FortiOS - Bypassing FortiGate security profiles via SNI in Client Hello


An exposure of sensitive information to an unauthorized actor vulnerability [CWE-200] in FortiOS may allow an attacker who already controls a host behind the FortiGate (a privileged position, not an unauthenticated one) to exfiltrate data past the configured security profiles by encoding it in the Server Name Indication (SNI) field of TLS Client Hello packets. The SNI is carried in cleartext in the Client Hello, which the FortiGate forwards to the destination in order to complete the handshake, so the encoded data reaches the attacker's server regardless of the verdict later applied to the session. The technique is publicly known as SNIcat, which the signature names below refer to.


Affected Products

All FortiOS versions are impacted by this vulnerability.


Because there is no systematic way to detect every exfiltration attempt, nor to enumerate exhaustively the encodings an exfiltration channel can use, Fortinet has addressed the issue by releasing a set of IPS signatures that detect the known tooling (the signatures take effect only when the IPS sensor containing them is applied to the relevant firewall policies):

  1. Python/SNICat.A!exploit

  2. SNIcat.Data.Exfiltration.Tool
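The mitigation above is signature-based and therefore covers the known tool, not the channel. As an added example (not code from this advisory and not Fortinet's signature logic), the Python below shows what an inspection point has to do to see this channel at all: parse the cleartext Client Hello, pull out the server_name extension, and score the hostname labels for the long, high-entropy blobs that encoded file content produces. The Client Hello records, the base32-looking chunk, the domain up.example.net, the label-length and entropy thresholds, and the helper names are all constructed here for illustration.

```python
"""Extract the SNI from a TLS Client Hello and flag SNIcat-style encoded hostnames.

Added example for this advisory; not Fortinet's IPS signature logic.
Every record below is constructed, not captured traffic.
"""
import math
import struct
from collections import Counter
from typing import Optional

# Constructed stand-in for a base32-encoded chunk of exfiltrated file content carried
# as a hostname label (assumption: the tool encodes data into subdomain labels).
EXFIL_CHUNK = "MFRGGZDFMZTWQ2LKNNWG23TPOBYXE43UOV3HO6DZPI"
C2_DOMAIN = "up.example.net"   # hypothetical attacker-controlled domain


def build_client_hello(server_name: Optional[str]) -> bytes:
    """Build a minimal TLS 1.2 ClientHello record; server_name=None omits extensions entirely."""
    body = (
        b"\x03\x03"             # client_version TLS 1.2
        + b"\x11" * 32          # random (constant is fine for a sample)
        + b"\x00"               # session_id: empty
        + b"\x00\x02\x13\x01"   # cipher_suites: one suite
        + b"\x01\x00"           # compression_methods: null
    )
    if server_name is not None:
        name = server_name.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(name)) + name        # NameType host_name(0)
        name_list = struct.pack("!H", len(entry)) + entry
        ext = struct.pack("!HH", 0x0000, len(name_list)) + name_list  # ExtensionType server_name(0)
        body += struct.pack("!H", len(ext)) + ext
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body       # HandshakeType client_hello(1)
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record: bytes) -> Optional[str]:
    """Return the host_name from a ClientHello record, or None if absent or not a ClientHello."""
    if len(record) < 9 or record[0] != 0x16:                 # ContentType handshake(22)
        return None
    hs = record[5:5 + struct.unpack("!H", record[3:5])[0]]
    if len(hs) < 4 or hs[0] != 0x01:                         # HandshakeType client_hello(1)
        return None
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    pos = 2 + 32                                             # skip version + random
    if len(body) < pos + 1:
        return None
    pos += 1 + body[pos]                                     # session_id
    if len(body) < pos + 2:
        return None
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]     # cipher_suites
    if len(body) < pos + 1:
        return None
    pos += 1 + body[pos]                                     # compression_methods
    if len(body) < pos + 2:
        return None                                          # no extensions block at all
    ext_end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    while pos + 4 <= min(ext_end, len(body)):
        etype, elen = struct.unpack("!HH", body[pos:pos + 4])
        data = body[pos + 4:pos + 4 + elen]
        pos += 4 + elen
        if etype != 0 or len(data) < 2:
            continue
        # ServerNameList: u16 list length, then (u8 name_type, u16 length, name) entries
        q, list_end = 2, 2 + struct.unpack("!H", data[:2])[0]
        while q + 3 <= min(list_end, len(data)):
            ntype, nlen = data[q], struct.unpack("!H", data[q + 1:q + 3])[0]
            if ntype == 0:
                return data[q + 3:q + 3 + nlen].decode("ascii", "replace")
            q += 3 + nlen
    return None


def shannon_entropy(s: str) -> float:
    """Bits per character of the empirical symbol distribution of s."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0


def sni_looks_like_exfil(server_name: str, max_label_len: int = 30, min_entropy: float = 3.5) -> bool:
    """Heuristic: a subdomain label that is both long and high-entropy looks like an encoded blob.

    Thresholds are assumptions chosen for illustration; tune them against your own traffic.
    Only labels left of the registered domain are scored (the last two labels are skipped).
    """
    labels = server_name.split(".")
    subdomain_labels = labels[:-2] if len(labels) > 2 else []
    return any(len(l) > max_label_len and shannon_entropy(l) >= min_entropy for l in subdomain_labels)


def classify(record: bytes) -> str:
    """One verdict per record: 'no-sni', 'suspicious' or 'benign'."""
    sni = extract_sni(record)
    if sni is None:
        return "no-sni"
    return "suspicious" if sni_looks_like_exfil(sni) else "benign"


SAMPLES = {                                                  # constructed records, not captures
    "benign": build_client_hello("cdn-assets-eu-west-1.static.example.com"),
    "exfil": build_client_hello(f"{EXFIL_CHUNK}.{C2_DOMAIN}"),
    "no-sni": build_client_hello(None),
}

if __name__ == "__main__":
    for label, rec in SAMPLES.items():
        print(f"{label:7s} sni={extract_sni(rec)!r} verdict={classify(rec)}")
```

Because the SNI is sent before any inspection verdict exists and the Client Hello is forwarded to complete the handshake, a check like this has to run on the Client Hello itself; anything that decides on the server certificate or the decrypted stream is already too late for this channel. Expect false positives from legitimate long labels (CDN cache keys, some telemetry hostnames), so treat the score as a triage signal rather than a block rule.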