A significant security flaw in FortiClient VPN’s logging mechanism has been uncovered, exposing enterprises to the risk of undetected brute-force attacks. The vulnerability, discovered by cybersecurity researchers at Pentera, relates to how Fortinet’s VPN servers handle authentication and authorization. When a user attempts to log in, Fortinet’s servers return one of three responses: valid credentials, failed authentication, or an error due to excessive failed attempts. The critical issue is that only successful logins that go on to establish a VPN session are logged. If an attacker authenticates successfully but stops short of establishing the session, the attempt leaves no record, creating a significant blind spot in the logs.
This flaw allows attackers to quietly validate leaked credentials without triggering alarms or alerting security teams. While failed login attempts are duly recorded, successful brute-force attempts that do not reach the session creation phase go unnoticed. As a result, attackers can validate numerous leaked credentials against the VPN server without raising suspicion. Incident response (IR) teams, relying on log data, may incorrectly assume that all brute-force attempts have failed, missing critical opportunities to reset passwords or launch an investigation into potential compromises.
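The triage logic below, an added example not taken from Pentera’s research or Fortinet’s software, shows how an IR team can avoid the mistaken "all attempts failed" conclusion: a failure streak against an account that ends with neither a lockout nor a logged session is reported as unknown outcome rather than as a failure. The event records and their field layout are constructed for illustration and do not reproduce Fortinet’s real log format.

```python
from collections import defaultdict

# Constructed sample events, not Fortinet's real log format:
# (timestamp, source_ip, user, event); event is "auth_failed", "lockout"
# or "session_established". A correct password that is never followed by
# session setup produces no event at all, which is the blind spot at issue.
SAMPLE_EVENTS = [
    ("2024-01-10T02:00:01", "203.0.113.5", "alice", "auth_failed"),
    ("2024-01-10T02:00:03", "203.0.113.5", "alice", "auth_failed"),
    ("2024-01-10T02:00:05", "203.0.113.5", "alice", "auth_failed"),
    ("2024-01-10T02:00:07", "203.0.113.5", "alice", "lockout"),
    ("2024-01-10T02:01:01", "203.0.113.5", "bob", "auth_failed"),
    ("2024-01-10T02:01:03", "203.0.113.5", "bob", "auth_failed"),
    # the streak against bob stops with neither lockout nor session
    ("2024-01-10T02:02:01", "203.0.113.5", "carol", "auth_failed"),
    ("2024-01-10T02:02:10", "203.0.113.5", "carol", "auth_failed"),
    ("2024-01-10T02:02:30", "203.0.113.5", "carol", "session_established"),
    ("2024-01-10T09:15:00", "198.51.100.7", "dave", "auth_failed"),
    ("2024-01-10T09:15:20", "198.51.100.7", "dave", "session_established"),
]

def triage(events, min_failures=2):
    """Return {(source_ip, user): verdict} for every pair with a failure streak.

    A streak that ends without a lockout or a session is deliberately NOT
    reported as failed: the outcome is unknown and the account should be
    treated as possibly validated (reset the password, investigate).
    """
    by_pair = defaultdict(list)
    for _ts, src, user, event in sorted(events):  # ISO timestamps sort lexically
        by_pair[(src, user)].append(event)
    verdicts = {}
    for pair, seq in by_pair.items():
        if seq.count("auth_failed") < min_failures:
            continue  # typo-level noise, not a streak
        if "session_established" in seq:
            verdicts[pair] = "session_established: investigate compromise"
        elif seq[-1] == "lockout":
            verdicts[pair] = "locked_out: attempt blocked"
        else:
            verdicts[pair] = "unknown_outcome: possible silent validation, reset password"
    return verdicts

def sources_targeting_many_users(events, min_users=2):
    """Sources whose failures span several accounts: the shape of bulk validation."""
    users = defaultdict(set)
    for _ts, src, user, event in events:
        if event == "auth_failed":
            users[src].add(user)
    return {src: len(u) for src, u in users.items() if len(u) >= min_users}
```

In the sample, bob is the account the log-only view would wrongly write off: his streak simply stops, so he is flagged for a password reset even though no success was ever recorded.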
The failure to log successful authentications that never proceed to a session is a critical vulnerability for organizations relying on Fortinet VPN solutions. Attackers can use this flaw to validate accounts in bulk, either to exploit them for unauthorized access or to sell the credentials on dark web marketplaces. This creates an ongoing risk, as validated credentials can be reused at a later time or across multiple services. The security lapse also hinders the ability of IT teams to respond quickly to suspicious activity, potentially allowing malicious actors to establish a persistent foothold in an organization’s network.
Experts urge Fortinet to enhance its logging mechanisms to record both successful and failed authentication attempts at the earliest stage. Organizations using Fortinet VPNs are advised to implement Multi-Factor Authentication (MFA) to add an extra layer of protection against brute-force attacks. Additionally, enterprises should frequently audit VPN configurations, monitor logs for anomalies, and employ Web Application Firewalls (WAFs) to block brute-force attempts. Until a fix is rolled out, companies can limit login attempts, configure block durations, and use custom SSL ports to reduce exposure. This vulnerability highlights the need for robust security measures and vigilant monitoring practices to safeguard against emerging threats.