If you manage any kind of network infrastructure, the past few weeks have been rough. Multiple actively exploited vulnerabilities in Fortinet FortiGate firewalls and Ivanti Connect Secure VPN appliances have sent security teams scrambling, and CISA has added several of them to its Known Exploited Vulnerabilities catalog. This isn’t theoretical risk: these flaws are being used in the wild right now by sophisticated threat actors.
Having dealt with my share of emergency patching cycles over three decades, this wave feels particularly concerning. Not because the individual vulnerabilities are unprecedented, but because of what they collectively reveal about the state of perimeter security.
What’s Being Exploited
The Fortinet situation involves a series of vulnerabilities that let attackers gain, and then keep, access to FortiGate devices. The most critical is an authentication bypass that gives a remote, unauthenticated attacker super-admin privileges through crafted requests to the Node.js websocket module. What makes this particularly nasty is the post-exploitation pattern: attackers create local admin accounts and modify the firewall configuration to establish persistence, so patching closes the entry point but does not remove what they left behind. A patched device that still carries an attacker-created account is still compromised.
Fortinet published advisories and patches, but evidence suggests that threat actors had been exploiting some of these vulnerabilities before patches were available. Several security researchers have documented cases where attackers maintained access for weeks before detection.
On the Ivanti side, Connect Secure (formerly Pulse Secure) VPN appliances continue to be targeted. Newly disclosed vulnerabilities allow unauthenticated remote code execution. Given Ivanti’s track record over the past year, with this being at least the third major exploit wave against its VPN products, many organizations are seriously reconsidering their reliance on these devices.
The Perimeter Security Paradox
Here’s the fundamental problem: the devices we rely on to secure our network perimeters are themselves some of the most vulnerable components in our infrastructure. Firewalls, VPN concentrators, and edge gateways run complex software stacks with web interfaces, management APIs, and custom protocols. They’re accessible from the internet by design. And when they’re compromised, attackers get access to everything behind them.
This isn’t a new observation, but the frequency and severity of these incidents should force a reckoning. The traditional network security model — put a hardened perimeter device at the edge and trust everything behind it — has been failing for years. Zero-trust architecture isn’t just a buzzword; it’s becoming a survival requirement.
The irony is thick: we keep buying expensive security appliances to protect our networks, and those appliances keep becoming the primary attack vector. At some point, the industry needs to ask whether the perimeter appliance model itself is the problem.
What to Do Right Now
If you’re running affected Fortinet or Ivanti devices, here’s what I’d recommend based on the guidance from CISA and the security research community:
Immediate actions:
- Apply available patches. This should go without saying, but the number of unpatched devices visible on Shodan suggests it needs repeating.
- Review device configurations for unauthorized admin accounts, modified firewall rules, or unexpected VPN tunnels. Diff the running configuration against a backup taken before the exposure window rather than reading it by eye; an attacker-added object is easy to miss among hundreds of legitimate ones.
- Check logs for indicators of compromise (IoCs). Both Fortinet and multiple security vendors have published detailed IoC lists. Keep in mind that an attacker with admin access can clear or disable on-box logging, so a clean local log is weak evidence; check the syslog or SIEM copy as well.
- If you find evidence of compromise, assume the device is fully owned. Reset to factory defaults, reinstall current firmware from a verified image, rebuild the configuration from a backup that predates the earliest sign of compromise, and rotate every credential and certificate the device held (admin passwords, VPN pre-shared keys, TLS private keys, LDAP/RADIUS bind credentials).
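The configuration review above is far easier to trust as a diff against a known-good backup than as a manual read. The script below is an added example written for this post, not Fortinet’s tooling or anything the vendor ships: it parses the FortiOS CLI backup format (config / edit / set / next / end), compares the current backup with a golden copy, and reports entries that appeared, attributes that changed, and admin accounts with no trusthost restriction. The two embedded configs, the account and tunnel names and the addresses are constructed for illustration.

```python
# Added example: audit a FortiGate config backup against a known-good copy.
# Not Fortinet's tooling. Text follows the FortiOS CLI backup format
# (config / edit / set / next / end); configs, names and addresses are constructed.

def parse_fortios_config(text):
    """Return {section: {entry: {attribute: value}}} for top-level 'config' blocks.
    Nested config blocks inside an entry are tracked by depth and skipped so their
    'end' does not close the outer section; 'set' outside any 'edit' goes under ''."""
    sections, section, entry, depth = {}, None, None, 0
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("config "):
            depth += 1
            if depth == 1:
                section = line[len("config "):]
                sections.setdefault(section, {})
            continue
        if line == "end":
            depth -= 1
            if depth == 0:
                section, entry = None, None
            continue
        if depth != 1:
            continue  # inside a nested block: not recorded
        if line.startswith("edit "):
            entry = line[len("edit "):].strip('"')
            sections[section][entry] = {}
        elif line == "next":
            entry = None
        elif line.startswith("set "):
            key, _, value = line[len("set "):].partition(" ")
            sections[section].setdefault(entry or "", {})[key] = value.strip('"')
    return sections

def audit(golden, current):
    """Entries present in current but not in golden, attributes that changed, and
    admin accounts with no trusthost restriction. Removed entries are not reported."""
    findings = []
    for section, entries in current.items():
        for name, attrs in entries.items():
            base = golden.get(section, {}).get(name)
            if base is None:
                findings.append(f"[{section}] entry '{name}' not in known-good config")
                continue
            for key, value in attrs.items():
                if base.get(key) != value:
                    findings.append(f"[{section}] '{name}': {key} {base.get(key)!r} -> {value!r}")
    for name, attrs in current.get("system admin", {}).items():
        if name and not any(k.startswith("trusthost") for k in attrs):
            findings.append(f"[system admin] '{name}' has no trusthost restriction")
    return findings

# Constructed known-good backup taken before the exposure window.
GOLDEN_CONFIG = """
config system admin
    edit "admin"
        set accprofile "super_admin"
        set trusthost1 10.10.0.0 255.255.255.0
    next
end
config vpn ipsec phase1-interface
    edit "to-branch"
        set remote-gw 203.0.113.10
    next
end
"""

# Constructed current backup: an added super_admin account with no trusthost
# and an added IPsec tunnel, the kind of persistence described in the post.
CURRENT_CONFIG = """
config system admin
    edit "admin"
        set accprofile "super_admin"
        set trusthost1 10.10.0.0 255.255.255.0
        config gui-dashboard
            edit 1
                set name "Status"
            next
        end
    next
    edit "support"
        set accprofile "super_admin"
    next
end
config vpn ipsec phase1-interface
    edit "to-branch"
        set remote-gw 203.0.113.10
    next
    edit "tunnel-1"
        set remote-gw 198.51.100.77
    next
end
"""

def run_audit():
    return audit(parse_fortios_config(GOLDEN_CONFIG), parse_fortios_config(CURRENT_CONFIG))
```

Calling `run_audit()` on the embedded samples returns three findings: the `support` account, the `tunnel-1` phase1 interface, and the missing trusthost on `support`. On a real device, feed it the text of `show full-configuration` or a backup file for both copies, and treat the golden copy with the same care as any other evidence: it has to predate the exposure window, or you are diffing against the attacker’s config.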
Longer-term considerations:
- Implement network segmentation that doesn’t rely solely on perimeter devices. Even if your firewall is compromised, lateral movement should be limited.
- Deploy monitoring that can detect anomalous behavior from infrastructure devices — unusual DNS queries, unexpected outbound connections, configuration changes outside maintenance windows.
- Evaluate whether your VPN architecture could be replaced or supplemented with identity-aware proxy solutions (like BeyondCorp-style access) that reduce the attack surface.
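Two of the checks in the lists above, admin logins from outside the management network (an IoC-style check from the immediate actions) and configuration changes outside a maintenance window (from the monitoring item), reduce to simple rules over the device’s event log. The Python below is an added example, not Fortinet’s or any vendor’s IoC tooling: it parses the key=value event-log format FortiOS emits and applies those two rules, flagging any change under `system.admin` regardless of the time. The management range, the maintenance window and the four log lines are constructed for illustration; the published vendor IoC lists remain the source for exploitation-specific indicators.

```python
# Added example: flag suspicious admin activity in FortiGate event logs.
# Not vendor IoC tooling. Field names follow the FortiOS event-log format;
# the policy constants and the sample lines are constructed.
import ipaddress
import re
from datetime import datetime, time

KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Assumed site policy: management subnet and a Saturday 02:00-04:00 window.
MGMT_NETS = [ipaddress.ip_network("10.10.0.0/24")]
MAINT_WEEKDAY, MAINT_START, MAINT_END = 5, time(2, 0), time(4, 0)


def parse_event(line):
    """Split one FortiOS log line into a dict; quoted values may contain spaces."""
    return {key: quoted or bare for key, quoted, bare in KV.findall(line)}


def in_maintenance_window(ts):
    return ts.weekday() == MAINT_WEEKDAY and MAINT_START <= ts.time() < MAINT_END


def check_event(ev):
    findings = []
    ts = datetime.strptime(f"{ev['date']} {ev['time']}", "%Y-%m-%d %H:%M:%S")
    desc = ev.get("logdesc", "")
    if desc == "Admin login successful":
        src = ipaddress.ip_address(ev["srcip"])
        if not any(src in net for net in MGMT_NETS):
            findings.append(f"{ts} login by '{ev['user']}' from non-management address {src}")
    elif desc in ("Object configured", "Object attribute configured"):
        if ev.get("cfgpath", "").startswith("system.admin"):
            findings.append(f"{ts} admin account change by '{ev['user']}': {ev['msg']}")
        if not in_maintenance_window(ts):
            findings.append(f"{ts} config change outside maintenance window: {ev['msg']}")
    return findings


def scan(log_text):
    findings = []
    for line in log_text.splitlines():
        if line.strip():
            findings.extend(check_event(parse_event(line)))
    return findings


# Constructed sample. 2025-04-12 is a Saturday (inside the window);
# 2025-04-14 is a Monday. Addresses are from documentation ranges.
SAMPLE_LOG = """\
date=2025-04-12 time=02:15:07 devname="fw-edge-1" type="event" subtype="system" level="information" vd="root" logdesc="Admin login successful" user="admin" ui="https(10.10.0.5)" method="https" srcip=10.10.0.5 dstip=10.10.0.1 action="login" status="success" profile="super_admin" msg="Administrator admin logged in successfully from https(10.10.0.5)"
date=2025-04-12 time=02:20:31 devname="fw-edge-1" type="event" subtype="system" level="information" vd="root" logdesc="Object configured" user="admin" ui="https(10.10.0.5)" action="Edit" cfgpath="firewall.policy" cfgobj="12" cfgattr="schedule[always]" msg="Edit firewall.policy 12"
date=2025-04-14 time=03:41:19 devname="fw-edge-1" type="event" subtype="system" level="information" vd="root" logdesc="Admin login successful" user="admin" ui="https(198.51.100.77)" method="https" srcip=198.51.100.77 dstip=10.10.0.1 action="login" status="success" profile="super_admin" msg="Administrator admin logged in successfully from https(198.51.100.77)"
date=2025-04-14 time=03:42:03 devname="fw-edge-1" type="event" subtype="system" level="information" vd="root" logdesc="Object configured" user="admin" ui="https(198.51.100.77)" action="Add" cfgpath="system.admin" cfgobj="support" cfgattr="" msg="Add system.admin support"
"""

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

On the sample, the first two lines are clean (in-range login, change inside the window) and the last two produce three findings: an off-network login, an admin account addition, and a change outside the window. Run it over the syslog or SIEM copy of the event log rather than the on-box log, since an attacker with super-admin can alter the latter, and tune `MGMT_NETS` and the window to your own environment.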
The Patch Gap Problem
One pattern that keeps repeating in these incidents is the window between vulnerability disclosure and actual patching. Security researchers and vendors discover the flaw, a patch is released, advisories go out — and then weeks pass before many organizations apply the fix. Attackers know this and increasingly automate exploitation to hit vulnerable devices in the gap.
Part of the problem is operational: patching a firewall or VPN appliance often means a maintenance window, potential connectivity disruption, and testing to ensure nothing breaks. For organizations running 24/7 operations, that’s a significant coordination effort. But the alternative — leaving a known-exploited vulnerability unpatched — is far worse.
Automation helps here. If you’re not already using infrastructure-as-code practices for your network devices, this is a good motivation to start. Being able to rapidly rebuild a device configuration from code, test it in a staging environment, and deploy it with confidence makes emergency patching much less painful.
My Take
I’ve been doing this long enough to see the same patterns repeat. In the late 2000s, it was web application firewalls getting owned. In the 2010s, it was SSL VPN appliances. Now it’s the next generation of the same fundamental architecture — complex, internet-facing security appliances that become single points of failure when compromised.
The organizations that weather these storms best are the ones that don’t trust any single component completely. Defense in depth isn’t just a theoretical framework — it’s the practical difference between “we patched and moved on” and “we’re rebuilding our entire network because the firewall was a backdoor for three months.”
If this spring’s exploit wave motivates you to accelerate your zero-trust roadmap, then at least some good came from it. Start small — mutual TLS between services, identity-aware access controls, microsegmentation in your most critical environments. The perimeter isn’t going to protect you. Your architecture has to protect itself.
