
Security Alert: FortiGate Backdoor Requires Immediate Patching

Fortinet announced on April 10, 2025, that a threat actor used known, previously patched vulnerabilities to gain read-only access to vulnerable FortiGate devices via a backdoor in the form of a symbolic link. This means that even if a business updated its device to a FortiOS version that addressed the original vulnerabilities, the symbolic link may have been left behind, allowing the threat actor to maintain access.

Although the vulnerabilities (CVE-2022-42475, CVE-2023-27997, and CVE-2024-21762) used by the threat actor were previously patched, applying those patches does not remove the backdoor. Fortinet released updated firmware that removes the backdoor if it exists on a business's device. We urge businesses to upgrade to the appropriate patch for their version as soon as possible.

What’s the concern?

FortiGate devices are next-generation firewalls (NGFWs), a network technology that combines a conventional firewall with other network device filtering functions, such as an application firewall using in-line deep packet inspection (DPI) and an intrusion prevention system (IPS).

Fortinet published a blog post explaining that a threat actor installed a read-only backdoor on some FortiGate devices. While the backdoor is read-only, it can likely be used to find credentials that can be used to log into the device with administrative privileges. 

Although the Fortinet vulnerabilities used by the threat actor were previously patched, applying those patches does not remove the backdoor.

Since the backdoor was installed while the system was in a previously vulnerable state, and the earlier patches did not remove the functionality the backdoor relies on, devices running firmware older than the versions listed in the Fortinet advisory are still affected.

Who's at risk?

Coalition has seen a rise in attacks on boundary devices, such as virtual private networks (VPNs) and firewalls. Over the past year, there has been a significant emergence of new critical vulnerabilities impacting firewall devices, such as Fortinet, but we’ve also observed vulnerabilities in Ivanti VPNs and SonicWall firewall devices. 

In Coalition's Risky Tech Ranking, a quarterly list of technology providers whose products were vulnerable to exploitation by threat actors, Fortinet was ranked in the top 20 riskiest technology providers at #16. The list was designed to help businesses make better-informed decisions about the technologies they adopt by understanding cyber risk. 

We evaluated over 7,000 vendors for the ranking and cross-referenced them with 42,000 vulnerabilities found on the National Institute of Standards and Technology (NIST)’s National Vulnerability Database (NVD). Our research found 208 vulnerabilities within Fortinet’s products, making them one of the most vulnerable vendors when weighted by their exploitability.

For this specific FortiGate backdoor, the majority of the Coalition policyholders impacted were small and midsize businesses by revenue (nearly 90%), and most of the businesses had fewer than 250 employees (79%). The most impacted industries were professional services (15%) and healthcare providers and services (10%).

How do businesses address this?

The newly released patches are the first to detect and remove this backdoor if it exists. We urge businesses to upgrade to the appropriate patch for their version of FortiOS.

Businesses should update to one of the following patch versions as soon as possible:

  • 6.4.16

  • 7.0.17

  • 7.2.11

  • 7.4.7

  • 7.6.2

Businesses should treat all configurations as potentially compromised and follow the recommended recovery steps. Fortinet encourages customers to leverage its FortiOS best practice resources.
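To turn the version list above into something an IT team can run against its firewall inventory, here is an added example (not Coalition's or Fortinet's own code) that compares each device's FortiOS version against the fixed version for its release branch; the hostnames and version strings in the sample inventory are constructed for illustration.

```python
# Added example: triage an inventory of FortiOS version strings against the
# fixed versions listed in the alert. Not Coalition's or Fortinet's own code.

# Minimum FortiOS version per release branch that removes the backdoor (from the alert).
FIXED_VERSIONS = {
    (6, 4): (6, 4, 16),
    (7, 0): (7, 0, 17),
    (7, 2): (7, 2, 11),
    (7, 4): (7, 4, 7),
    (7, 6): (7, 6, 2),
}


def parse_version(text: str) -> tuple[int, int, int]:
    """Parse strings such as '7.4.6' or 'v7.4.6' into a (major, minor, patch) tuple."""
    parts = text.strip().lstrip("vV").split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised FortiOS version: {text!r}")
    major, minor, patch = (int(p) for p in parts)
    return major, minor, patch


def assess(version_text: str) -> str:
    """Return 'fixed', 'upgrade' or 'unlisted-branch' for one device."""
    version = parse_version(version_text)
    fixed = FIXED_VERSIONS.get(version[:2])
    if fixed is None:
        # Branch not in the alert's fix list (for example an end-of-life train):
        # no listed fixed version exists, so flag it for manual review.
        return "unlisted-branch"
    return "fixed" if version >= fixed else "upgrade"


def triage(inventory: dict[str, str]) -> dict[str, list[str]]:
    """Group hostnames by assessment so the 'upgrade' bucket can be worked first.

    Note: per the alert, even 'fixed' devices should still be treated as
    potentially compromised and taken through the recovery steps.
    """
    buckets: dict[str, list[str]] = {"upgrade": [], "fixed": [], "unlisted-branch": []}
    for host, ver in inventory.items():
        buckets[assess(ver)].append(host)
    return buckets


# Constructed sample inventory (hostnames and versions are made up for this example).
SAMPLE_INVENTORY = {
    "fw-hq-01": "7.4.6",
    "fw-hq-02": "v7.4.7",
    "fw-branch-01": "7.0.17",
    "fw-branch-02": "6.4.15",
    "fw-lab-01": "6.2.16",
}

if __name__ == "__main__":
    for bucket, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{bucket}: {', '.join(hosts) or '-'}")
```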

How is Coalition responding?

Coalition is committed to quickly and efficiently notifying our customers of any vulnerabilities within their networks. On April 11, we proactively notified impacted policyholders about this vulnerability through Coalition Control®, our unified cyber risk management platform.

For any questions about this vulnerability or assistance with mitigation, please contact Coalition’s Security Support Center (securitysupport@coalitioninc.com).


This blog post is designed to provide general information on the topic presented and is not intended to constitute the rendering of legal or other professional services of any kind. If legal or other professional advice is required, the services of a professional should be sought. The views and opinions expressed as part of this blog post do not necessarily state or reflect those of Coalition. Neither Coalition nor any of its employees makes any warranty of any kind, express or implied, or assumes any legal liability or responsibility for the accuracy, completeness, or usefulness of any information, product, or process disclosed. The blog post may include links to other third-party websites. These links are provided as a convenience only. Coalition does not endorse, have control over, or assume responsibility or liability for the content, privacy policy, or practices of any such third-party websites.