WatchGuard & Fortinet Critical Vulnerabilities


The SMB Firewall Patching Reality Check

Where is your asset register? How is it linked to security bulletins? If you don’t know, you are exposing yourself to unknown threats.

Firewalls are the “front door” of a business network. For Australian small and medium‑sized businesses (SMBs), they are frequently the single most critical security control protecting your email systems, staff, remote access, cloud connectivity and sensitive customer data.

Over the past 12–18 months, a consistent pattern has emerged: critical vulnerabilities in enterprise‑grade firewalls are being actively exploited in the wild, often faster than SMBs can realistically patch them. Although this article references WatchGuard and Fortinet, most router and firewall brands have been exploited over the past two years, including NetComm, DrayTek and D-Link.

This article looks beyond the headlines to examine the real-world patching challenges SMBs face, why these vulnerabilities are so attractive to attackers, and what Australian organisations can realistically do to reduce risk.

Why Firewall Vulnerabilities Matter More Than “Normal” Software Bugs

Unlike workstations and SMB servers, firewalls:

  • Are internet facing by design: they are the frontier
  • Often authenticate users and VPN connections, bringing the outside in
  • Sit at a point of high trust and high privilege: they are the front door, so keep them locked

When a firewall is compromised, attackers may gain:

  • Remote code execution (RCE)
  • Persistent, stealthy access
  • A platform for lateral movement into internal systems

Security agencies consistently warn that edge devices are now a primary initial access vector, especially for ransomware and financially motivated threat actors.

WatchGuard: Repeated Critical Firebox Vulnerabilities

WatchGuard Firebox appliances – widely deployed to Australian SMBs – have been affected by multiple critical vulnerabilities. Many of these devices were actively exploited before organisations got around to patching, knew they needed patching, or even realised they owned one.

What we’ve seen

  • Critical out-of-bounds write vulnerabilities in Fireware OS
  • Exploitation occurring pre-authentication
  • VPN vulnerabilities where devices remained vulnerable even after the affected configurations were removed
  • Large numbers of exposed devices identified globally by internet scanning projects

Australian organisations were specifically warned by the Australian Signals Directorate (ASD) and ACSC about active exploitation of WatchGuard Firebox vulnerabilities, urging immediate patching.

The SMB router reality

In practice many Australian SMBs:

  • Run firewalls that are years old but still operational
  • Rely on after-hours maintenance windows that are rarely scheduled and even more rarely happen
  • Are unaware that historical VPN configurations or legacy user profiles can leave systems exposed for years, even after changes

This creates a dangerous gap between “patched” on paper and secured in reality.

Fortinet: Patch Bypasses, Authentication Flaws and Ongoing Exploitation

Fortinet’s FortiGate and FortiOS platforms dominate our SMB and mid-market business space in Australia. They are powerful and fully featured, but complexity comes at a cost.

Recent Fortinet issues include:

  • Authentication bypass vulnerabilities
  • FortiCloud SSO flaws enabling unauthenticated access
  • Cases where patched devices were still compromised due to bypass techniques
  • Vulnerabilities added to CISA’s Known Exploited Vulnerabilities (KEV) catalogue

Security researchers and administrators have reported real-world compromises of fully patched FortiGate firewalls, highlighting how attackers adapt faster than patch cycles.

The ASD’s ACSC has issued multiple critical alerts covering Fortinet products, explicitly targeting SMBs and managed service providers.

The SMB Firewall Patching Gap: Why It Keeps Happening

Despite clear advisories, exploitation continues. The reasons are rarely negligence—they’re structural.

1. Patching a firewall is not “just an update”

Firewall upgrades can and will:

  • Interrupt access to the Internet
  • Interrupt VPN access for remote and work-from-home users
  • Break legacy integrations with other devices and software
  • Require firmware compatibility checks and even on-bench testing
  • Demand rollback plans, redesign and re-execution

For SMBs with limited IT staff, this is often postponed “until next month.”

2. Exposure is not always obvious

Many hardware device vulnerabilities:

  • Only apply if a feature was ever enabled
  • Persist after configuration changes
  • Are triggered by edge-case conditions

This leads to false confidence: “We don’t use that feature anymore.”

3. Attackers weaponise faster than SMBs can respond

Once a vulnerability is disclosed:

  • Exploitation often follows within days
  • Mass internet scanning for the affected devices begins immediately
  • Opportunistic attacks target unpatched SMBs at scale

AusCI and the Australian security agencies have repeatedly highlighted this compressed window.

What a Realistic SMB Firewall Strategy Looks Like

Perfect security is not realistic – but resilient security is achievable.

At AusCI, we see effective SMBs focus on:

Patch prioritisation, not patch perfection

Critical, internet‑facing vulnerabilities should be treated as emergency changes, not routine maintenance.
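The asset-register question raised at the top of this article and the patch-prioritisation rule above come together in one routine: join what you own to what the advisories say, then rank the work. The following is an added example, not code from the article or from AusCI. The asset register, the advisory entries, the firmware versions and the CVE ids are all constructed placeholders. The advisory records reuse the field names of the CISA KEV JSON feed (cveID, vendorProject, product, dueDate); the extra fixed_in field is an assumption added so firmware versions can be compared, since KEV itself carries no version data.

```python
"""Link a firewall asset register to an advisory feed and rank the patch work.

Added example; every record below is constructed sample data.
"""
import csv
import io

# Constructed asset register. In practice this is exported from your CMDB
# or, for many SMBs, the spreadsheet the MSP keeps.
ASSET_REGISTER_CSV = """\
asset_id,site,vendor,product,firmware,internet_facing,owner
fw-01,Sydney HQ,WatchGuard,Firebox,12.10.0,yes,it-ops
fw-02,Melbourne branch,Fortinet,FortiOS,7.2.4,yes,msp
fw-03,Lab,Fortinet,FortiOS,7.2.4,no,it-ops
fw-04,Brisbane branch,Fortinet,FortiOS,7.4.3,yes,msp
sw-01,Sydney HQ,ExampleVendor,CoreSwitch,1.0.0,no,it-ops
"""

# Constructed advisory feed using KEV-style field names. CVE ids and
# versions are placeholders; `fixed_in` is an assumed extra field.
ADVISORIES = [
    {"cveID": "CVE-0000-0001", "vendorProject": "WatchGuard", "product": "Firebox",
     "fixed_in": "12.11.0", "dueDate": "2025-01-15"},
    {"cveID": "CVE-0000-0002", "vendorProject": "Fortinet", "product": "FortiOS",
     "fixed_in": "7.4.0", "dueDate": "2025-01-10"},
]


def parse_version(version):
    """'12.10.0' -> (12, 10, 0) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in version.split("."))


def load_assets(csv_text):
    """Read the register and normalise the internet_facing flag to a bool."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    for row in rows:
        row["internet_facing"] = row["internet_facing"].strip().lower() == "yes"
    return rows


def priority(asset):
    """The article's rule: exposed edge devices are emergency changes."""
    return "emergency" if asset["internet_facing"] else "high"


def match_advisories(assets, advisories):
    """Return one finding per (asset, advisory) pair where the firmware is below fixed_in."""
    findings = []
    for asset in assets:
        for adv in advisories:
            same_product = (asset["vendor"] == adv["vendorProject"]
                            and asset["product"] == adv["product"])
            if not same_product:
                continue
            if parse_version(asset["firmware"]) < parse_version(adv["fixed_in"]):
                findings.append({
                    "asset_id": asset["asset_id"],
                    "cveID": adv["cveID"],
                    "priority": priority(asset),
                    "owner": asset["owner"],
                    "dueDate": adv["dueDate"],
                })
    # Emergencies first, then by the advisory's due date.
    order = {"emergency": 0, "high": 1}
    findings.sort(key=lambda f: (order[f["priority"]], f["dueDate"]))
    return findings


def unmatched_assets(assets, advisories):
    """Assets whose vendor/product never appears in the feed.

    These are coverage gaps to investigate (wrong vendor spelling, product
    not tracked by the feed), not evidence the device is safe.
    """
    covered = {(a["vendorProject"], a["product"]) for a in advisories}
    return [a["asset_id"] for a in assets
            if (a["vendor"], a["product"]) not in covered]


if __name__ == "__main__":
    assets = load_assets(ASSET_REGISTER_CSV)
    for f in match_advisories(assets, ADVISORIES):
        print(f"{f['priority']:>9}  {f['asset_id']}  {f['cveID']}  owner={f['owner']}  due={f['dueDate']}")
    print("not covered by feed:", unmatched_assets(assets, ADVISORIES))
```

The ranking deliberately puts every internet-facing match at the same emergency level regardless of CVSS score: for an edge device, exposure is the deciding factor. The unmatched list matters as much as the findings, because an asset the feed cannot see is exactly the device that gets exploited before anyone realises they own it.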

Configuration audits after patching

Confirming that:

  • All vulnerable features are disabled or replaced
  • Legacy VPN protocols and user accounts are removed
  • Management interfaces are heavily restricted
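A post-patch configuration audit is easiest to keep honest when it is a script rather than a checklist someone eyeballs. The following is an added example, not code from the article, from AusCI or from Fortinet. It parses a configuration written in FortiOS CLI style (config / edit / set / next / end blocks) and applies three of the checks listed above: management protocols reachable from a WAN-role interface, admin accounts that are not in an expected baseline or have no trusted-host restriction, and IPsec phase 1 proposals using legacy algorithms. The sample config, the expected-admin baseline and the algorithm lists are constructed for illustration; a real config is far larger and these rules are a starting point, not a complete audit.

```python
"""Post-patch configuration audit over a FortiOS-style firewall config.

Added example; the config text and baselines below are constructed.
"""
import shlex

# Constructed sample in FortiOS CLI style; not a real appliance export.
SAMPLE_CONFIG = """\
config system interface
    edit "wan1"
        set role wan
        set allowaccess ping https ssh
    next
    edit "internal"
        set role lan
        set allowaccess ping https ssh
    next
end
config system admin
    edit "admin"
        set trusthost1 10.10.0.0 255.255.255.0
    next
    edit "svc_backup"
    next
end
config vpn ipsec phase1-interface
    edit "legacy-site"
        set proposal des-md5
    next
    edit "branch"
        set proposal aes256-sha256
    next
end
"""

# Baseline of admin accounts the organisation expects to exist (constructed).
EXPECTED_ADMINS = {"admin"}
MGMT_PROTOCOLS = {"http", "https", "ssh", "telnet", "snmp"}
WEAK_ALGORITHMS = {"des", "3des", "md5", "sha1"}


def parse_config(text):
    """Parse config/edit/set/next/end blocks into nested dicts.

    Each `config` or `edit` opens a dict; `set key v1 v2` stores the value
    list under key; `next` and `end` close the current block.
    """
    root = {}
    stack = [root]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = shlex.split(line)
        if parts[0] == "config":
            stack.append(stack[-1].setdefault(" ".join(parts[1:]), {}))
        elif parts[0] == "edit":
            stack.append(stack[-1].setdefault(parts[1], {}))
        elif parts[0] == "set":
            stack[-1][parts[1]] = parts[2:]
        elif parts[0] in ("next", "end"):
            stack.pop()
    return root


def audit(config):
    """Return a list of (severity, finding) tuples; an empty list means every check passed."""
    findings = []
    # 1. Management protocols reachable on a WAN-role interface.
    for name, iface in config.get("system interface", {}).items():
        if iface.get("role") == ["wan"]:
            exposed = MGMT_PROTOCOLS & set(iface.get("allowaccess", []))
            if exposed:
                findings.append(("high", f"interface {name}: management protocols "
                                         f"{sorted(exposed)} reachable from WAN"))
    # 2. Admin accounts: not in baseline, or no trusted-host restriction.
    for name, admin in config.get("system admin", {}).items():
        if name not in EXPECTED_ADMINS:
            findings.append(("high", f"admin {name}: not in expected-admin baseline"))
        if not any(key.startswith("trusthost") for key in admin):
            findings.append(("medium", f"admin {name}: no trusted-host restriction"))
    # 3. Legacy algorithms in IPsec phase 1 proposals.
    for name, phase1 in config.get("vpn ipsec phase1-interface", {}).items():
        for proposal in phase1.get("proposal", []):
            weak = WEAK_ALGORITHMS & set(proposal.split("-"))
            if weak:
                findings.append(("medium", f"ipsec {name}: legacy algorithms "
                                           f"{sorted(weak)} in proposal {proposal}"))
    return findings


if __name__ == "__main__":
    for severity, finding in audit(parse_config(SAMPLE_CONFIG)):
        print(f"[{severity}] {finding}")
```

Run it against the config export taken after the upgrade, and again against the export taken before, so the diff shows what the patch changed and what it left behind. The baseline comparison of admin accounts is the same check that supports the assume-breach step: an account nobody on the team recognises is worth investigating before it is deleted.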

Monitoring for post-exploitation indicators

Especially after delayed patching, organisations should assume breach and verify.

Governance and accountability

Clear management ownership of:

  • Security advisories and documentation
  • Patch decisions, access and approvals
  • Risk acceptance and mitigation

This aligns strongly with Essential Eight maturity expectations, particularly around vulnerability management and administrative controls.

The Bottom Line for Australian SMBs

WatchGuard and Fortinet are in no way “bad” products; every device in the world needs patches, and regularly. These devices are high-value targets because they protect high-value networks.

The real issue is this:
SMB firewall security fails when patching reality does not match threat reality.

Australian SMBs should assume:

  • Firewall vulnerabilities will continue to appear and will be exploited wherever they can be
  • Exploitation will be fast, so patching must be faster
  • Delays in patching increase risk exponentially

The organisations that fare best are not those with the newest hardware – but those with disciplined patching, clear governance and realistic risk management.

How Australian Cyber Security Institution Helps

The Australian Cyber Security Institution (AusCI) assists SMBs with:

  • Firewall vulnerability assessments
  • Patch management for firewalls and all other devices and software
  • Patch readiness, patch testing and risk review management
  • Post-incident firewall validation
  • Essential Eight aligned security uplift

Security is not about eliminating risk—it’s about staying ahead of it.
