PatchDay Alert
Analysis · Commentary · By The Commentary Desk · 6 min read · 1,285 words

Five critical Fortinet CVEs in 28 months is not a streak of bad luck

Three heap overflows, two auth bypasses, all pre-auth, all ransomware-linked. The pattern in FortiOS and FortiProxy is structural, and patching alone has not been enough to remove attacker access.


In June 2023, Bishop Fox scanned internet-facing FortiGate appliances and found that 69% were still unpatched against CVE-2023-27997, a pre-auth heap overflow nicknamed XORtigate. That was the second critical SSL-VPN vulnerability in six months. Three more have followed since. All five are pre-authentication. All five are in CISA’s Known Exploited Vulnerabilities catalog. All five are ransomware-linked. Fortinet serves over 775,000 customers. At that scale, every critical CVE lands on tens of thousands of networks, and Fortinet has had five.

The five CVEs, briefly

The cluster splits neatly into two attack surfaces, both internet-exposed by design.

The SSL-VPN daemon (sslvpnd), 2022 to 2024. CVE-2022-42475 (December 2022): heap buffer overflow from a numeric truncation error. CVE-2023-27997 (June 2023): heap overflow in the pre-auth path, where the code sizes its decryption by the length of a hex-encoded string rather than by the decoded byte count; hex is two characters per byte, so the decrypted write runs to roughly twice the space set aside for it. CVE-2024-21762 (February 2024): out-of-bounds write via crafted HTTP requests. Same daemon, same privilege level (root), same outcome (remote code execution). All CVSS 9.8. FortiOS uses jemalloc with predictable LIFO allocation and no heap hardening, so exploitation is not theoretical. It is reliable.
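To make the length confusion concrete, here is an added example, schematic code written for this piece and not Fortinet's sslvpnd: a decoder for a hex-encoded, salt-prefixed, XOR-encrypted parameter in the shape the paragraph describes. The vulnerable variant bounds its decryption loop by the hex character count while the destination is sized by the decoded byte count, so it writes twice the allocation; the hardened variant derives the byte count first and rejects before writing. The 4-byte salt layout, the stand-in keystream, the sample input and every name are assumptions; the real keystream derivation is irrelevant to the bug.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SALT_LEN 4                        /* assumed: 4 salt bytes, 8 hex chars */
static const char KEY[] = "stand-in-key"; /* assumed stand-in for the static key */

typedef enum { DEC_OK = 0, DEC_ERR_LEN, DEC_ERR_HEX, DEC_ERR_CAP } dec_status;

static int hexval(int c) {
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Stand-in keystream byte. The real product derives a stream from a hash of
 * salt and key; the derivation does not matter for the length bug. */
static uint8_t ks(const uint8_t *salt, size_t i) {
    return (uint8_t)(KEY[i % (sizeof KEY - 1)] ^ salt[i % SALT_LEN]);
}

static int all_hex(const char *s) {
    for (; *s; s++) if (hexval(*s) < 0) return 0;
    return 1;
}

static void read_salt(const char *enc, uint8_t salt[SALT_LEN]) {
    for (size_t i = 0; i < SALT_LEN; i++)
        salt[i] = (uint8_t)(hexval(enc[2 * i]) << 4 | hexval(enc[2 * i + 1]));
}

/* Vulnerable shape. payload_hex counts hex characters; the destination is
 * sized for payload_hex/2 decoded bytes, but the decrypt loop runs once per
 * hex character and writes payload_hex bytes: twice the allocation.
 * To observe this without undefined behaviour, the writes go into a caller
 * supplied scratch area larger than the "allocation", filled with a canary
 * beyond the allocated bytes. Returns 1 if the canary was clobbered (the
 * overflow), 0 if not, -1 on malformed input or a too-small scratch area. */
int vuln_decrypt_clobbers_canary(const char *enc, uint8_t *scratch, size_t scratch_len) {
    size_t hex_len = strlen(enc);
    if (hex_len < 2 * SALT_LEN || hex_len % 2 || !all_hex(enc)) return -1;
    size_t payload_hex = hex_len - 2 * SALT_LEN;
    size_t alloc = payload_hex / 2;            /* what malloc() would have got */
    if (payload_hex > scratch_len) return -1;  /* keep the demo inside scratch */
    uint8_t salt[SALT_LEN];
    read_salt(enc, salt);
    memset(scratch, 0xAA, scratch_len);        /* canary past the allocation */
    const char *p = enc + 2 * SALT_LEN;
    for (size_t i = 0; i < payload_hex; i++)   /* bug: bound is the hex count */
        scratch[i] = (uint8_t)(hexval(p[i]) ^ ks(salt, i));
    for (size_t i = alloc; i < scratch_len; i++)
        if (scratch[i] != 0xAA) return 1;
    return 0;
}

/* Hardened shape: derive the decoded byte count explicitly, reject before
 * writing if it exceeds the destination, and bound the loop by that count. */
dec_status safe_decrypt(const char *enc, uint8_t *out, size_t out_cap, size_t *out_len) {
    size_t hex_len = strlen(enc);
    if (hex_len < 2 * SALT_LEN || hex_len % 2) return DEC_ERR_LEN;
    if (!all_hex(enc)) return DEC_ERR_HEX;
    size_t n = (hex_len - 2 * SALT_LEN) / 2;   /* decoded payload bytes */
    if (n > out_cap) return DEC_ERR_CAP;
    uint8_t salt[SALT_LEN];
    read_salt(enc, salt);
    const char *p = enc + 2 * SALT_LEN;
    for (size_t i = 0; i < n; i++) {
        uint8_t b = (uint8_t)(hexval(p[2 * i]) << 4 | hexval(p[2 * i + 1]));
        out[i] = (uint8_t)(b ^ ks(salt, i));
    }
    *out_len = n;
    return DEC_OK;
}

/* Builds a well-formed enc string (hex salt || hex(plain XOR keystream)) so
 * both decoders can be exercised on constructed input. */
int encode_enc(const uint8_t salt[SALT_LEN], const uint8_t *plain, size_t n,
               char *out, size_t out_cap) {
    static const char hx[] = "0123456789abcdef";
    if (out_cap < 2 * (SALT_LEN + n) + 1) return -1;
    size_t k = 0;
    for (size_t i = 0; i < SALT_LEN; i++) {
        out[k++] = hx[salt[i] >> 4]; out[k++] = hx[salt[i] & 15];
    }
    for (size_t i = 0; i < n; i++) {
        uint8_t c = (uint8_t)(plain[i] ^ ks(salt, i));
        out[k++] = hx[c >> 4]; out[k++] = hx[c & 15];
    }
    out[k] = '\0';
    return 0;
}

int main(void) {
    const uint8_t salt[SALT_LEN] = {1, 2, 3, 4};   /* constructed sample */
    const char *msg = "hostcheck";
    char enc[64]; uint8_t out[32], scratch[64]; size_t n = 0;
    encode_enc(salt, (const uint8_t *)msg, strlen(msg), enc, sizeof enc);
    printf("enc=%s\n", enc);
    printf("vulnerable loop overflowed: %d\n",
           vuln_decrypt_clobbers_canary(enc, scratch, sizeof scratch));
    printf("hardened decode: status %d, %zu bytes\n",
           safe_decrypt(enc, out, sizeof out, &n), n);
    return 0;
}
```

The vulnerable routine writes into an oversized scratch buffer with a canary after the would-be allocation, so the overflow is observed rather than triggered as undefined behaviour. On the real daemon the same extra bytes land in whatever jemalloc placed next, which is why a predictable allocator turns a length bug into a reliable primitive.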

The management plane, 2025. CVE-2024-55591 (January 2025): the Node.js WebSocket module at /ws/cli/ accepts any value as local_access_token because the REST API behind it authenticates a request on the basis that it appears to come from localhost. Result: unauthenticated super-admin CLI access. CVE-2025-24472 (March 2025, CVSS 8.1): an attacker who knows the upstream and downstream device serial numbers can forge CSF proxy requests that the API accepts as legitimate fabric peer traffic. Same outcome, slightly higher attack complexity because the serial numbers are a prerequisite. Both share a single advisory and a single patch level per branch (7.0.17 on the 7.0 branch).
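A schematic of the trust shortcut described above, added here and not Fortinet's code: a network-facing handler relays requests to an internal API over loopback, and the vulnerable API treats a loopback source as authentication, so the token value never gets compared. The hardened API checks the token and ignores origin. The token value, the struct layout, the constructed request and the function names are assumptions.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumed stand-in for the token the management plane issues; its real
 * value and lifetime are not modelled. */
static const char ISSUED_TOKEN[] = "stand-in-local-access-token";

struct request {
    const char *path;        /* "/ws/cli/" in the case discussed above */
    const char *token;       /* the local_access_token value the caller sent */
    bool from_loopback;      /* what the receiving component observes */
};

/* Length-independent compare: walks the longer string so a wrong token of
 * any length takes the same time as the right one. */
static bool ct_equal(const char *a, const char *b) {
    size_t la = strlen(a), lb = strlen(b);
    size_t n = la > lb ? la : lb;
    unsigned diff = (unsigned)(la ^ lb);
    for (size_t i = 0; i < n; i++)
        diff |= (unsigned)(a[i < la ? i : la] ^ b[i < lb ? i : lb]);
    return diff == 0;
}

/* Vulnerable authorisation: a loopback source is accepted as identity, so
 * for local callers the token's value is never compared. */
bool api_authorize_vuln(const struct request *r) {
    if (r->from_loopback) return r->token != NULL;   /* any value passes */
    return r->token != NULL && ct_equal(r->token, ISSUED_TOKEN);
}

/* Hardened authorisation: where the request came from is not an identity.
 * Only a token matching the issued one is accepted, from anywhere. */
bool api_authorize_fixed(const struct request *r) {
    return r->token != NULL && ct_equal(r->token, ISSUED_TOKEN);
}

/* The network-facing WebSocket handler forwards to the internal API over
 * loopback. Whatever the external client looked like, the API sees a
 * request from localhost; this hop is what turns the trust shortcut into
 * an unauthenticated path. Returns whether the API granted the request. */
bool ws_cli_forward(const struct request *external,
                    bool (*api_authorize)(const struct request *)) {
    struct request internal = *external;
    internal.from_loopback = true;                  /* origin collapses here */
    return api_authorize(&internal);
}

int main(void) {
    struct request attacker = { "/ws/cli/", "anything", false }; /* constructed */
    printf("vulnerable API via /ws/cli/: %s\n",
           ws_cli_forward(&attacker, api_authorize_vuln) ? "granted" : "denied");
    printf("hardened API via /ws/cli/:   %s\n",
           ws_cli_forward(&attacker, api_authorize_fixed) ? "granted" : "denied");
    return 0;
}
```

The point the code makes is that the bug is not in the token check but in a component that never runs it for a source it assumed could only be itself; a relay on the same host satisfies that assumption for anyone on the internet.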

Three heap overflows in one daemon. Two authentication bypasses in the management plane. The common thread is not the bug class. It is the attack surface: internet-exposed, handling attacker-controlled input, running as root, written in C/C++ without modern memory-safety primitives, on an opaque operating system with less external audit than commodity software.

Who showed up

The actors changed over time. The entry point did not. Mandiant attributed CVE-2022-42475 to UNC3886, a Chinese state-sponsored group that deployed BOLDMOVE, a custom RAT built specifically for FortiGate hardware. BOLDMOVE could disable logging, manipulate elog files, and create reverse shells. The Dutch military intelligence services confirmed with high confidence that Chinese actors also deployed a separate RAT called COATHANGER via the same CVE against the Netherlands Ministry of Defence. Approximately 20,000 FortiGate devices were compromised globally.

By 2025, the actors had shifted. Forescout identified Mora_001, a LockBit-linked operator sharing a Tox messaging ID with LockBit operators, deploying SuperBlack ransomware (a modified LockBit 3.0 build) via CVE-2024-55591 and CVE-2025-24472. Arctic Wolf documented the “Console Chaos” campaign in four phases: scanning, reconnaissance, account creation, credential harvesting. Zero-day exploitation began mid-November 2024, two full months before Fortinet published its January 14, 2025 advisory.

State actors got patient access. Ransomware operators got fast money. The appliance served both equally well.

Patching did not end it

In April 2025, Fortinet disclosed that attackers who had exploited the three SSL-VPN CVEs had planted symbolic links in the directory that serves SSL-VPN language files, linking the user filesystem to the root filesystem. The effect was read-only access to the root filesystem: /etc/, configurations, credentials. The symlinks survived patching. You could upgrade to the fixed version and the attacker’s foothold would persist, untouched, because the vulnerability was closed but the backdoor was not.

CERT-FR confirmed a “massive wave of attacks” dating to early 2023. Shadowserver counted 16,620 compromised devices globally as of mid-April 2025. Asia had 7,886. Europe had 3,766. North America had 3,217. Fortinet addressed the symlink in later releases. Then, in February 2026, ITRES Labs published a bypass of the symlink removal patch itself (CVE-2025-68686), continuing the cycle. Patch the vulnerability. Discover the persistence mechanism. Patch the persistence mechanism. Discover the bypass. The treadmill has not stopped.

“Responsible radical transparency”

Fortinet published a press release in May 2024 claiming “responsible radical transparency” as a corporate value. The external record is less flattering.

CVE-2022-42475 was patched in November 2022 and disclosed in December, after exploitation had been running since October. Olympe Cyberdefense published independently, forcing the disclosure. CVE-2023-27997 was patched June 8, 2023 and disclosed June 13; watchTowr reproduced the exploit from the patch diff before the advisory shipped. CVE-2024-21762 was disclosed during the same week Fortinet told a researcher that two new FortiSIEM CVEs were “NVD errors,” then reversed course when the researcher published the confirming email. CVE-2024-55591 had two months of zero-day exploitation before the January 2025 advisory. CVE-2025-24472 was patched in January alongside CVE-2024-55591 but not publicly disclosed until February 11. CSO Online called it another instance of silent patching.

The pattern is consistent: ship the patch, delay the advisory, let defenders infer urgency from the version number rather than from the severity of the threat. This is not transparency. This is information asymmetry dressed up in a press release. Sophisticated actors diff patches. The people who need the advisory most, the under-resourced teams running aging FortiGate hardware at the network edge, are the last to know.

The structural problem

This is not unique to Fortinet. Ivanti has 16 exploited KEV entries since 2024. Palo Alto Networks has 10, including the CVSS 10.0 CVE-2024-3400. Cisco has 8 exploited KEV entries since 2024. The perimeter appliance class is broken industry-wide.

What distinguishes Fortinet is market density. Over 50% of global firewall shipments by unit volume. When you sell more edge devices than anyone else, your bugs become everyone’s problem. CISA, FBI, and Five Eyes partners published formal guidance in June 2024 urging migration from VPN appliances to Zero Trust and SASE architectures. The NSA published edge device security guidance in February 2025. In February 2026, CISA gave federal agencies 18 months to identify and purge unsupported edge devices. The policy apparatus is not being subtle about where this is heading.

Fortinet has begun deprecating SSL-VPN on low-memory hardware and removed SSL-VPN tunnel mode entirely in FortiOS 7.6.3. They have added firmware integrity validation and IMA filesystem checking. They have not committed to a memory-safe language migration for sslvpnd or a change to their silent-patch disclosure practice. The steps they are taking say they know the attack surface is irredeemable. The steps they are not taking say they are not ready to say so publicly.

What to do with this

If you run FortiGate, upgrade to the April 2025 target versions (7.6.2, 7.4.7, 7.2.11, 7.0.17, or 6.4.16). A single upgrade to 7.0.17 on the 7.0.x branch patches CVE-2024-55591, CVE-2025-24472, and removes the symlink backdoor.

Then assume prior compromise. Check for symlinks in /data/lib/locale/ and /var/www/sslvpn/locale/. Audit all admin accounts and look for 6-character random alphanumeric names. Rotate every credential stored on or transiting the device: admin passwords, VPN user credentials, LDAP bind accounts, RADIUS secrets, certificate private keys. Restrict management interfaces to internal or out-of-band networks. Disable SSL-VPN if it is not operationally required. Fortinet’s own product trajectory telegraphs that they consider it irredeemably risky.
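For the symlink check, here is an added example, not a FortiOS command: a POSIX C scanner for the persistence pattern described earlier, a symlink inside a served directory whose target resolves outside it. It uses lstat so the link itself is inspected rather than followed, realpath to resolve the target, and a prefix test against the canonical directory. It builds its own constructed demo tree under a temporary directory; the directory and file names are assumptions, and the appliance paths named above are not touched.

```c
#define _GNU_SOURCE
#include <dirent.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

#ifndef PATH_MAX
#define PATH_MAX 4096
#endif

/* 1 if the symlink at `path` resolves outside the canonical directory `root`
 * (or cannot be resolved at all), 0 if it stays inside. */
static int link_escapes(const char *root, const char *path) {
    char resolved[PATH_MAX];
    if (!realpath(path, resolved)) return 1;      /* dangling: treat as suspect */
    size_t rl = strlen(root);
    if (strncmp(resolved, root, rl) != 0) return 1;
    return (resolved[rl] == '/' || resolved[rl] == '\0') ? 0 : 1;
}

/* Scans one served directory (non-recursive, like a language-file folder)
 * and counts symlinks whose targets resolve outside it. Copies the first
 * offending entry name into `first`. Returns -1 if the directory is unreadable. */
int count_escaping_symlinks(const char *dir, char *first, size_t first_cap) {
    char root[PATH_MAX], path[2 * PATH_MAX];
    if (!realpath(dir, root)) return -1;
    DIR *d = opendir(root);
    if (!d) return -1;
    int n = 0;
    struct dirent *e;
    while ((e = readdir(d)) != NULL) {
        if (!strcmp(e->d_name, ".") || !strcmp(e->d_name, "..")) continue;
        snprintf(path, sizeof path, "%s/%s", root, e->d_name);
        struct stat st;
        /* lstat inspects the link itself; stat would silently follow it */
        if (lstat(path, &st) != 0 || !S_ISLNK(st.st_mode)) continue;
        if (link_escapes(root, path)) {
            if (n == 0 && first && first_cap) snprintf(first, first_cap, "%s", e->d_name);
            n++;
        }
    }
    closedir(d);
    return n;
}

/* Creates a constructed demo tree under mkdtemp() and returns its "locale"
 * directory in `out`:
 *   locale/en.json        regular file
 *   locale/fr -> en.json  relative link that stays inside the folder
 *   locale/ui -> /        the pattern above: a link out to the root filesystem */
int build_demo_tree(char *out, size_t out_cap) {
    const char *tmp = getenv("TMPDIR");
    if (!tmp) tmp = "/tmp";
    char base[PATH_MAX], locale[PATH_MAX], p[PATH_MAX];
    snprintf(base, sizeof base, "%s/locale-demo-XXXXXX", tmp);
    if (!mkdtemp(base)) return -1;
    snprintf(locale, sizeof locale, "%s/locale", base);
    if (mkdir(locale, 0700) != 0) return -1;
    snprintf(p, sizeof p, "%s/en.json", locale);
    FILE *fp = fopen(p, "w");
    if (!fp) return -1;
    fputs("{}\n", fp);
    fclose(fp);
    snprintf(p, sizeof p, "%s/fr", locale);
    if (symlink("en.json", p) != 0) return -1;
    snprintf(p, sizeof p, "%s/ui", locale);
    if (symlink("/", p) != 0) return -1;
    snprintf(out, out_cap, "%s", locale);
    return 0;
}

int main(void) {
    char dir[PATH_MAX], first[256] = "";
    if (build_demo_tree(dir, sizeof dir) != 0) return 1;
    int n = count_escaping_symlinks(dir, first, sizeof first);
    printf("%s: %d escaping symlink(s), first: %s\n", dir, n, first);
    return 0;
}
```

The same prefix test is the guard a web server should apply before serving anything from a directory that untrusted code has ever been able to write to; the persistence above worked precisely because the served path was trusted by location rather than by what it resolved to.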

Treat Fortinet advisories as day-zero events. The gap between exploitation start and public advisory is documented at weeks to months. PatchDay Alert tracks KEV additions the day they land, which in Fortinet’s case has consistently been the first reliable signal that something is wrong.

The persistence mechanism survived patching. The patch bypass survived the persistence fix. And the vendor’s disclosure practice still ensures that the people diffing firmware updates are not the people who need the advisory most. Fortinet is not having a bad year. They are running a codebase that keeps producing the same class of failure on the same internet-facing daemon, and responding to each instance by shipping the fix quietly enough that sophisticated actors learn about it before their own customers do.
