Fortinet VPN Zero-Days: Nation-States Exploit Unpatched VPN Gateways for Years

Multiple zero-day vulnerabilities in Fortinet and Pulse Secure VPN appliances — the gateways used to protect remote access to corporate networks — were exploited by Chinese and Russian nation-state actors for years before patches were deployed.

Fortinet / Pulse Secure / Defence Contractors · 2021 · 2 min read

Background

SSL VPN appliances became critical infrastructure during the COVID-19 pandemic, enabling remote work for millions. Fortinet FortiOS and Pulse Secure (later Ivanti) Connect Secure were among the most widely deployed. The vulnerabilities in these appliances were pre-authentication: an attacker on the internet could read files from the device, including stored VPN credentials, or bypass login entirely, and so gain a foothold in the corporate network without possessing any valid credentials.

The Attack

Three critical vulnerabilities dominated the period: CVE-2018-13379, a pre-authentication path traversal in the FortiOS SSL VPN web portal that lets an unauthenticated attacker read system files, including the session file holding plaintext VPN usernames and passwords; CVE-2019-11510, a pre-authentication arbitrary file read in Pulse Connect Secure with the same consequence; and CVE-2021-22893, an authentication bypass in Pulse Connect Secure that was exploited as a true zero-day before any patch existed. CISA listed all three among the most routinely exploited vulnerabilities of 2020 and 2021. The first two had patches in 2019, yet were exploited for years afterwards against appliances that were never updated; CVE-2021-22893 was exploited from at least 2020 and only patched in May 2021. China-linked APT actors used CVE-2021-22893 against US Defence Industrial Base organisations specifically, planting web shells and other backdoors on the appliances and then using harvested, legitimate VPN credentials to move through networks without tripping alarms.
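The two file-read bugs above leave a recognisable trace in the appliance's HTTP access log: a request whose path or query parameter walks up with `..` to a system file. The following detector is an added example, not code from the article or from Fortinet or Ivanti; the log format, hostnames and sample lines are constructed, and the two exploit request URIs in the sample are the publicly reported ones for CVE-2018-13379 and CVE-2019-11510. It decodes each request component (including double-encoding), looks for traversal in both the path and every query value, and rates a hit higher when the resolved path is one of the credential files these bugs were used to steal.

```python
"""Spot path-traversal exploit attempts against SSL VPN web portals in access logs.

Added example, not code from the article or from Fortinet/Ivanti. The log format,
hostnames and sample lines are constructed; the two exploit request URIs are the
publicly reported ones for CVE-2018-13379 (FortiOS) and CVE-2019-11510 (Pulse).
"""
from __future__ import annotations

import posixpath
import re
from urllib.parse import unquote, urlsplit

# Constructed log format: <timestamp> <client-ip> "<METHOD> <request-target> HTTP/x.y" <status>
LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<src>\S+) "(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)

# Files whose disclosure these two bugs are known for. The FortiOS session file
# holds plaintext VPN usernames and passwords.
SENSITIVE_TARGETS = ("/dev/cmdb/sslvpn_websession", "/etc/passwd")

# Constructed sample access log. Lines 2 and 3 carry the published exploit URIs;
# line 4 is a percent-encoded traversal attempt hidden in a query parameter.
SAMPLE_LOG = """\
2021-04-20T10:02:11 203.0.113.5 "GET /remote/login?lang=en HTTP/1.1" 200
2021-04-20T10:02:13 203.0.113.5 "GET /remote/fgt_lang?lang=/../../../..//////////dev/cmdb/sslvpn_websession HTTP/1.1" 200
2021-04-20T10:05:40 198.51.100.7 "GET /dana-na/../dana/html5acc/guacamole/../../../../../../../etc/passwd?/dana/html5acc/guacamole/ HTTP/1.1" 200
2021-04-20T10:06:02 198.51.100.7 "GET /images/logo.png?size=%2e%2e%2f%2e%2e%2fetc%2fhosts HTTP/1.1" 404
2021-04-20T10:07:30 192.0.2.9 "GET /dana-na/auth/url_default/welcome.cgi HTTP/1.1" 200
"""


def fully_decode(value: str, rounds: int = 3) -> str:
    """Percent-decode repeatedly so double-encoded sequences (%252e) are caught too."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def traversal_hits(target: str) -> list[str]:
    """Return the normalised path of every request component that uses '..' traversal.

    Both the URL path and each query value are inspected: the FortiOS bug takes the
    traversal in the ``lang`` parameter, the Pulse bug in the path itself.
    """
    parts = urlsplit(target)
    candidates = [parts.path]
    for pair in parts.query.split("&"):
        candidates.append(pair.partition("=")[2] if "=" in pair else pair)
    hits = []
    for candidate in candidates:
        decoded = fully_decode(candidate).replace("\\", "/")
        if "/../" in decoded + "/" or decoded.startswith("../"):
            hits.append(posixpath.normpath(decoded))
    return hits


def scan(log_text: str) -> list[dict]:
    """Scan access-log text and return one finding per traversal attempt."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        for resolved in traversal_hits(m["target"]):
            sensitive = any(resolved == t or resolved.startswith(t + "/") for t in SENSITIVE_TARGETS)
            findings.append({
                "ts": m["ts"],
                "src": m["src"],
                "resolved": resolved,
                # 'high' = traversal aimed at a known credential/secret file. A 200 on
                # such a request means the appliance most likely served the file.
                "severity": "high" if sensitive else "medium",
                "served": m["status"] == "200",
            })
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

On the sample log this yields two high-severity findings (the FortiOS session file and `/etc/passwd`, both answered with 200, i.e. probably disclosed) and one medium finding for the encoded `../../etc/hosts` attempt that the server rejected. Treat any high finding with a 200 as a confirmed credential leak and start the credential-reset and persistence-hunt work described later on this page rather than just patching.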

Response

CISA and the FBI issued joint advisories listing the Fortinet and Pulse Secure vulnerabilities among the top routinely exploited weaknesses. Mandiant published a detailed analysis of the CVE-2021-22893 campaign and the malware left on compromised appliances. Ivanti (which had acquired Pulse Secure) released an out-of-band patch together with an integrity checker tool so customers could inspect their appliances for tampering. CISA's Emergency Directive 21-03 ordered federal agencies to run that tool and remediate within days.

Outcome

Tens of thousands of Fortinet and Pulse Secure VPN appliances remained unpatched for months after fixes were available; the 2019 file-read bugs were still being exploited in 2020 and 2021, well over a year after their patches shipped. When the FBI notified victim organisations, many were unaware that their VPN appliances had been compromised at all. The case showed why perimeter devices (VPNs, firewalls) are such high-value targets: they are reachable from the internet by design, run vendor firmware that cannot host an EDR agent, hold or proxy credentials for the whole user base, and a single exploit against them yields an authenticated path into the internal network.

Key Takeaways

  1. Patch VPN and firewall appliances with the highest urgency; they are the front door to every corporate network, and the actors here were still exploiting a 2019 bug in 2021.
  2. Minimise what the appliance exposes: keep the admin interface off the internet on an out-of-band management network and disable portal features you do not use. The bugs above sat in the user-facing SSL VPN portal itself, which has to be reachable, so reducing exposure narrows the attack surface but does not replace patching.
  3. Patching does not undo a compromise: check the appliance for web shells and other persistence with the vendor's integrity tooling, and reset every credential the device held or could have leaked. The FortiOS and Pulse Secure file-read bugs exposed stored VPN session credentials, so those passwords must be treated as stolen.
  4. Treat VPN authentication and session logs as critical security telemetry and forward them off the appliance, since an attacker with a foothold on the device can tamper with local logs. The abuse of legitimate credentials in these campaigns is visible only in who logged in, from where, and when.
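The fourth takeaway is only useful if someone actually analyses the forwarded logs. The following script is an added example, not code from the article or from any Fortinet or Ivanti product; its log format and every event in it are constructed. It builds a per-account baseline of source networks from a learning period and then raises two signals that would have exposed the credential reuse described above: a login from a /24 the account has never used, and two successful logins for the same account from different source addresses within a short window.

```python
"""Flag suspicious use of valid VPN credentials from appliance authentication logs.

Added example, not from the article or from any Fortinet/Ivanti product. The log
format and all events are constructed. Two signals are raised:
  new-network        an account authenticates from a source /24 absent from its baseline
  concurrent-source  the same account has successful logins from two different
                     source IPs within a short window (shared or stolen credentials)
"""
from __future__ import annotations

import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed format: <iso-timestamp> <username> <source-ip> <success|failure>
# The first three lines form the baseline period; the rest are the day under review.
SAMPLE_AUTH_LOG = """\
2021-04-01T07:58:00 alice 198.51.100.23 success
2021-04-02T08:03:00 alice 198.51.100.24 success
2021-04-05T09:10:00 bob 192.0.2.40 success
2021-04-20T08:00:00 alice 198.51.100.23 success
2021-04-20T08:10:00 alice 203.0.113.77 success
2021-04-20T09:00:00 bob 192.0.2.41 success
2021-04-20T09:05:00 bob 203.0.113.77 failure
"""


def parse(log_text: str) -> list[tuple[datetime, str, str, str]]:
    """Parse the constructed log into (timestamp, user, ip, result) tuples, oldest first."""
    events = []
    for line in log_text.splitlines():
        ts, user, ip, result = line.split()
        events.append((datetime.fromisoformat(ts), user, ip, result))
    return sorted(events)


def prefix24(ip: str) -> str:
    """Collapse a source address to its /24 so DHCP churn at one site does not alert."""
    return str(ipaddress.ip_network(f"{ip}/24", strict=False))


def analyse(events, baseline_end: datetime, window: timedelta = timedelta(minutes=30)) -> list[dict]:
    """Learn per-user source networks before baseline_end, then flag anomalies after it."""
    baseline = defaultdict(set)   # user -> /24s seen during the baseline period
    recent = defaultdict(list)    # user -> [(ts, ip)] successful logins after the baseline
    flagged_nets = set()          # (user, /24) pairs already reported, to avoid repeats
    findings = []
    for ts, user, ip, result in events:
        if result != "success":
            continue              # failed attempts are a separate (brute-force) question
        net = prefix24(ip)
        if ts < baseline_end:
            baseline[user].add(net)
            continue
        if net not in baseline[user] and (user, net) not in flagged_nets:
            flagged_nets.add((user, net))
            findings.append({"type": "new-network", "user": user, "ip": ip, "ts": ts})
        for prev_ts, prev_ip in recent[user]:
            if prev_ip != ip and ts - prev_ts <= window:
                findings.append({"type": "concurrent-source", "user": user,
                                 "ips": (prev_ip, ip), "ts": ts})
        recent[user].append((ts, ip))
    return findings


def run_sample() -> list[dict]:
    """Run the analysis over the constructed log with a baseline cut-off of 19 April."""
    return analyse(parse(SAMPLE_AUTH_LOG), baseline_end=datetime(2021, 4, 19))


if __name__ == "__main__":
    for finding in run_sample():
        print(finding)
```

On the sample, alice's 08:10 login from 203.0.113.77 produces both findings (a network she has never used, ten minutes after a login from her usual address), while bob's login from a new address inside his usual /24 and the failed attempt against his account produce none. In production the baseline would be rebuilt on a rolling window and the /24 heuristic swapped for ASN or country lookups, but the point stands: this detection needs nothing beyond the appliance's own authentication log, which is why that log must leave the box intact.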