
Fortinet SSL VPN Decision Presents New Risks

Ryan Gregory, May 19, 2025

Cost-effective and readily available security solutions are understandably appealing to small and midsize businesses (SMBs) that have limited financial resources and in-house expertise. These solutions are often widely adopted by SMBs seeking to address their cyber risk while minimizing the amount of management and upkeep they require.

Unfortunately, threat actors are keenly aware of which security tools are broadly used and actively target them, knowing that SMBs may be less equipped to fight back against a cyber attack.

Fortinet, a major cybersecurity solutions and network hardware provider, announced it will end support for its SSL VPN technology in an upcoming operating system update. This news puts IT teams and business owners in a challenging situation, forcing them to improve their cybersecurity posture by reconfiguring their devices or moving to another remote access solution altogether.  

At Coalition, we see many businesses that rely on Fortinet SSL VPN devices for secure remote access to their data from the web. Below, we’ll explore some of the challenges with Fortinet VPNs, the evolving cyber threat landscape, and best practices to mitigate risk.

What is an SSL VPN?

A virtual private network (VPN) creates a secure, encrypted connection between a business’ network and the remote VPN user. Businesses often use VPNs to protect sensitive data being accessed remotely from the open internet, preventing anyone who is not an authorized user of that VPN from intercepting or accessing that data. 

A secure sockets layer VPN (SSL VPN) is a specific type of VPN that allows users to access a business network without dedicated software, providing secure, remote access to internal applications and resources over the internet.

To anyone monitoring web activity, web traffic across SSL VPNs appears the same as everyday web traffic — only outsiders can’t fully inspect it. This is what makes SSL VPNs an appealing option to businesses with remote users who frequent hotels, access public Wi-Fi, or use internet service providers that block VPN traffic. 

What makes Fortinet SSL VPNs so risky?

Fortinet is one of the world’s most popular brands of security hardware and solutions. Fortinet products are frequently recommended and resold to third-party security vendors because they’re cost-effective and easy to implement for SMBs.

Threat actors have increasingly targeted vulnerabilities in Fortinet SSL VPNs. The reason for this focus is threefold: mandatory web panel exposure, widespread adoption, and increased vulnerabilities.

Mandatory web panel exposure

Some security devices offer options to remove login panels from external exposure, but SSL VPN requires a web page to be exposed to the internet to establish the VPN connection via the same protocols that secure web browsers use. It's this exposure that attracts threat actors most when they’re probing to exploit existing or new flaws in authentication mechanisms, or run commands remotely. 

Widespread adoption

Fortinet's business model appeals to managed service providers (MSPs) and SMBs due to its affordability and centralized management capabilities. However, this widespread adoption makes them an attractive target for cyber criminals seeking to attack businesses with fewer resources and less security expertise. Keep in mind that widespread adoption of a security product (or any technology) alone does not make it risky. 

Increased vulnerabilities

The number of vulnerabilities in Fortinet devices has increased significantly in recent years: More than 200 vulnerabilities impacting Fortinet products were published between April 2024 and March 2025. Further, while critical vulnerabilities in their firewalls were at one time identified only a few times per year, Fortinet VPNs now experience new security flaws almost monthly.

The result is an expanding SMB attack surface, where cyber criminals can exploit outdated firmware, weak configurations, or unpatched devices to gain unauthorized access to a business’ network.

Why Fortinet’s announcement presents new risks to SMBs

VPNs and other boundary devices are a double-edged sword for businesses: They often need the technology in place to mitigate the risk of cyber threats and enable secure remote access. Yet, these technologies (especially Fortinet SSL VPN) are preferred targets for attackers.

While SSL VPNs are generally less secure than their alternatives, Fortinet’s announcement that it will cease support for its SSL VPN product virtually guarantees that cyber criminals will target Fortinet’s technology even more in the near future. Attackers will be banking on the fact that businesses, especially SMBs, will be slow to reconfigure their devices or switch to a new remote access solution.

What can businesses do now?

Any remote access solution that’s headed out to pasture can pose frightening risks to IT teams and business owners. However, Fortinet’s decision is a positive move that will reduce risk and improve security for all its users over time.

Businesses using Fortinet SSL VPN are strongly encouraged to determine if their models will be impacted. For those impacted, Coalition recommends moving away from SSL VPN toward less-risky options. As a first step, we recommend discussing the options below with your IT team or IT vendor to determine which solutions work best for your company's operations, compliance and budget:

  • If you’re already using a client-based VPN connection, consider a cost-effective change and implement an IPsec VPN in place of your existing SSL VPN using the outlined Fortinet migration plans. This feature does not have the web page component of SSL VPN. However, be aware that some hotels, public Wi-Fi, or internet service providers may block these kinds of VPNs.

  • For enhanced security, choose a zero trust network access approach with your Fortinet device (like the one outlined by Fortinet).

  • Seek another option for secure remote access, like those found in the Coalition Control® Marketplace.

  • If you’re a Coalition policyholder, submit a request for recommendations on other remote connection solutions. 

Some businesses may unwittingly choose to leave their Fortinet SSL VPN devices unpatched until funds or resources are available to migrate, but they should be aware that this choice could significantly increase the risk of a breach and lead to major financial loss. Rather than wind up in this situation, take action and speak with your IT teams to build a plan today.


This blog post is designed to provide general information on the topic presented and is not intended to construe or the rendering of legal or other professional services of any kind. If legal or other professional advice is required, the services of a professional should be sought. The views and opinions expressed as part of this blog post do not necessarily state or reflect those of Coalition. Neither Coalition nor any of its employees make any warranty of any kind, express or implied, or assumes any legal liability or responsibility for the accuracy, completeness, or usefulness of any information, product or process disclosed. The blog post may include links to other third-party websites. These links are provided as a convenience only.
