Your Firewall Is on the Internet by Design — And That's the Problem
Edge security appliances — firewalls, VPN gateways, SSO portals — are exposed to the internet by design. That's what makes them a recurring target for mass exploitation: when an authentication-bypass flaw lands in one, attackers can find every exposed instance with internet-wide scanning in hours, not weeks.
Fortinet's product line is the textbook example. CVE-2022-40684, an authentication-bypass vulnerability in FortiOS, FortiProxy, and FortiSwitchManager, let an unauthenticated remote attacker perform administrative operations via crafted requests. It was exploited in the wild and added to CISA's Known Exploited Vulnerabilities catalog — a pattern that has repeated across edge vendors (Cisco, Citrix, Ivanti, SonicWall, Palo Alto) before and since. The specific CVE changes; the shape of the problem doesn't.
Why MSPs should care more than most
The appliance you deploy to protect a network is itself a piece of attack surface. And edge-device compromise has a nasty multiplier: a configuration file lifted from one breached firewall can contain hashed credentials and VPN settings that seed credential reuse across an entire managed fleet. One exposed admin interface can become many.
What to do
Patch fast — but patching assumes you know what you have. Restrict management interfaces so they're not reachable from the public internet, enforce MFA on remote access, and continuously confirm which appliances and admin portals actually answer from outside. Watch the vendor PSIRT feeds and CISA's KEV catalog for edge-device entries and treat them as drop-everything.
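To make the KEV-watching step concrete, here is an added example (not code from the original post or from any vendor) that matches entries in a CISA KEV-style feed against an MSP's inventory of edge appliances and lists affected devices, internet-exposed management interfaces first. The feed excerpt and the inventory are constructed sample data; the second KEV entry uses a placeholder CVE id, and the field names follow the public KEV JSON (`vulnerabilities`, `cveID`, `vendorProject`, `product`, `dueDate`).

```python
import json

# Edge vendors named in the post; extend to match the fleet you manage.
EDGE_VENDORS = {"fortinet", "cisco", "citrix", "ivanti", "sonicwall", "palo alto networks"}

# Constructed excerpt in the shape of CISA's known_exploited_vulnerabilities.json.
# The Ivanti entry is a placeholder to show the "Multiple Products" wildcard case.
KEV_SAMPLE = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-2022-40684", "vendorProject": "Fortinet",
     "product": "FortiOS, FortiProxy, FortiSwitchManager", "dueDate": "2022-11-01"},
    {"cveID": "CVE-0000-PLACEHOLDER", "vendorProject": "Ivanti",
     "product": "Multiple Products", "dueDate": "2030-01-01"},
    {"cveID": "CVE-0000-NOTEDGE", "vendorProject": "Example Desktop Vendor (constructed)",
     "product": "Office Suite", "dueDate": "2030-01-01"},
]})

# Constructed inventory: one row per managed appliance, with whether its
# admin interface was last seen answering from the public internet.
INVENTORY = [
    {"client": "acme", "hostname": "fw1.acme.example", "vendor": "Fortinet",
     "product": "FortiOS", "mgmt_exposed": True},
    {"client": "beta", "hostname": "fw-core.beta.example", "vendor": "Fortinet",
     "product": "FortiOS", "mgmt_exposed": False},
    {"client": "beta", "hostname": "logs.beta.example", "vendor": "Fortinet",
     "product": "FortiAnalyzer", "mgmt_exposed": False},
    {"client": "gamma", "hostname": "vpn.gamma.example", "vendor": "Ivanti",
     "product": "Connect Secure", "mgmt_exposed": False},
    {"client": "gamma", "hostname": "sw1.gamma.example", "vendor": "Cisco",
     "product": "IOS XE", "mgmt_exposed": True},
]

def _products(kev_product: str) -> set[str]:
    """Split a KEV product field ("A, B, C") into a lower-cased set."""
    return {p.strip().lower() for p in kev_product.split(",")}

def kev_edge_hits(kev_json: str, inventory: list[dict]) -> list[dict]:
    """Return inventory devices affected by edge-vendor KEV entries.

    Sorted so internet-exposed admin interfaces come first, then by KEV due date.
    """
    hits = []
    for entry in json.loads(kev_json)["vulnerabilities"]:
        vendor = entry["vendorProject"].lower()
        if vendor not in EDGE_VENDORS:
            continue  # not an edge-device vendor we track
        prods = _products(entry["product"])
        wildcard = any("multiple" in p for p in prods)  # vendor-wide entry
        for dev in inventory:
            if dev["vendor"].lower() != vendor:
                continue
            if not wildcard and dev["product"].lower() not in prods:
                continue
            hits.append({**dev, "cveID": entry["cveID"], "dueDate": entry["dueDate"]})
    hits.sort(key=lambda h: (not h["mgmt_exposed"], h["dueDate"], h["client"]))
    return hits
```

Feed this the real KEV JSON and your own inventory export; the `mgmt_exposed` flag is what turns a KEV entry into a drop-everything item rather than a scheduled patch.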
An external attack-surface analysis maps the edge devices and exposed admin interfaces across your clients — before an attacker scans them first.
Which edge devices are exposed across your clients?
Run a free external attack-surface analysis to map firewalls, VPN gateways and exposed admin interfaces.