The Fortinet Zero-Day
The Fortinet zero-day this week is a good example of how these situations really play out in practice.
If you look past the “critical vulnerability” label, the story is less about the bug itself… and more about exposure, timing, and how quickly things move once something like this is out in the open.
What we know
Fortinet disclosed a vulnerability in FortiOS, the operating system on FortiGate devices, with reports of active exploitation in the wild before a fix was generally available, which is what makes it a zero-day rather than just another critical bug. Of course, that alone is enough to get attention.
Fortinet firewalls are widely used across enterprise environments, service providers, and critical infrastructure. These aren’t niche systems; they sit at the edge of networks, often directly exposed to the internet, which makes them a high-value target.
And when something like this comes up, attackers tend to move quickly.
This isn’t a rare scenario
If anything, this fits a broader pattern. According to multiple industry reports:
- ~30% of all exploited vulnerabilities in recent years were initially zero-days
- Edge devices (firewalls, VPNs, gateways) are consistently among the most targeted systems
- The time between disclosure and mass exploitation has dropped significantly, in some cases to hours or days
We’ve seen this before with:
- VPN vulnerabilities during remote work surges
- Firewall exploits being used for initial access
- Edge devices becoming entry points into wider environments
Different vendor, same playbook.
The timing problem
One of the more uncomfortable realities with zero-days is timing.
By the time something is publicly disclosed:
- attackers may have already been using it
- some organisations may already be compromised
- defenders are just starting to react
Then the clock starts.
Security teams need to:
- identify where the affected systems are
- understand exposure
- test and apply patches
- check for signs of compromise
That sounds straightforward, but in practice it’s rarely quick. In larger environments, patching edge devices isn’t instant. There are dependencies, change windows, and the risk of breaking connectivity if something goes wrong.
So even when the guidance is clear (patch immediately), there is usually a gap between disclosure and the last device being patched, and that gap is where most of the risk sits.
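The first two steps above (find the affected systems, understand exposure) are the ones that tend to get done by hand under pressure. As an added example, not code from the original post, here is a small triage script over a constructed inventory: it compares firmware versions as integer tuples rather than strings (a string compare puts "7.4.10" before "7.4.9"), checks each device against an assumed table of fixed builds per release branch, and orders the unpatched devices by how exposed they are. The device records, the fixed-build numbers and the field names are all invented for illustration; in practice the inventory would come from your CMDB or FortiManager export and the fixed builds from the vendor advisory.

```python
"""Version and exposure triage for an edge-device inventory.

Added example. All device records and the FIXED_BUILDS table are constructed
for illustration and are not the real advisory's affected/fixed versions.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Device:
    name: str
    version: str          # FortiOS-style "major.minor.patch"
    mgmt_on_wan: bool     # admin UI reachable from the internet
    sslvpn_enabled: bool  # another internet-facing service on the same box
    role: str             # "prod" or "lab"


# Assumed "first fixed build" per branch (hypothetical numbers).
FIXED_BUILDS = {"7.4": (7, 4, 3), "7.2": (7, 2, 8), "7.0": (7, 0, 15)}


def parse_version(v: str) -> tuple:
    """'7.4.10' -> (7, 4, 10); tuples compare numerically, strings do not."""
    return tuple(int(p) for p in v.split("."))


def is_vulnerable(version: str) -> Optional[bool]:
    """True if below the fixed build for its branch, False if at or above it,
    None if the branch is not in the (assumed) advisory table at all."""
    parts = parse_version(version)
    fixed = FIXED_BUILDS.get(f"{parts[0]}.{parts[1]}")
    if fixed is None:
        return None
    return parts < fixed


def exposure_score(d: Device) -> int:
    """Crude ranking: internet-facing management outweighs everything else."""
    score = 0
    if d.mgmt_on_wan:
        score += 4
    if d.sslvpn_enabled:
        score += 2
    if d.role == "prod":
        score += 1
    return score


def triage(devices):
    """Return one row per device: unpatched and unknown first, most exposed first."""
    labels = {True: "PATCH NOW", False: "patched", None: "unknown branch: verify manually"}
    rows = []
    for d in devices:
        vuln = is_vulnerable(d.version)
        rows.append({
            "name": d.name, "version": d.version, "vulnerable": vuln,
            "status": labels[vuln], "exposure": exposure_score(d),
        })
    # Patched devices sort last; within each group, highest exposure first.
    rows.sort(key=lambda r: (r["vulnerable"] is False, -r["exposure"]))
    return rows


# Constructed inventory (hostnames, versions and flags are all made up).
INVENTORY = [
    Device("fw-edge-01", "7.4.2", mgmt_on_wan=True, sslvpn_enabled=True, role="prod"),
    Device("fw-edge-02", "7.4.3", mgmt_on_wan=False, sslvpn_enabled=True, role="prod"),
    Device("fw-edge-03", "7.4.10", mgmt_on_wan=False, sslvpn_enabled=False, role="prod"),
    Device("fw-branch-07", "7.2.7", mgmt_on_wan=False, sslvpn_enabled=False, role="prod"),
    Device("fw-lab-01", "7.4.1", mgmt_on_wan=False, sslvpn_enabled=False, role="lab"),
    Device("fw-old-03", "6.4.14", mgmt_on_wan=False, sslvpn_enabled=True, role="prod"),
]

if __name__ == "__main__":
    for r in triage(INVENTORY):
        print(f"{r['name']:<14} {r['version']:<8} exposure={r['exposure']}  {r['status']}")
```

The "unknown branch" row is deliberate: a version the advisory table does not cover is not the same as "patched", and it is exactly the forgotten device from L39's "rediscover what they have" that tends to sit on an end-of-life branch.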
Why edge devices keep coming up
There’s a reason these stories keep repeating.
Edge devices are:
- internet-facing by design
- often central to network access
- sometimes less monitored than internal systems
In many cases, they’re deployed, configured, and then left relatively untouched unless something breaks.
Which means when a vulnerability appears, organisations sometimes have to rediscover what they have, how it’s configured, and how exposed it is.
That’s not ideal when time matters.
The real risk isn’t just patching
One thing that often gets missed in these situations is that patching is only part of the response.
If exploitation has already happened, the question isn’t just “Are we vulnerable?” but “Have we already been accessed?”.
That means looking for:
- unusual authentication activity, such as admin logins from addresses outside your management networks, or a successful login right after a run of failures
- configuration changes you didn’t make, especially to management access on internet-facing interfaces
- new admin or API accounts, new VPN users, or other access paths that didn’t exist before
- signs of persistence, such as scheduled scripts or unexpected outbound connections from the device itself
Ideally this review is done from logs shipped off the device and against a configuration backup taken before the disclosure window, because anyone who already has admin access on the firewall can also alter what it keeps locally.
Because once an attacker gets through an edge device, they don’t tend to stop there.
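To make the checks in that list concrete, here is an added example (not code from the original post) that runs three of them over a handful of constructed log lines in FortiGate’s key=value event-log style: an admin login from outside an assumed management subnet, a success following repeated failures from the same source, and a configuration change that creates an account or widens management access. The log lines, field names, the management subnet (10.20.0.0/24), the list of sensitive config paths and the thresholds are all assumptions for illustration; real FortiOS log fields vary by version, so check them against your own exports before relying on any of this.

```python
"""Post-exposure triage over FortiGate-style event logs.

Added example. SAMPLE_LOGS is constructed to approximate FortiOS key=value
event logs; MGMT_NETS, SENSITIVE_PATHS and the thresholds are assumptions.
"""
import re
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed: admin logins from anywhere outside this subnet are suspicious.
MGMT_NETS = [ipaddress.ip_network("10.20.0.0/24")]
# Assumed config paths whose modification creates a new account or access path.
SENSITIVE_PATHS = {"system.admin", "system.api-user", "system.auto-script"}
FAIL_THRESHOLD = 3               # failed logins before a success that we flag
FAIL_WINDOW = timedelta(minutes=10)

# key=value pairs; values are either "quoted strings" or a bare token.
KV_RE = re.compile(r'(\w[\w-]*)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_line(line: str) -> dict:
    """Split one key=value log line into a dict, stripping surrounding quotes."""
    fields = {}
    for key, value in KV_RE.findall(line):
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]
        fields[key] = value
    return fields


def event_time(f: dict) -> datetime:
    return datetime.fromisoformat(f"{f['date']} {f['time']}")


def from_mgmt_net(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in MGMT_NETS)


def triage_logs(text: str) -> list:
    """Return a list of findings (dicts) in log order."""
    findings = []
    failures = defaultdict(list)  # (user, srcip) -> timestamps of failed logins

    def flag(rule, f, ts, detail):
        findings.append({"rule": rule, "time": ts, "user": f.get("user", "?"),
                         "srcip": f.get("srcip", "?"), "detail": detail})

    for line in text.strip().splitlines():
        f = parse_line(line)
        if f.get("type") != "event":
            continue
        ts, desc = event_time(f), f.get("logdesc", "")
        key = (f.get("user", "?"), f.get("srcip", "?"))

        if desc == "Admin login failed":
            failures[key].append(ts)
        elif desc == "Admin login successful":
            if not from_mgmt_net(key[1]):
                flag("admin_login_outside_mgmt_net", f, ts, f"{key[0]} logged in from {key[1]}")
            recent = [t for t in failures[key] if ts - t <= FAIL_WINDOW]
            if len(recent) >= FAIL_THRESHOLD:
                flag("success_after_repeated_failures", f, ts,
                     f"{len(recent)} failures within {FAIL_WINDOW} before success")
        elif desc == "Object attribute configured":
            path, attr = f.get("cfgpath", ""), f.get("cfgattr", "")
            if path in SENSITIVE_PATHS:
                flag("account_or_access_path_change", f, ts,
                     f"{f.get('action')} {path} {f.get('cfgobj')}: {attr}")
            elif path == "system.interface" and "allowaccess" in attr:
                flag("management_surface_change", f, ts, f"{f.get('cfgobj')}: {attr}")
    return findings


# Constructed sample: three failures then a success from an external address,
# a new super_admin account, SSH enabled on wan1, then normal daytime activity.
SAMPLE_LOGS = """\
date=2024-01-15 time=03:41:07 devname="fw-edge-01" type="event" subtype="system" level="alert" logdesc="Admin login failed" user="admin" ui="https(198.51.100.23)" srcip=198.51.100.23 action="login" status="failed" reason="passwd_invalid" msg="Administrator admin login failed from https(198.51.100.23) because of invalid password"
date=2024-01-15 time=03:41:10 devname="fw-edge-01" type="event" subtype="system" level="alert" logdesc="Admin login failed" user="admin" ui="https(198.51.100.23)" srcip=198.51.100.23 action="login" status="failed" reason="passwd_invalid" msg="Administrator admin login failed from https(198.51.100.23) because of invalid password"
date=2024-01-15 time=03:41:14 devname="fw-edge-01" type="event" subtype="system" level="alert" logdesc="Admin login failed" user="admin" ui="https(198.51.100.23)" srcip=198.51.100.23 action="login" status="failed" reason="passwd_invalid" msg="Administrator admin login failed from https(198.51.100.23) because of invalid password"
date=2024-01-15 time=03:41:20 devname="fw-edge-01" type="event" subtype="system" level="information" logdesc="Admin login successful" user="admin" ui="https(198.51.100.23)" srcip=198.51.100.23 action="login" status="success" msg="Administrator admin logged in successfully from https(198.51.100.23)"
date=2024-01-15 time=03:42:05 devname="fw-edge-01" type="event" subtype="system" level="information" logdesc="Object attribute configured" user="admin" ui="https(198.51.100.23)" srcip=198.51.100.23 action="Add" cfgpath="system.admin" cfgobj="svc_backup" cfgattr="accprofile[super_admin]" msg="Add system.admin svc_backup"
date=2024-01-15 time=03:43:11 devname="fw-edge-01" type="event" subtype="system" level="information" logdesc="Object attribute configured" user="admin" ui="https(198.51.100.23)" srcip=198.51.100.23 action="Edit" cfgpath="system.interface" cfgobj="wan1" cfgattr="allowaccess[ping https->ping https ssh]" msg="Edit system.interface wan1"
date=2024-01-15 time=08:02:11 devname="fw-edge-01" type="event" subtype="system" level="information" logdesc="Admin login successful" user="admin" ui="https(10.20.0.15)" srcip=10.20.0.15 action="login" status="success" msg="Administrator admin logged in successfully from https(10.20.0.15)"
date=2024-01-15 time=09:15:44 devname="fw-edge-01" type="event" subtype="system" level="information" logdesc="Object attribute configured" user="netops" ui="ssh(10.20.0.22)" srcip=10.20.0.22 action="Edit" cfgpath="firewall.policy" cfgobj="42" cfgattr="comments[ticket 1234]" msg="Edit firewall.policy 42"
"""

if __name__ == "__main__":
    for x in triage_logs(SAMPLE_LOGS):
        print(f"{x['time']}  {x['rule']:<34} {x['user']}@{x['srcip']}  {x['detail']}")
```

The netops change at 09:15 is there on purpose: a policy comment edit from the management network is routine and should not fire, while the same "Object attribute configured" event touching system.admin or the allowaccess list on an internet-facing interface is exactly the "new account or access path" the list above is about. Rules like these are a starting point for a hunt, not a verdict; a finding means "go look", and a clean run over logs the attacker could have edited means nothing.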
The bigger picture
This isn’t really about Fortinet specifically. It’s about a pattern we see over and over again in cyber:
- widely deployed technology
- exposed to the internet
- critical vulnerability
- rapid exploitation
- race to respond
And each time, the same challenges come up:
- visibility
- speed
- and the gap between the two
The reality
Zero-days get attention because they sound rare and unpredictable, but the reality is a bit more grounded.
They’re part of a wider environment where:
- attackers are constantly scanning for exposed systems
- exploitation happens quickly once something is viable
- and defenders are working within real-world constraints
This week’s Fortinet issue is a reminder that the most important systems are often the most exposed. That response time matters as much as prevention. And that by the time something becomes public, it may already be in play.
BY: Burhan Choudhry