Fortinet's product documentation describes FortiGate as "the most deployed network firewall in the world"; the credential dump circulating this week under the name FortiBleed contains admin-level credentials for 73,000 of those firewalls' management consoles. That is the perimeter. Credential extraction at this scale traces to one of three prior Fortinet CVEs: CVE-2022-40684 (authentication bypass, CVSS 9.8), CVE-2023-27997 (heap overflow, CVSS 9.8), or CVE-2024-21762 (out-of-bounds write, CVSS 9.6), all of which Fortinet patched, and all of which saw active exploitation in APAC financial-sector infrastructure before the patches landed. The question for institutions running FortiGate under MAS TRM 2021 is not whether the device has been patched; it is whether credential rotation followed the patch, because patching an authentication bypass does not invalidate credentials extracted during the exploitation window before the patch.
The same week, Microsoft disclosed an unpatched zero-day in Microsoft Defender, the binary most widely deployed as a detection layer across Windows infrastructure in APAC financial institutions. No patch is available. The attack chain requires no elevated privileges on initial access, which means a phishing payload delivered to a mailbox Defender is supposed to filter is sufficient to trigger the condition. The two vulnerabilities share no supply-chain origin. They describe the same institutional week: the perimeter control and the detection control both have active unpatched holes, both running on vendor patch timelines uncorrelated with the exploitation cadence their customers face. For institutions that saw CVE-2024-21762 active exploitation in the January-to-March 2024 window and have not since rotated management-plane credentials, the exposure has been running for over two years.