Fortinet VPN with default certificate exposes 200,000 businesses to hack According to network security platform provider SAM Seamless Network, over 200,000 businesses that have deployed the Fortigate VPN solution with default settings. This choice could allow an attacker to present a valid SSL certificate and carry out man-in-the-middle (MitM) attacks on employees’ connections. “Surprisingly (or not?), we quickly found that under default configuration the SSL VPN is not as protected as it should be, and is vulnerable to MITM attacks quite easily.” reads the analysis published by SAM Seamless Network. “The Fortigate SSL-VPN client only verifies that the CA was issued by Fortigate (or another trusted CA), therefore an attacker can easily present a certificate issued to a different Fortigate router without raising any flags, and implement a Man-In-The-Middle attack. Experts pointed out that the Fortigate SSL-VPN client only verifies that the CA was issued by Fortigate or by another trusted CA, this allows an attacker to present a certificate issued to a different Fortigate router to carry out a man-in-the-middle attack. The researchers set up a compromised IoT device that initiates MITM attack using ARP Poisoning, then Forticlient initiates VPN connection. The compromised IoT device serves a signed Fortinet certificate extracted from legacy credentials and forwards the credentials to the original server while stealing them in the middle and spoofs the authentication process. The main problem is related to the use of default self-signed SSL certificates by organizations. The Fortigate router comes with a default SSL certificate that is signed by Fortinet, which is a self-signed certificate that includes the router’s serial number as the server name for the certificate. Fortinet recommends users to manually replace the default certificate and make sure that the connections are protected from MitM attacks.