ryanwilliams74

Challenging the Numbers: A Journey to Validate Vulnerable Device Figures



The Numbers Game: When Sensationalism Meets Security Reality


In cybersecurity, numbers often speak louder than words. A single statistic about the number of vulnerable devices exposed to the internet can send the industry into a frenzy. But what happens when those numbers are blown out of proportion?


Recently, reports have been floating around, claiming tens of thousands of devices are vulnerable and exposed online, all thanks to a known vulnerability. The figures were enough to spark panic, but if you’ve been in the game long enough, you know better than to trust everything at face value.


Curious and sceptical, I decided to put these claims to the test myself. Armed with tools like Shodan, FOFA, and a custom vulnerability scanner, I wanted to see if these numbers would hold up in real-world conditions. As it turns out, they didn’t quite hit the mark.


Are the Reported Numbers Sensationalised?


When the reports hit, many claimed that over 60,000 vulnerable FortiManager devices were wide open, sitting pretty on the internet, waiting to be owned. Sixty thousand? Really? The number seemed excessive. How could that many critical systems be left unpatched, especially in a world where we’re supposedly becoming more aware of security risks?

I wasn’t about to just accept those figures and move on. I needed to see for myself. So, I turned to my trusty tools—Shodan and FOFA—to dig deeper and get a more accurate picture of what was really going on.


Shodan’s Findings: Scratching the Surface


Shodan is the OG of search engines for internet-connected devices, so it was my first stop. I logged in, keyed in the right query to find FortiManager devices using the FGFM protocol (FortiGate to FortiManager), and bam—a list of devices appeared. But that wasn’t enough.


FOFA: A Second Opinion


Next, I hit up FOFA, another powerful search engine. Using a slightly different query, I scoured the net for even more FortiManager devices. Between Shodan and FOFA, I compiled a solid list of devices that could potentially be vulnerable based on their exposure and service setup.


Testing the Vulnerability: Digging Into CVE-2024-47575


Once I had a list of exposed devices, I got to work with vulnerability testing. The target? A known FortiManager vulnerability (CVE-2024-47575). I whipped up a custom scanner to see if these devices could be exploited by leveraging unauthenticated access, bypassing the default factory certs.


I ran scans on 97 devices. The results were interesting, but they didn’t line up with the scary numbers I’d seen reported.


The Real Story: A Far Cry From 60,000


After running my tests, I found the real number of vulnerable devices was way lower than the tens of thousands being thrown around. Here’s what I uncovered:

  • 19.59% of the devices I scanned were confirmed to be vulnerable to CVE-2024-47575.

  • The rest were either patched, protected (thanks to firewalls or connection resets), or simply unreachable.


While a nearly 20% vulnerability rate is still cause for concern, it’s a far cry from the supposed 60,000 exposed devices. My tests show that while vulnerabilities do exist, the numbers might not be as extreme as some would have you believe.
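The counting method behind these figures is where exposure claims and confirmed-vulnerable claims get conflated, so here is a small added example (not the author's scanner, and not project code) that separates the two steps described above: merging the host lists from two search engines (Shodan and FOFA) into one de-duplicated "exposed" set, then tallying per-host scan outcomes into the same four buckets the post uses (vulnerable, patched, protected by firewall or connection reset, unreachable) and computing the confirmed-vulnerable share of the devices actually scanned. All hosts and outcomes are constructed, using RFC 5737 documentation addresses; the `Outcome`, `ScanResult`, `merge_exposure_lists` and `summarize` names are my own.

```python
"""Tally scan outcomes so that 'exposed' and 'confirmed vulnerable' are counted
separately. Added example, not the author's scanner; all hosts and outcomes are
constructed (RFC 5737 documentation ranges)."""
from collections import Counter
from dataclasses import dataclass
from enum import Enum


class Outcome(Enum):
    VULNERABLE = "vulnerable"    # scanner confirmed the weakness
    PATCHED = "patched"          # fixed firmware, or check came back negative
    PROTECTED = "protected"      # reachable, but a firewall/ACL or connection reset blocked the check
    UNREACHABLE = "unreachable"  # no answer within the timeout


@dataclass(frozen=True)
class ScanResult:
    host: str
    outcome: Outcome


def merge_exposure_lists(*sources):
    """Union the hosts returned by several search engines, de-duplicated by
    address so a device seen in both Shodan and FOFA is counted once."""
    merged = set()
    for hits in sources:
        merged.update(h.strip() for h in hits if h.strip())
    return sorted(merged)


def summarize(results):
    """Return per-outcome counts and the confirmed-vulnerable percentage of the
    devices actually scanned (not of the raw 'exposed' count)."""
    counts = Counter(r.outcome for r in results)
    scanned = len(results)
    vulnerable = counts[Outcome.VULNERABLE]
    rate = round(100 * vulnerable / scanned, 2) if scanned else 0.0
    return {
        "scanned": scanned,
        "vulnerable": vulnerable,
        "patched": counts[Outcome.PATCHED],
        "protected": counts[Outcome.PROTECTED],
        "unreachable": counts[Outcome.UNREACHABLE],
        "vulnerable_pct": rate,
    }


# Constructed sample hits (RFC 5737 documentation addresses), not real search output.
SHODAN_HITS = ["192.0.2.10", "192.0.2.11", "198.51.100.5", "203.0.113.7"]
FOFA_HITS = ["198.51.100.5", "203.0.113.7", "203.0.113.8", "203.0.113.9"]

EXPOSED_HOSTS = merge_exposure_lists(SHODAN_HITS, FOFA_HITS)  # 6 unique hosts

# Constructed outcomes for the six merged hosts.
SAMPLE_RESULTS = [
    ScanResult("192.0.2.10", Outcome.VULNERABLE),
    ScanResult("192.0.2.11", Outcome.PATCHED),
    ScanResult("198.51.100.5", Outcome.PROTECTED),
    ScanResult("203.0.113.7", Outcome.UNREACHABLE),
    ScanResult("203.0.113.8", Outcome.PATCHED),
    ScanResult("203.0.113.9", Outcome.PROTECTED),
]

if __name__ == "__main__":
    print("exposed (de-duplicated):", len(EXPOSED_HOSTS))
    print(summarize(SAMPLE_RESULTS))
```

The headline number reported in the post comes out of the same arithmetic: 19 confirmed hosts out of 97 scanned gives 19.59%, which is the figure quoted above. Keeping the "exposed" count and the "scanned" count as separate inputs is what stops the two from being quoted as one number.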


Not Every Exposed Device is a Sitting Duck


Here’s the thing: Just because a device is exposed doesn’t mean it’s vulnerable. Many of the devices I scanned had additional security measures—firewalls, network restrictions, even connection timeouts—that stopped exploitation in its tracks. Those defences were enough to keep attackers at bay, even if the devices were technically exposed to the internet.


So, What’s the Takeaway?


Even if the numbers were inflated, it doesn’t mean security patching is less important or that the vulnerability isn’t severe. If a device is vulnerable, it’s a potential attack vector, plain and simple. But overblown figures can lead to knee-jerk reactions and wasted resources.

Here’s what you should remember:


  • Not all exposed devices are vulnerable: Some devices may be visible but still protected by layered security measures like firewalls or client certs.

  • Client certs matter: While factory certs on FortiManager devices are a problem, physical FortiGates often use device-specific certs, making exploitation tougher.

  • Patching isn’t everything: Even unpatched devices might be safe behind a solid defence setup. Don’t panic before doing a proper risk assessment.

  • Validate the numbers: Just because someone says “60,000 devices exposed” doesn’t mean it’s gospel. Take those figures with a grain of salt, and always run your own tests before drawing conclusions.

Keep Monitoring, Stay Sharp


At the end of the day, my scans didn’t show the apocalyptic numbers some reports claimed, but that doesn’t mean we can relax. Vulnerabilities like CVE-2024-47575 are serious business, and continuous monitoring is key to keeping things under control. Sensational numbers make headlines, but real security comes from digging into the data, validating claims, and remediating vulnerabilities where they matter most.


So, what’s the moral of this story? Don’t let overblown news stories drive your decisions. Test with Spartans Security and let us be your informed move force multiplier.
