Fortinet Targeted for Unpatched SSL VPN Discovery Activity
Last Updated: 2021-06-12 17:32:44 UTC
by Guy Bruneau (Version: 1)
Over the past 60 days, I have observed scanning activity to discover FortiGate SSL VPN unpatched services. Fortinet has fixed several critical vulnerabilities in SSL VPN and web firewall this year from Remote Code Execution (RCE) to SQL Injection, Denial of Service (DoS) which impact the FortiProxy SSL VPN and FortiWeb Web Application Firewall (WAF) products . Two weeks ago, US-CERT  released an alert re-iterating that APT actors are looking for Fortinet vulnerabilities to gain access to networks. Additional information to look for signs of this activity available here.
Fortinet Scanning Activity
Here is a sample of what can be seen in the logs:
20210611-053716: 192.168.25.9:8443-126.96.36.199:58521 data
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0\r\nAccept-Language: en-US,en;q=0.5
Guy Bruneau IPSS Inc.
My Handler Page
gbruneau at isc dot sans dot edu