BY CARLOS CANEDO

Operations Manager at Avertium


This month, Adobe pushed an emergency patch for CVE-2026-34621, a zero-day in Acrobat Reader that had been quietly exploited in the wild since at least November 2025. CVSS 8.6. Arbitrary code execution. Active exploitation confirmed by CISA, which added it to its Known Exploited Vulnerabilities catalog and gave federal agencies just two weeks to patch. The attack vector: a malicious PDF. The kind of file that lands in every inbox, every day.

The security community reacted swiftly. Advisories went out. Patches were published. Defenders mobilized.

And somewhere in the back of every experienced practitioner’s mind, a familiar thought: of course.

That reaction, that quiet, weary unsurprise, is worth examining. Not because it is wrong, but because it signals something deeply concerning about where enterprise security culture has arrived.

 

the "expected vulnerability" problem

If you have worked in cybersecurity for more than a few years, you have probably developed a mental list of vendors whose security advisories you follow with a kind of resigned regularity. Fortinet is near the top of that list for most practitioners.

Since 2024, Fortinet has delivered a near-continuous stream of critical disclosures:

  • CVE-2024-55591 (CVSS 9.6): authentication bypass granting unauthenticated super-admin privileges on FortiOS via the Node.js websocket module; it was already being weaponized as a zero-day at the time of disclosure.

  • CVE-2025-24472: a paired authentication bypass exploited alongside CVE-2024-55591 by a new ransomware actor (Mora_001) deploying a variant called “SuperBlack.”

  • CVE-2025-25256 (CVSS 9.8): OS command injection in FortiSIEM allowing remote unauthenticated code execution.

  • CVE-2025-59718 / CVE-2025-59719: critical authentication bypass via crafted SAML messages, yielding administrative access to FortiGate devices. Active exploitation confirmed in January 2026.

  • CVE-2026-24858: critical unauthenticated vulnerability allowing authentication bypass via Fortinet’s cloud SSO, confirmed as a zero-day in January 2026.

The list is not short, and it is not slowing down. This is not a story unique to Fortinet or Adobe. Cisco, Ivanti, Palo Alto, and others have their own recurring chapters in this narrative. The pattern is consistent enough that it has effectively become background noise, a normal operational rhythm for security teams.

That normalization is the real vulnerability.

 

what normalization actually costs

When critical vulnerabilities in foundational enterprise tools become expected, several things happen, none of them good.

Alert fatigue at the leadership level

CISOs and directors who have seen dozens of “critical” advisories begin to process them as routine operational overhead rather than strategic risk events. The emotional and cognitive weight of a CVSS 9.6 authentication bypass in your perimeter firewall should be significant. When it feels like the third one this quarter, it is not.

Patch velocity slows

Research consistently shows that organizational response time to critical patches increases as the frequency of critical advisories increases. Teams that should be mobilizing within 24–72 hours are instead triaging against competing priorities and waiting for change control approvals, while exploitation windows remain open.

Trust assumptions get dangerously stale

Many organizations deployed Fortinet, Adobe Acrobat, and similar enterprise tools because they trusted them. The implicit security posture of the organization was built on top of that trust. When those tools become habitual sources of critical exposure, the underlying trust assumptions need to be revisited, but they rarely are, because the tools are deeply embedded and the cost of replacing them is high.

The attacker timeline is moving in the opposite direction

While defenders normalize and slow down, threat actors are accelerating. CVE-2026-34621 was being actively exploited four to five months before a patch existed. CVE-2025-59718 and CVE-2025-59719 in Fortinet were being exploited in the wild before most organizations had even processed the disclosure. The window between vulnerability publication and weaponization has collapsed to hours in some cases.

These two trajectories - defenders slowing down, attackers accelerating - are moving toward each other. The intersection point is a breach.

 

the trust architecture problem

Enterprise security architecture is fundamentally built on trust, trust in the tools that are supposed to protect you. Firewalls, VPNs, endpoint protection platforms, document readers: these are not neutral components. They sit at the boundary between your environment and the outside world, between your data and the internet, between your users and the threats targeting them.

When those tools become recurring sources of critical, pre-authenticated, remotely exploitable vulnerabilities, the architecture has a structural problem that patching alone cannot solve.

A Fortinet FortiGate compromised via an authentication bypass does not just lose its protective function, it becomes a trusted internal node with visibility into your network that an attacker can now leverage. An Adobe Reader exploitation chain that has been silently active for five months means that employees opening PDFs — the most routine task in any organization — were potentially being fingerprinted and compromised without any visible indicator.

The tools designed to reduce your attack surface were expanding it.

This is not a reason to abandon these platforms. Enterprise security tooling decisions involve real constraints: budget, integration complexity, licensing, operational familiarity, and vendor relationships. But it is a reason to stop treating “we use enterprise-grade security tools” as equivalent to “we have managed our risk.”

 

what the board should be asking

For CISOs and security directors navigating conversations at the executive and board level, the normalization of vendor vulnerability cycles creates a specific communication challenge. Here are four reframes worth building into board-level conversations:

1. Shift from “are we patched?” to “what is our exposure window?”

Patching is a lagging indicator. The question that matters is how long your organization was exposed before the patch was applied, and whether there is evidence that the window was exploited. For CVE-2026-34621, the exposure window for unpatched organizations potentially extended back to November 2025.

2. Treat recurring vendor vulnerabilities as a risk concentration signal

If a single vendor’s product line is responsible for multiple critical advisories over 12–18 months, that is a meaningful concentration of architectural risk. It may not require immediate replacement, but it does require compensating controls: enhanced monitoring, reduced exposure surface, segmentation, and explicit incident response planning for that vendor’s products.

3. Distinguish between “we patched it” and “we were not compromised”

These are not the same statement. Active exploitation preceding disclosure means that patching after the fact does not close the question of whether your organization was affected during the exposure window. Forensic validation — checking for IoCs, reviewing logs for behavioral indicators associated with a given CVE — is the only way to answer that question.

4. Question the implicit trust architecture

If your perimeter security depends on a vendor that issues critical authentication bypass vulnerabilities on a recurring basis, your security posture needs compensating architecture, not just faster patching. Zero Trust principles, network segmentation, and the assumption that any tool can be compromised are not just theoretical best practices at this point. They are operational necessities.
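The first three reframes above translate directly into checks a security team can run against its own inventory. The following is an added example, not Avertium's tooling or code from the post: it computes each asset's exposure window (reframe 1), counts critical advisories per vendor over a trailing window to surface risk concentration (reframe 2), and flags assets whose unpatched period overlapped known in-the-wild exploitation, so that "we patched it" is not mistaken for "we were not compromised" (reframe 3). The CVE identifiers are the ones discussed in the post; all disclosure dates, patch dates, asset names and the "today" date are constructed placeholders, except the November 2025 bound for CVE-2026-34621 that the post states.

```python
# Added example (not Avertium's code): board-level reframes 1-3 as runnable checks.
# All dates and asset names are constructed for illustration; the only page-derived
# bound is that CVE-2026-34621 was exploited since at least November 2025.
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class Advisory:
    cve: str
    vendor: str
    product: str
    disclosed: date                   # vendor advisory / patch publication date
    exploited_since: Optional[date]   # earliest known in-the-wild exploitation, None if unknown
    critical: bool


@dataclass(frozen=True)
class Asset:
    name: str
    product: str
    patched_on: Optional[date]        # None means the patch has not been applied yet


def exposure_window(adv: Advisory, asset: Asset, today: date):
    """Reframe 1: how long was this asset exposed, not merely 'is it patched?'.
    The window opens at the earlier of public disclosure and earliest known
    exploitation, and closes at the patch date (or today if still unpatched).
    Returns (start, end, days), or None if the asset does not run the product."""
    if asset.product != adv.product:
        return None
    start = adv.disclosed
    if adv.exploited_since is not None and adv.exploited_since < start:
        start = adv.exploited_since
    end = asset.patched_on or today
    days = max(0, (end - start).days)  # patched before the window opened -> 0
    return (start, end, days)


def needs_forensic_validation(adv: Advisory, asset: Asset, today: date) -> bool:
    """Reframe 3: True when known in-the-wild exploitation overlapped the period
    in which this asset was unpatched, so logs and IoCs for it still need review."""
    if asset.product != adv.product or adv.exploited_since is None:
        return False
    end = asset.patched_on or today
    return adv.exploited_since < end


def months_before(d: date, months: int) -> date:
    """Calendar-month subtraction; day clamped to 28 so the result is always valid."""
    y, m0 = divmod(d.year * 12 + (d.month - 1) - months, 12)
    return date(y, m0 + 1, min(d.day, 28))


def vendor_concentration(advisories, as_of: date, months: int = 18) -> dict:
    """Reframe 2: critical advisories per vendor disclosed in the trailing window."""
    cutoff = months_before(as_of, months)
    counts: dict = {}
    for adv in advisories:
        if adv.critical and cutoff <= adv.disclosed <= as_of:
            counts[adv.vendor] = counts.get(adv.vendor, 0) + 1
    return counts


def concentration_flags(advisories, as_of: date, months: int = 18, threshold: int = 3):
    """Vendors at or above the threshold: candidates for compensating controls."""
    counts = vendor_concentration(advisories, as_of, months)
    return sorted(v for v, n in counts.items() if n >= threshold)


def exposure_report(advisories, assets, today):
    """One row per (advisory, affected asset): exposure days and validation flag."""
    rows = []
    for adv in advisories:
        for asset in assets:
            w = exposure_window(adv, asset, today)
            if w is not None:
                rows.append((adv.cve, asset.name, w[2], needs_forensic_validation(adv, asset, today)))
    return rows


# Constructed sample data: CVE ids from the post, dates are illustrative placeholders
# (except the November 2025 exploitation bound for CVE-2026-34621).
ADVISORIES = [
    Advisory("CVE-2026-34621", "Adobe", "Acrobat Reader", date(2026, 3, 10), date(2025, 11, 1), True),
    Advisory("CVE-2024-55591", "Fortinet", "FortiOS", date(2025, 1, 14), date(2025, 1, 14), True),
    Advisory("CVE-2025-25256", "Fortinet", "FortiSIEM", date(2025, 8, 12), None, True),
    Advisory("CVE-2025-59718", "Fortinet", "FortiGate", date(2025, 12, 16), date(2026, 1, 5), True),
    Advisory("CVE-2026-24858", "Fortinet", "FortiOS", date(2026, 1, 27), date(2026, 1, 20), True),
]
ASSETS = [
    Asset("edge-fw-01", "FortiGate", date(2025, 12, 20)),      # patched 4 days after disclosure
    Asset("edge-fw-02", "FortiGate", None),                     # still unpatched
    Asset("laptop-fleet", "Acrobat Reader", date(2026, 3, 12)),
]
TODAY = date(2026, 3, 20)

if __name__ == "__main__":
    for cve, name, days, validate in exposure_report(ADVISORIES, ASSETS, TODAY):
        print(f"{cve} {name}: exposed {days} days, forensic validation needed: {validate}")
    print("risk concentration:", concentration_flags(ADVISORIES, TODAY))
```

Note the distinction the report makes: edge-fw-01 was patched four days after disclosure but before the constructed exploitation date, so its exposure window is short and no validation is owed, whereas the laptop fleet running Acrobat Reader shows an exposure window reaching back to November 2025 regardless of how quickly the March patch was applied, which is exactly the "patched" versus "not compromised" gap the post describes.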

 

the comfort of routine is risk

The most dangerous outcome of vendor vulnerability normalization is not that organizations stop patching. Most do patch, eventually. The most dangerous outcome is that organizations stop questioning — stop asking whether the foundational tools they depend on are deserving of the trust they have been granted, whether their architecture assumes too much, whether “we are on top of it” has quietly become synonymous with “we have accepted this as the cost of doing business.”

There is a middle ground worth pursuing: a posture of structured skepticism. One that says — we will continue to use these tools, and we will patch aggressively, and we will also monitor for the indicators that patching alone cannot address, and we will build our architecture around the assumption that the tools we trust will sometimes fail us in ways we did not anticipate.

When the next Fortinet advisory drops - and it will - the right reaction is not weary acceptance, and it's not panic. It is a practiced, rigorous response grounded in the understanding that "expected" is not the same as "acceptable."

 

about avertium 

Avertium is an AI security and compliance leader, delivering comprehensive solutions to mid-market and enterprise customers. Our unique “Assess, Design, Protect” approach addresses and improves security strategy, reduces attack surface risk, strengthens compliance, and provides continuous threat protection. Avertium maximizes customer security investments and enables customers to focus on growth, innovation, and business outcomes, while assuring that their security infrastructure is resilient and adaptive to evolving threats. That’s why customers trust Avertium to deliver better security, improved compliance, and greater ROI.

Avertium CFC

The Avertium Cyber Fusion Center (CFC) helps organizations build detection and response capabilities designed for the realities of today’s threat landscape, including the assumption that trusted enterprise tools will be targeted. To learn more about how we approach managed security in multi-vendor environments, reach out to our team.
