Five-Year-Old Fortinet 2FA Bypass Vulnerabilities Linger in Thousands of Exposed Firewalls

You might expect that five years would be long enough for critical vulnerabilities to disappear from active use, yet the reality of IT operations is rarely so straightforward. This week brings the unwelcome news that over 10,000 Fortinet firewalls remain exposed on the open internet, still susceptible to a two-factor authentication (2FA) bypass bug first documented back in 2018.

Despite Fortinet having released patches years ago, many of these devices remain unpatched, presenting a considerable security risk for the organisations relying on them. These lingering vulnerabilities are not simply a relic of forgotten assets; they persist thanks to a tangle of operational challenges that will be familiar to most IT professionals, and they leave those responsible for keeping infrastructure secure with a perimeter they cannot vouch for.

The primary risk lies in the remote authentication path. In simple terms, an attacker can sidestep the second authentication factor, the control meant to stop a stolen, guessed or reused password from being enough on its own, and reach the management interface with the password alone. A 2FA bypass does not remove the need for valid credentials; it removes the safety net that was supposed to make a leaked credential survivable. For devices serving as edge firewalls, that safety net is often the only thing standing between a credential-stuffing attempt and administrative control of the device.

Several factors continue to stand in the way of remediation. Some devices are legacy hardware, overlooked and left behind after infrastructure migrations. Patch management remains reactive rather than proactive; too often teams adopt an 'if it isn't broken, don't reboot it' approach. Inadequate asset inventory practices frequently obscure what is truly at risk, since a firewall that is not in the inventory is never on the patch list. Additionally, change freeze policies, originally designed to safeguard uptime, often become a permanent fixture, impeding timely updates. The result is a situation where, despite the best intentions, patching and maintenance so easily slip down the priority list.

While it might be tempting to attribute all this to overstretched IT teams, the challenge is more complex. Communication from vendors, the practicalities of patch deployment, and conflicting business imperatives all play their part in sustaining these exposed systems.

So what can be done? First, if you manage FortiGate appliances or any edge firewall, schedule an immediate audit of your configurations and public-facing interfaces: confirm the firmware version actually running on each device, and confirm that administrative access (HTTPS, SSH and the like) is not reachable from the internet-facing interfaces at all, regardless of patch level. Treat patching as a critical security task; it is rarely a question of 'if' but 'when' an unpatched, exposed system is targeted. And remember, two-factor authentication is not a cure-all; even robust controls are undermined by unresolved vulnerabilities in the device that enforces them.
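The audit described above can be scripted against configuration backups rather than done by hand on each box. The following is an added example written for this article, not code from the original story or from Fortinet: it parses a constructed FortiGate configuration backup, reads the firmware version from the `#config-version=` header, compares it as integer tuples against a minimum fixed version per release branch (the `MIN_FIXED` values are placeholders, since the article does not list the fixed builds; substitute the versions from the vendor advisory), and flags any WAN-role interface whose `allowaccess` list includes a management protocol. The device model, build string and addresses in the sample are made up.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: a trimmed FortiGate configuration backup. Real backups
# begin with a '#config-version=' header of this shape; the model, build and
# addresses here are invented for the example.
SAMPLE_CONFIG = """\
#config-version=FGT60F-7.0.9-FW-build0444-221024:opmode=0:vdom=0:user=admin
config system global
    set admin-sport 443
    set hostname "edge-fw-01"
end
config system interface
    edit "wan1"
        set vdom "root"
        set ip 203.0.113.10 255.255.255.0
        set allowaccess ping https ssh
        set type physical
        set role wan
        config ipv6
            set ip6-allowaccess ping
        end
    next
    edit "wan2"
        set vdom "root"
        set ip 198.51.100.10 255.255.255.0
        set allowaccess ping
        set type physical
        set role wan
    next
    edit "internal"
        set vdom "root"
        set ip 192.168.1.99 255.255.255.0
        set allowaccess ping https ssh http fgfm
        set type physical
        set role lan
    next
end
"""

# Protocols that expose an administrative login surface. Any of these on a
# WAN-role interface is a finding, whatever the patch level.
MGMT_PROTOCOLS = {"https", "http", "ssh", "telnet"}

# Hypothetical minimum fixed versions per release branch (assumed values;
# replace with the builds from the vendor advisory). A branch missing from
# this table is treated as unpatched, which is the safe default for old
# or end-of-life branches.
MIN_FIXED = {(6, 4): (6, 4, 12), (7, 0): (7, 0, 12), (7, 2): (7, 2, 5)}

VERSION_RE = re.compile(r"^#config-version=\S+?-(\d+)\.(\d+)\.(\d+)-")


@dataclass
class Interface:
    name: str
    role: str = ""
    allowaccess: set = field(default_factory=set)


def parse_version(config: str) -> tuple:
    """Return the FortiOS version from the backup header as an int tuple."""
    for line in config.splitlines():
        m = VERSION_RE.match(line)
        if m:
            return tuple(int(x) for x in m.groups())
    raise ValueError("no #config-version header found")


def parse_interfaces(config: str) -> list:
    """Extract name, role and allowaccess from 'config system interface'.

    Nesting depth is tracked so a 'config ipv6 ... end' sub-block inside an
    interface entry does not terminate the scan early."""
    interfaces, current = [], None
    depth, block_depth = 0, None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            depth += 1
            if line == "config system interface":
                block_depth = depth
        elif line == "end":
            if depth == block_depth:
                break
            depth -= 1
        elif block_depth is None or depth != block_depth:
            continue  # outside the interface block or inside a sub-block
        elif line.startswith('edit "'):
            current = Interface(name=line.split('"')[1])
        elif line == "next" and current:
            interfaces.append(current)
            current = None
        elif current and line.startswith("set role "):
            current.role = line.split()[2]
        elif current and line.startswith("set allowaccess "):
            current.allowaccess = set(line.split()[2:])
    return interfaces


def is_below_fixed(version: tuple) -> bool:
    """Compare as int tuples: (7, 0, 9) < (7, 0, 12), unlike a string compare."""
    minimum = MIN_FIXED.get(version[:2])
    return minimum is None or version < minimum


def audit(config: str) -> dict:
    """Summarise the two checks: firmware below fixed, and WAN-facing admin access."""
    version = parse_version(config)
    exposed = [i.name for i in parse_interfaces(config)
               if i.role == "wan" and i.allowaccess & MGMT_PROTOCOLS]
    return {"version": version, "below_fixed": is_below_fixed(version),
            "wan_mgmt": exposed}


if __name__ == "__main__":
    print(audit(SAMPLE_CONFIG))
```

Run it over the backup directory exported from your devices and it will report each unit that needs both a firmware update and a configuration change. The version comparison is deliberately done on integer tuples: a naive string comparison ranks "7.0.9" above "7.0.12" and quietly hides exactly the devices you are looking for.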

For any organisation, from multi-national enterprises to smaller businesses, leaving essential infrastructure unmaintained is an open invitation to threat actors. Allowing five-year-old vulnerabilities to persist on your perimeter is neither defensible nor necessary.

Original story: https://www.bleepingcomputer.com/news/security/over-10-000-fortinet-firewalls-exposed-to-ongoing-2fa-bypass-attacks/