
Fortinet CEO boasts it was voted the “most trusted” cybersecurity firm. Don't die laughing

We do SAST, we do DAST, we do fuzzing, dontcha know?

Many cybersecurity professionals started January 2024 and January 2025 responding to exploitation of critical vulnerabilities in Fortinet’s software. 

A look at CISA’s “Known Exploited Vulnerabilities” catalogue gives a hint of the product security problem that Fortinet seems to have – or at least the extent to which hackers seem able to sniff out problems in its wares.

There’s CVE-2024-55591 (authentication bypass); CVE-2024-47575 (missing authentication); CVE-2024-23112 (format string – “typically trivial to find via static analysis”); CVE-2023-48788 (SQL injection – ditto); CVE-2023-27997 (buffer overflow); and CVE-2022-40684 (authentication bypass). Many of these have been exploited in ransomware campaigns.
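To make the “trivial to find via static analysis” point concrete, here is an added illustration that is not part of the original article and has nothing to do with Fortinet’s own code or tooling: a minimal SAST-style check, written for this page, that scans a constructed C snippet for the two bug classes named above. It flags printf-family calls whose format argument is not a string literal (the classic format-string defect) and sprintf/snprintf calls that assemble an SQL statement with `%s` (the classic injection pattern). Function names, the sample source and the list of checked functions are all assumptions made for the example.

```python
import re

# printf-family functions and the index of their format argument (assumed list for this example)
FORMAT_ARG_INDEX = {
    "printf": 0, "fprintf": 1, "sprintf": 1, "snprintf": 2,
    "syslog": 1, "vprintf": 0, "vsprintf": 1,
}
CALL_RE = re.compile(r"\b(" + "|".join(FORMAT_ARG_INDEX) + r")\s*\(")
SQL_KEYWORD_RE = re.compile(r"\b(SELECT|INSERT|UPDATE|DELETE)\b", re.IGNORECASE)


def split_args(text, start):
    """Split the parenthesised argument list beginning at text[start] == '('.

    Returns (list_of_argument_strings, index_of_closing_paren), or (None, i)
    if the list is unterminated. Nested parentheses and string literals
    (including escaped quotes) are handled so commas inside them do not split.
    """
    depth, in_str, current, args, i = 0, False, [], [], start
    while i < len(text):
        ch = text[i]
        if in_str:
            current.append(ch)
            if ch == "\\":                      # keep escape sequence intact
                current.append(text[i + 1])
                i += 2
                continue
            if ch == '"':
                in_str = False
        elif ch == '"':
            in_str = True
            current.append(ch)
        elif ch == "(":
            depth += 1
            if depth > 1:
                current.append(ch)
        elif ch == ")":
            depth -= 1
            if depth == 0:
                args.append("".join(current).strip())
                return args, i
            current.append(ch)
        elif ch == "," and depth == 1:
            args.append("".join(current).strip())
            current = []
        else:
            current.append(ch)
        i += 1
    return None, i


def scan_c_source(source):
    """Return (line, function, category, detail) tuples for suspicious calls."""
    findings = []
    for m in CALL_RE.finditer(source):
        func = m.group(1)
        args, _ = split_args(source, m.end() - 1)
        idx = FORMAT_ARG_INDEX[func]
        if args is None or idx >= len(args):
            continue
        fmt = args[idx]
        line = source.count("\n", 0, m.start()) + 1
        if not fmt.startswith('"'):
            # format argument is a variable, not a literal: format-string defect candidate
            findings.append((line, func, "format-string",
                             f"non-literal format argument: {fmt}"))
        elif func in ("sprintf", "snprintf") and SQL_KEYWORD_RE.search(fmt) and "%s" in fmt:
            # an SQL statement is being built by string formatting: injection candidate
            findings.append((line, func, "sql-injection",
                             "SQL statement assembled with %s"))
    return findings


# Constructed sample input for the example; not real product code.
SAMPLE = r"""
#include <stdio.h>
void log_user(const char *name) {
    char buf[128];
    printf("user: %s\n", name);        /* literal format: fine */
    printf(name);                      /* caller-supplied format string */
    snprintf(buf, sizeof buf, "SELECT * FROM users WHERE name = '%s'", name); /* SQL built by formatting */
    fprintf(stderr, "%s", name);       /* literal format: fine */
}
""".lstrip("\n")

if __name__ == "__main__":
    for line, func, category, detail in scan_c_source(SAMPLE):
        print(f"line {line}: {func}: {category}: {detail}")
```

Run as a script it reports two findings on the sample: the bare `printf(name)` on line 5 and the `snprintf` that builds a SELECT statement on line 6, while the two literal-format calls are left alone. A production SAST tool adds parsing, data-flow tracking and far more rules, but the point of the passage stands: these two bug classes have shapes a simple pattern match can catch before release.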

For a company that supplies “over 50% of the firewalls worldwide”, as the company’s leaders put it on a Q4 earnings call, this is a non-trivial issue.

“Fortinet security solutions themselves have become critical infrastructure, protecting the critical infrastructure” – Fortinet CFO Keith Jensen. 

Yet as Fortinet closed its financial year with a Q4 earnings call on February 6, this did not seem to have the faintest impact on results – total revenues were up 17% and it added a stunning 6,900 new logos during the quarter.

And in fact, CEO Ken Xie took a moment to proudly announce that Fortinet was the only cybersecurity company in the top 50 of Forbes “Most Trusted Companies in America” list. Take that, critics. (Forbes lists have issues.)

Generating revenues for IR firms too.

Fortinet, of course, is not the only edge appliance (firewall/SSLVPN etc.) provider seeing its products come under sustained probing by hackers looking for an unprotected-by-EDR beachhead onto enterprise networks. 

A family of advisories by the Five Eyes intelligence community earlier in February emphasised that “cyber threat actors have increasingly exploited vulnerabilities in edge devices to compromise organizations worldwide…”

“Five Eyes partners have been warning about this threat since early 2024. Targeting edge devices has now become a tactic of choice for many cyber threat actors, including state-sponsored actors,” they added.

The agencies, including the NSA and the UK’s NCSC, urged IT buyers to “explicitly demand product security as part of the procurement process.”

Buyers should, they said, “apply caution when selecting edge device vendors. This includes reviewing a vendor’s history of patch releases and response times to newly discovered vulnerabilities. They should assess the vendor’s transparency in disclosing security vulnerabilities and their history of addressing them… [and] track deliveries and maintain assurance that malicious actors have not tampered with edge devices.”

Their detailed mitigation guidance for practitioners is here.

Fortinet has promised to abide by CISA’s “Secure by Design” principles, saying that the company conducts “static application security testing (SAST) and software composition analysis built into its build processes, dynamic application security testing (DAST), vulnerability scanning, and fuzzing prior to each release, as well as penetration testing and manual code audits” – and said its own team found 80% of 2023’s Fortinet bugs.

Customers do not seem to have been put off by Fortinet product exploitation. It may simply have prompted many to upgrade to more modern products from the same partner: “In the fourth quarter, we saw early upgrade movement with large enterprises, both on buying plans and actual purchases. We expect the momentum to build as we move into the second half of 2025 [presenting] a substantial upsell opportunity for SASE switches, access points and SecOps solutions” said its CFO. 

Among those 6,400 new logos were some whales. As CFO Jensen noted: “In a high seven-figure deal, a large energy company expanded its partnership with us by signing its first enterprise agreement to protect this global critical infrastructure. This customer secures its infrastructure using FortiGates across approximately 1,000 sites, spanning branch locations, data centers and cloud environments,” he said on the Q4 call. 

It really is trusted. 

It’s just trusted to generate work by incident response professionals too – and perhaps, perhaps, perhaps that’s simply not a Fortinet problem. 

Your views?
