Fortinet's Security Crisis: Why Does Nobody Care That Your VPN Is a Nation-State Playground?

Here's a question that should keep every director awake at night: what happens when the device meant to protect your network becomes the primary way attackers get in?

Not hypothetically. Actually.

Because that's precisely what's happened with Fortinet, the company that sells firewalls and VPNs to 79% of the Forbes Global 2000. Between February 2023 and now, Fortinet has racked up a security record so catastrophic that cyber insurers charge double the premiums for businesses using their kit. Chinese intelligence services have stolen configuration files from 20,000 organizations worldwide. The same core vulnerability has been exploited three separate times in two years.

And yet Fortinet just posted record profits, 50% revenue growth, and continues to dominate the enterprise firewall market.

I'm Mauven MacLeod, and I spent years working UK government cyber programmes before joining Noel at The Small Business Cyber Security Guy. This Fortinet situation represents everything wrong with how we approach cybersecurity governance. It's not a technical problem. It's a market failure, a regulatory gap, and a catastrophic misalignment of incentives that puts your business at risk while nobody with the power to fix it seems to give a damn.

Let me explain why this matters, how it happened, and what it means for UK directors who think their "enterprise-grade security" is actually protecting them.

The Same Vulnerability Exploited Three Times in Two Years

Imagine you own a building with a specific type of lock on every door. One day, burglars work out how to pick that lock. You call a locksmith, who replaces all the locks with supposedly better ones. Six months later, burglars pick the new locks using almost the exact same technique. You replace them again. A year after that, it happens a third time.

At what point do you question whether your locksmith knows what they're doing?

That's precisely what happened with Fortinet's SSL VPN, the technology thousands of organizations use to let employees access company networks remotely. In December 2022, attackers exploited a vulnerability called CVE-2022-42475. Fortinet patched it. In June 2023, attackers exploited CVE-2023-27997 (nicknamed "XORtigate"). Fortinet patched it. In February 2024, attackers exploited CVE-2024-21762.

All three vulnerabilities were fundamentally the same type of attack, affecting the same piece of software, allowing attackers to take complete control without even logging in. Security researchers at LEXFO, who discovered the second vulnerability, said they "remain doubtful Fortinet ever ran a proper security assessment on the appliance, considering the number and quality of vulnerabilities found from 2019 to today."

This isn't bad luck. This is technical debt.

Let me explain what that means in plain English, because it's the core of why this keeps happening.

When software companies are racing to get products to market, they make shortcuts. They write code quickly, maybe borrow chunks from older projects, perhaps don't test every edge case because deadlines are looming. That's normal. Every software company does it.

The problem comes later. When security researchers find a vulnerability, companies have two choices:

Option 1 (Quick Fix): Find the specific line of code causing the problem and patch just that bit. Ship the update. Move on. This takes days or weeks.

Option 2 (Proper Fix): Step back and ask "why does this code have this type of vulnerability at all?" Then redesign that entire component using secure coding practices. This takes months.

Guess which option companies choose when they're under pressure from customers, regulators, and attackers?

Technical debt is what happens when you keep choosing Option 1. You patch the symptom, not the disease. The vulnerable code is still there, just with duct tape over the specific hole researchers found. Six months later, someone finds a different way to exploit the same dodgy code. You patch that hole. Repeat.

It's like having a leaky pipe in your house. You can keep wrapping tape around each new leak as it appears, or you can replace the pipe. Fortinet keeps reaching for the tape.

And we know this because the LEXFO researchers quoted above said it bluntly: "We remain doubtful Fortinet ever ran a proper security assessment on the appliance, considering the number and quality of vulnerabilities found from 2019 to today."

That's professional security researchers saying "they're not fixing the underlying problem."

And here's the kicker: all three vulnerabilities made it onto CISA's Known Exploited Vulnerabilities list, meaning US government agencies were ordered to disconnect any affected devices immediately. The UK's National Cyber Security Centre issued similar urgent warnings. Yet tens of thousands of organizations worldwide are still running unpatched Fortinet devices right now.

The Silent Patching Scandal

In cybersecurity, there's an established responsible disclosure process. When someone discovers a vulnerability, they tell the vendor privately. The vendor creates a patch. Then, on an agreed date, the vendor publicly announces the vulnerability and releases the patch simultaneously, giving defenders a fighting chance to protect themselves before attackers can exploit it.

Fortinet has developed a different approach: silent patching.

They release security updates without telling anyone what they fix. Organizations applying routine updates have no idea they're closing critical security holes. Administrators schedule these "routine" updates for the next convenient maintenance window, perhaps three weeks away. Meanwhile, attackers reverse-engineer the patch, work out what vulnerability it fixes, and exploit it against everyone who hasn't updated yet.

The most egregious example: in October 2025, researchers discovered attackers exploiting a critical FortiWeb vulnerability. Fortinet had silently patched it on October 28. They didn't release a public advisory until November 14, seventeen days later. During those seventeen days, attackers had a roadmap to compromise anyone running older versions while defenders thought everything was fine.

VulnCheck's Caitlin Condon called this "an established bad practice that enables attackers and harms defenders." Rapid7 noted it "gives attackers a head start on attack development while keeping vulnerable organisations in the dark."

Fortinet's defence is that they "diligently balance commitment to the security of customers and culture of responsible transparency." Let me translate: they're more worried about their reputation than your security. Because if they announced vulnerabilities publicly, security teams would understand patches were urgent. Silent updates look like routine maintenance. Guess which one gets applied faster?

Chinese Intelligence Treats Fortinet as Critical Infrastructure

When nation-state intelligence services pick their tools, they choose reliability over innovation. That's why China's cyber espionage units have standardized on Fortinet as a preferred entry point.

The Dutch Military Intelligence Service revealed that Chinese hackers compromised 20,000 FortiGate systems worldwide, stealing configuration files that contain everything needed to access corporate networks: passwords, VPN credentials, firewall rules, network diagrams, digital certificates. They did this using a vulnerability Fortinet disclosed in December 2022, but the Chinese had been exploiting it for at least two months before Fortinet even admitted it existed.

Here's what makes this terrifying: the attackers installed backdoors that survive firmware updates. You can install Fortinet's security patch, wipe the device, rebuild it from scratch, and the Chinese backdoor persists. The Dutch MIVD warned that "even if a victim installs security updates from FortiGate, the state actor continues to keep this access."

Google's Mandiant documented another Chinese group (UNC5820) exploiting FortiManager to steal credentials from over 50 organizations, starting in June 2024. Fortinet didn't publish a public advisory until October, four months later. Security researcher Kevin Beaumont was blunt: "I'm not confident that Fortinet's narrative that they're protecting customers by not publicly disclosing a vulnerability is protecting customers. This vulnerability has been under widespread exploitation for a while."

This isn't opportunistic hacking. This is systematic intelligence infrastructure. China's Volt Typhoon campaign, which CISA confirmed involves pre-positioning inside US and UK critical infrastructure for potential destructive attacks, uses Fortinet vulnerabilities as a primary entry method. These aren't random criminals. These are professional intelligence officers with operational timelines measured in years.

Cyber Insurers Know, But They're Not Saying It Loudly

Here's where it gets interesting from a governance perspective.

Coalition, one of the major cyber insurance companies, published data in their 2024 Cyber Claims Report showing that businesses with internet-exposed Fortinet devices were twice as likely to experience an insurance claim. Think about that. The insurance industry, which exists to quantify risk mathematically, has determined that Fortinet users are twice as risky as the baseline.

Another insurer documented that organizations using on-premises VPNs (like Fortinet's) faced up to 6.8 times the risk of cyberattack compared to cloud-based alternatives. At-Bay reported that remote access tools were the initial entry vector for 80% of ransomware claims, with self-managed VPNs accounting for 63% of those.

The insurance industry has the data. They know Fortinet devices correlate with higher claim rates. They know organizations aren't patching fast enough. They know nation-states are systematically exploiting these products.

So why aren't they screaming about it?

Because the cyber insurance market is competitive, premiums are falling, and large Fortinet customers are also large insurance buyers. Publicly criticizing vendors creates litigation risk. Attribution is complex. And frankly, it's easier to address risk through underwriting mechanics (requiring MFA, external scanning, patching SLAs) than through public advocacy that might piss off major accounts.

But make no mistake: the insurance industry is pricing in Fortinet risk. You're paying for it through higher premiums. They're just not telling you why.

Why Companies Keep Buying Fortinet Despite Everything

If Fortinet's security record is this bad, why are they posting 50% revenue growth?

Three reasons: economics, vendor lock-in, and the uncomfortable truth that everyone else has similar problems.

Fortinet is cheap. Entry-level hardware costs £550 versus £800-2,800 for Palo Alto competitors. Total cost of ownership runs about £1.60 per protected Mbps versus £5.60 for alternatives. When procurement departments compare quotes, Fortinet wins on price-performance every time.

Vendor lock-in is brutal. Once you've deployed Fortinet's Security Fabric across FortiGate firewalls, FortiManager for centralized management, FortiAnalyzer for logging, FortiSwitch for network infrastructure, FortiClient for endpoints, you're not just buying products; you're buying an ecosystem. Staff get certified (Fortinet's NSE programme). Policies get written for FortiOS. Integrations get built.

Ripping all that out and replacing it with Palo Alto or Cisco costs £4,000-40,000 in professional services alone, plus 6-12 months of migration risk where something might break. For a business running critical operations on that network, the switching cost can exceed the perceived risk of staying put.

And here's the really uncomfortable bit: Palo Alto has its own zero-day exploits. So does Cisco. So does SonicWall. The 2025 Verizon Data Breach Investigations Report found that edge device exploitation jumped from 3% to 22% of breaches in a single year. This is an industry-wide problem, not a Fortinet-specific one.

So organizations make a rational (if depressing) calculation: if all the alternatives have vulnerabilities, and Fortinet is cheaper, and we've already invested in the ecosystem, why spend the money and operational risk to migrate?

What This Means for Owners and Directors

Let me be direct about your legal exposure.

Under UK law, if your organization suffers a data breach because you didn't patch a known vulnerability that's been on government warning lists for months, you're not having a bad day. You're having a career-ending regulatory investigation.

The ICO can fine you up to £17.5 million or 4% of global turnover under GDPR. That's not theoretical. They've issued those fines before, and they specifically look at whether organisations took reasonable steps to prevent breaches. "We didn't know we needed to patch" isn't a defence when the NCSC published urgent advisories.

The Computer Misuse Act 1990 creates criminal liability for facilitating unauthorised access. The Network and Information Systems Regulations 2018 impose specific security requirements on critical infrastructure operators. The Corporate Manslaughter and Corporate Homicide Act 2007 can apply where gross negligence leads to harm.

Directors are personally liable. Not the company. You.

And here's what nobody tells you: cyber insurance doesn't cover everything. Lloyd's of London mandated state-backed attack exclusions from March 2023. If Chinese intelligence services breach your network using a Fortinet vulnerability (which they demonstrably do), and Lloyd's determines it's a nation-state attack (which it demonstrably is), your policy might not pay out.

So you're left with the ICO fine, the remediation costs, the lost business, and potentially personal liability, all because you trusted that "enterprise-grade" meant "actually secure."

The Systemic Dysfunction Nobody's Fixing

This isn't just about Fortinet. It's about a broken system that creates perverse incentives.

Vendors can release buggy code because switching costs protect their market position. Silent patching happens because transparency hurts stock prices more than it helps customers. Insurance companies have the data to drive change but can't act on it without commercial risk. Procurement departments optimize for cost, not security. Directors don't understand the technical details well enough to ask the right questions. Regulators haven't mandated security standards for network equipment vendors.

And so the cycle continues. Nation-states exploit vulnerabilities that should never have existed. Organizations run unpatched systems because patching is operationally risky. Vendors prioritize growth over security debt. Insurance premiums tick upward. Everyone accepts the risk because changing it requires coordination across industry, government, and markets that nobody seems capable of organizing.

The NCSC published Zero Trust guidance specifically because they know perimeter security is broken. The principle is literally "don't trust any network", including your own VPN. SASE (Secure Access Service Edge) architectures are growing at 17% CAGR as organizations migrate away from on-premises VPNs entirely. But adoption is slow because migration is expensive and complex.

What Actually Needs to Happen

From my perspective, having worked government cyber programmes, here's what needs to change:

Regulators need to treat network equipment like medical devices. You can't just sell a pacemaker without security certification. Why can you sell enterprise firewalls that protect critical infrastructure without meaningful security standards?

Insurance companies need to publish vendor risk ratings. You want market mechanisms to work? Give buyers information. If every renewal notice said "Your Fortinet devices increase your premium by 40%," procurement decisions would change overnight.

The ICO needs to start prosecuting gross negligence. Make an example of a director who ignored months of NCSC warnings and got breached. Not to be cruel, but because personal liability is the only thing that reliably changes board-level behaviour.

Procurement frameworks need security metrics. Total cost of ownership should include "cost of increased cyber insurance premiums" and "regulatory fine exposure from vendor vulnerability history."

Until those things happen, we're stuck in a system where doing the wrong thing is economically rational, and doing the right thing costs more than organizations are willing to pay.

And that's why, despite everything I've just told you, Fortinet will continue to dominate the market, Chinese intelligence will continue to steal your configurations, and directors will continue to trust that "enterprise-grade" means "fit for purpose."

It doesn't.

Never has.

Now Here's The Bit That Actually Helps You

Look, I've spent 2,500 words explaining why the system is broken. But you still have to operate within it. So here's how you turn this mess into competitive advantage.

If you're a managed service provider or IT consultancy bidding against competitors who've built their business on Fortinet stacks, you've got ammunition now. Coalition's insurance data showing 2x claim rates isn't marketing fluff. It's actuarial mathematics. When you're in a pitch meeting and someone asks why your solution costs more, you don't talk about features. You talk about risk transfer. "Our competitors' infrastructure carries demonstrably higher insurance premiums because insurers have quantified the breach probability. We can provide references from our insurer confirming our lower-risk classification."

That's not a technology argument. That's a CFO argument.

If you've migrated to Zero Trust architecture and SASE, stop selling it as an IT upgrade. Frame it as regulatory compliance and risk reduction. "We've eliminated the vulnerability class that the NCSC identified as causing 22% of breaches industry-wide. Our perimeter devices aren't accessible from the internet, which means we're not exposed to the attack vector that compromised 20,000 organizations last year." That language works in board papers and insurance renewals.

And if you're procuring security services or managed IT providers, ask one simple question during the selection process: "What network equipment do you use for your own infrastructure, and what's your patching SLA for vulnerabilities on the NCSC's urgent warnings list?" Watch how many can't answer coherently. The ones who can are probably worth the premium they're charging.

Getting Budget By Making Directors Uncomfortable (The Right Way)

Right, so you're convinced this matters. Your board isn't. Here's how you change that.

Directors don't care about CVE numbers or heap overflows. They care about personal liability and career risk. So you frame this as a governance issue, not a technology issue.

Start with the bit that makes them sit up: "The NCSC has issued multiple urgent warnings about vulnerabilities in our current VPN infrastructure being actively exploited by Chinese intelligence services. Our cyber insurance provider has classified these devices as elevated risk. If we suffer a breach from an unpatched vulnerability that's been on government warning lists, the ICO investigates the board personally for negligence under GDPR. Not the company. Us."

Let that hang in the air for a moment.

Then you present the numbers: "Our current patching SLA is 45 days from vendor advisory to production deployment. The NCSC guidance for urgent warnings is 14 days. We're not meeting that. Our insurance renewal is coming up, and carriers are specifically asking about edge device patching practices. This is becoming an underwriting issue, not just a technical one."

Now you've got their attention because you've translated "technical debt" into "personal legal exposure" and "insurance premiums we actually pay."

Then you give them options with total cost of ownership including insurance impacts: "Option 1 is improving our patching process and accepting ongoing risk. Option 2 is infrastructure migration that eliminates this vulnerability class entirely. Option 2 costs more upfront but Coalition's data suggests it reduces breach probability significantly, which affects our risk profile for the next 3-5 years of insurance renewals."
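As an added example (not code from this post, from Fortinet, or from any insurer), here is a small Python report that turns the two metrics above into something you can put in a board paper: advisory-to-deployment time per device measured against the 14-day urgent-warning target, and the silent-patch window from the FortiWeb timeline described earlier. The device names and inventory dates are constructed; the CVE identifiers are the three discussed in this post.

```python
"""Patching-SLA report for internet-facing edge devices (added example)."""
from dataclasses import dataclass
from datetime import date
from typing import Optional

URGENT_SLA_DAYS = 14  # target the post cites for NCSC urgent warnings

# FortiWeb timeline from the post: fix shipped 28 Oct 2025, advisory 14 Nov 2025.
FORTIWEB_FIX = date(2025, 10, 28)
FORTIWEB_ADVISORY = date(2025, 11, 14)


@dataclass
class PatchRecord:
    device: str
    cve: str
    advisory_date: date            # vendor's public advisory
    patched_date: Optional[date]   # None means still unpatched in production


def days_to_patch(rec: PatchRecord, as_of: date) -> int:
    """Advisory-to-deployment time; an open record counts exposure up to as_of."""
    end = rec.patched_date or as_of
    return (end - rec.advisory_date).days


def sla_breached(rec: PatchRecord, as_of: date) -> bool:
    return days_to_patch(rec, as_of) > URGENT_SLA_DAYS


def silent_window_days(fix_released: date, advisory_published: date) -> int:
    """Days between a fix shipping and defenders being told it was urgent."""
    return (advisory_published - fix_released).days


def fleet_report(records: list, as_of: date) -> dict:
    """Summarise SLA compliance across the fleet for a board paper."""
    durations = [days_to_patch(r, as_of) for r in records]
    breached = [r for r in records if sla_breached(r, as_of)]
    return {
        "total": len(records),
        "breached": len(breached),
        "still_unpatched": sum(1 for r in records if r.patched_date is None),
        "worst_days": max(durations) if durations else 0,
        "mean_days": sum(durations) / len(durations) if durations else 0.0,
        "breached_devices": sorted({r.device for r in breached}),
    }


# Constructed inventory: hostnames and dates are made up for illustration;
# the CVE ids are the three SSL VPN flaws the post discusses.
AS_OF = date(2024, 3, 24)
INVENTORY = [
    PatchRecord("fw-hq-01", "CVE-2022-42475", date(2022, 12, 12), date(2023, 1, 20)),
    PatchRecord("fw-hq-01", "CVE-2023-27997", date(2023, 6, 12), date(2023, 6, 20)),
    PatchRecord("fw-branch-02", "CVE-2024-21762", date(2024, 2, 8), None),
    PatchRecord("fw-branch-03", "CVE-2024-21762", date(2024, 2, 8), date(2024, 2, 21)),
]

if __name__ == "__main__":
    report = fleet_report(INVENTORY, AS_OF)
    print(f"{report['breached']}/{report['total']} records over {URGENT_SLA_DAYS} days; "
          f"worst {report['worst_days']} days, mean {report['mean_days']:.1f} days")
    print("unpatched in production:", report["still_unpatched"], report["breached_devices"])
    print("FortiWeb silent-patch window:",
          silent_window_days(FORTIWEB_FIX, FORTIWEB_ADVISORY), "days")
```

Feed it your real advisory and change-ticket dates and the "worst_days" figure is the number that belongs in the board paper next to the 14-day target.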

That's how you get budget. Not by explaining the technology. By explaining the liability.

Make it about their personal risk, not the company's abstract security posture. That's what actually moves boards. That's how governance actually works.

And that's why this Fortinet situation is so bloody frustrating to watch from the outside.

Because the data exists. The incentives are clear. The solutions are available. The governance mechanisms work when you use them properly.

We're just choosing not to implement them.

Mauven MacLeod is co-host of The Small Business Cyber Security Guy podcast. Prior to joining the podcast, Mauven worked on UK government cyber security programmes and regulatory compliance frameworks. Opinions expressed are his own and do not represent those of any former employers.
