Who leaves their FW admin interface open to exploit?
FortiGate has had options from the start to lock down the "admin IP addresses" that can access any admin protocol (i.e. SNMP, GUI, SSH), just like any FW vendor.
At a minimum, lock it to your inside addresses, although it would be better to restrict it to just the internal IPs your network admins use.
That's been SOP from the start for us using FortiGate. Still, something else can be used to springboard off to the device, but if your restricted IP range of who can even touch the box is a tiny footprint, the chance of exploit is greatly reduced.
Also, to the Reg, FortiSwitchManager is a smashup of two different products.
There is a PSIRT for FortiSwitch when they are in a security fabric with FortiGate.
And there is a separate PSIRT for FortiManager for certain versions. They generally aren't mentioned together in the same breath.
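
The admin-address lock-down described in this comment can be audited offline. The following is an added example (not part of the original comment, and not Fortinet code) that reads a FortiOS configuration backup and reports admin accounts with no `trusthost` entries or with overly wide ones. The sample config and the 256-address limit are constructed assumptions, and only IPv4 `trusthostN` lines are handled.

```python
import ipaddress
import re
# Constructed sample in FortiOS CLI backup layout (not taken from a real device).
SAMPLE_CONFIG = '''\
config system admin
    edit "admin"
        set accprofile "super_admin"
    next
    edit "netops"
        set trusthost1 10.20.30.0 255.255.255.240
        set trusthost2 10.20.31.5 255.255.255.255
    next
    edit "legacy"
        set trusthost1 10.0.0.0 255.0.0.0
        set trusthost2 0.0.0.0 0.0.0.0
    next
end
'''

def audit_admin_trusthosts(config_text, max_addrs=256):  # 256 = assumed policy limit
    """Return {admin_name: [findings]} for the 'config system admin' table."""
    findings, depth, in_admin, name, nets = {}, 0, False, None, []
    for raw in config_text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            depth += 1
            if depth == 1:
                in_admin = line == "config system admin"
        elif line == "end":
            depth -= 1
        elif not in_admin or depth != 1:
            continue  # other sections, and sub-tables nested inside an admin entry
        elif line.startswith("edit "):
            name, nets = line[5:].strip('"'), []
        elif m := re.match(r"set trusthost\d+ (\S+) (\S+)$", line):
            nets.append(ipaddress.ip_network(f"{m[1]}/{m[2]}", strict=False))
        elif line == "next" and name is not None:
            issues = [] if nets else ["no trusted hosts: login allowed from any address"]
            for n in nets:
                if n.prefixlen == 0:
                    issues.append(f"{n} matches every address")
                elif n.num_addresses > max_addrs:
                    issues.append(f"{n} covers {n.num_addresses} addresses")
            if issues:
                findings[name] = issues
            name = None
    return findings

if __name__ == "__main__": print(audit_admin_trusthosts(SAMPLE_CONFIG))
```

Every admin account needs a narrow entry for the restriction to mean anything, so an empty result for the whole table is the target state.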