Every few years, a vulnerability comes along that rewrites the conversation. This week, it is FortiBleed — CVE-2024-23113. A critical-severity, unauthenticated, pre-auth remote code execution in the FGFM (FortiGate-to-FortiManager) protocol. CVSS 9.8. And yes, it is being actively exploited in the wild.

I have spent this week on calls. Clients who have FortiGates in production. Clients who thought “we are on the latest firmware, we are safe.” Clients whose management interfaces have been facing the public internet for years because “it is just for the vendor to remote in.”

Here is what I am telling them — no panic, no fluff, just the field response that actually matters.

First: The Upgrade Did Not Fix You

Let me be blunt. If you applied the FortiOS 7.4.6 / 7.2.9 patch on Tuesday and called it done, you have only closed half the door. The vulnerability itself is patched, yes. But here is what most people miss: the exploit chain does not end at code execution. It ends at credential theft. And a patch does not rotate stolen credentials.

If an attacker had already run the exploit against your box before you patched — and the CISA KEV listing confirms active exploitation was underway — then they may already have your admin credentials, your VPN secrets, and your config files. The patch stops future exploitation. It does not undo what happened before you applied it.

This is the single most important point I am making on every call this week: patching is step one. Credential rotation is step two. Do not stop at step one.

The SHA-256 Trap Nobody Clicked Through

Fortinet published the SHA-256 checksums for the patched firmware. Good practice. But here is the trap I keep seeing: teams verify the checksum, upgrade the box, confirm the firmware version in the GUI, and stop there.

They miss the crucial detail in the advisory — the one about admin accounts. The recommendation is not just to upgrade. It is to log in to each managed FortiGate, navigate to the admin settings, and manually rotate every local user password. The SHA-256 hash on the firmware file gives you integrity assurance for the upgrade. It does nothing for backdoors that were installed before the upgrade.

I have walked three clients through this conversation this week alone. One of them had a six-month-old config export sitting on an engineer’s laptop. Another had a shared admin credential used by five different people across three time zones. The patch was applied. The exposure remained.

Why I Moved Management Interfaces Off the Public Internet Years Ago

This is going to sound like hindsight, but I have been saying this for over a decade. Every firewall I touch has its management interface locked to trusted IP ranges or internal management VLANs. Not because I am paranoid — because I have read the threat intel on every major firewall CVE since 2014. The pattern is consistent: the CVEs that get weaponised are the ones that hit exposed management interfaces.

Pulse Secure in 2019. Citrix ADC in 2020. FortiGate SSL-VPN in 2022. And now FGFM in 2024. Every single one was a management-plane vulnerability that required network access to exploit. And every single one became a crisis primarily for organisations that had exposed those interfaces to the internet.

The operators who locked down management access years ago? They are patching on their own schedule this week. The ones who left it open? They are in firefighting mode.

This is not a technical insight. This is operational discipline. And it is the cheapest insurance you will ever buy.

What I Am Telling Clients Right Now

Immediate (this week)

  1. Patch to FortiOS 7.4.6 or 7.2.9 if you have not already. Do this now. Not tomorrow.
  2. Rotate every local administrator password. Every single one. Then audit who has access. If you cannot name every person who can log into your firewall, you have too many admins.
  3. Restrict FGFM access to trusted IPs only. If you use FortiManager, restrict the FGFM source to the FortiManager IP alone.
  4. Check your auth logs. Look for failed and successful logins from unexpected IPs. If logging was not enabled, that itself is a finding.
  5. Verify no rogue admin accounts exist. Cross-check the admin list against your HR records. I have seen ghost accounts from contractors who left two years ago.

This Month

  1. Move every management interface behind a jump host or VPN. If a vendor needs remote access, give them a VPN — not a direct path to your firewall GUI.
  2. Enable audit logging on all config changes. If you cannot see who changed what and when, you are flying blind. Send logs to a central SIEM. Trust me on this — I have spent 30 years watching breaches get missed because the logs were sitting on the compromised device.
  3. Run a credential audit. Same password on the firewall and the NMS? Same on the firewall and the AD domain? That is a breach waiting to cross-pollinate.
  4. Schedule a quarterly rule review. Most firewall rules are three years old and nobody remembers who added them. Clean them up.

This Quarter

  1. Implement management-plane access controls as a standard operating procedure. Not a recommendation — a policy. Documented, audited, enforced.
  2. Evaluate a managed security partner. If your team is stretched to the point where a management interface has been internet-facing for two years, you are not understaffed. You are under-supported. That is what MSSPs exist for.

The Bigger Picture

FortiBleed is not the story. The story is that we keep seeing the same fundamental gaps — exposed interfaces, unrotated credentials, disabled logging — and treating each new CVE as a one-off patching exercise instead of a symptom of a deeper hygiene problem.

The upgrade cycle will never end. There will always be a new CVE, a new patch, a new SHA-256 to verify. What changes the outcome is whether you have the operational discipline in between.

I have been doing this long enough to know that the organisations that treat patch Tuesday as one item on a list of habits — not the entire list — are the ones that sleep through these events. The rest are scrambling every time a CVE hits the news.

This week, I am telling every client: patch, rotate, restrict, log. In that order. Skip none of them. And if you need help locking down your FortiGate fleet, you know where to find me.


— Sanjay Seth. 30+ years in cybersecurity. NOC/SOC operations, managed Fortinet security, and the PrahiX Ora unified platform. Founder and CEO, P J Networks.