 hours of FortiGuard advisories. Critical CVEs do not wait for change-control.
- Run Fortinet’s IoC hunt scripts post-disclosure.
- If IoCs match, factory-reset and rebuild from clean configuration backup.
- Restrict management interface to specific IP ranges (out-of-band management network).
- Disable SSL-VPN if not used; if used, restrict to specific countries / IP ranges.
- Forward Fortinet logs to SIEM; alert on admin-account modifications.
The strategic question for Fortinet-heavy environments
Many Indian enterprises standardised on Fortinet over the past decade. The CVE cadence creates a real question: continue investing in Fortinet (with hardened patching SLA) or diversify?
The case for continued investment:
- Migration cost is high (rules, integrations, staff training)
- Other vendors have similar CVE rates
- Fortinet’s response has improved (faster patches, ICT-style tools, better customer comms)
The case for diversification:
- Multi-vendor strategy reduces blast radius from any single vendor’s CVE
- Cloud-native security (AWS Network Firewall, Azure Firewall, Cloudflare Magic Transit) reduces appliance dependency
- ZTNA reduces the importance of the perimeter firewall
Most organisations end up doing both — keeping Fortinet for legacy network security while adopting ZTNA + cloud-native for new architectures. The transition is multi-year.
Compliance angle
- RBI Cyber Framework — patching SLA on critical infrastructure explicitly required
- CERT-In April 2022 — exploitation of disclosed network device CVEs reportable
- SEBI CSCRF — perimeter security as part of Q-RE/MII baseline
The takeaway
Fortinet CVEs are part of a broader pattern: edge-network devices are a high-priority attack surface that demands aggressive patching SLA and post-CVE IoC hunting. Whether you stay on Fortinet, switch, or diversify, the operational discipline is the same — 7-day patch SLA, IoC hunting playbook, management interface segregation, and ZTNA migration where feasible.
Get a VAPT scoping call
Senior practitioner-led VAPT — not a checklist run by juniors. CVSS-scored findings, free retest, attestation letter. India's SMBs and SaaS teams.