Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Vulnerabilities

Fortinet Confirms New Zero-Day Exploitation 

Fortinet patches critical vulnerabilities, including a zero-day that has been exploited in the wild since at least November 2024. 

Fortinet vulnerability exploited

Fortinet on Tuesday published over a dozen new advisories describing critical- and high-severity vulnerabilities found recently in the company’s products, including a zero-day flaw that has been exploited in the wild since at least November 2024. 

The zero-day is tracked as CVE-2024-55591 and it has been described by Fortinet as a critical vulnerability affecting FortiOS and FortiProxy that can be exploited by a remote attacker to gain super-admin privileges using specially crafted requests to the Node.js websocket module.

According to Fortinet, CVE-2024-55591 affects FortiOS 7.0.0 through 7.0.16, FortiProxy 7.2.0 through 7.2.12, and FortiProxy 7.0.0 through 7.0.19. Patches are included in FortiOS 7.0.17, FortiProxy 7.2.13 and FortiProxy 7.0.20. 

Fortinet has confirmed in-the-wild exploitation and its advisory includes indicators of compromise (IoCs) to help defenders detect attacks. 

News of a potential zero-day broke last week when cybersecurity firm Arctic Wolf warned that it had observed a campaign targeting Fortinet FortiGate firewalls that had their management interface exposed on the internet.

“The campaign involved unauthorized administrative logins on management interfaces of firewalls, creation of new accounts, SSL VPN authentication through those accounts, and various other configuration changes,” Arctic Wolf said, adding, “While the initial access vector is not definitively confirmed, a zero-day vulnerability is highly probable.”

While Fortinet’s advisory does not mention Arctic Wolf, IoCs shared by both companies indicate that CVE-2024-55591 is the zero-day seen by Arctic Wolf in attacks. Arctic Wolf notified Fortinet about the attacks in mid-December, when the latter said it had been aware and investigating the activity. 

Arctic Wolf tracked the campaign in November and December 2024, first seeing vulnerability scanning, followed by reconnaissance, establishing SSL VPN access, and lateral movement on compromised systems. 

Advertisement. Scroll to continue reading.

Arctic Wolf reported seeing opportunistic exploitation against a handful of organizations, but the attackers’ objectives remain unknown. 

Another critical vulnerability addressed by Fortinet on Tuesday is CVE-2023-37936, a hardcoded cryptographic key issue in FortiSwitch that could allow a remote, unauthenticated attacker to execute code using malicious cryptographic requests.

Thirteen advisories published on January 14 address high-severity vulnerabilities affecting products such as FortiManager, FortiAnalyzer, FortiClient, FortiOS, FortiRecorder, FortiProxy, FortiSASE, FortiVoice, FortiWeb, and FortiSwitch. 

The security holes can be exploited for account persistence after deletion, arbitrary file writing, authenticated code and command execution, brute force attacks, extracting configuration data without authentication, and causing a DoS condition.

Fortinet has not flagged any of these vulnerabilities as being exploited, but pointed out that one of them was disclosed by WatchTowr

It’s not uncommon for threat actors to target Fortinet product vulnerabilities in their attacks so it’s important that organizations do not neglect the patching or mitigation of the latest round of security holes. 

Related: Organizations Warned of Exploited Fortinet FortiOS Vulnerability

Related: Possibly Exploited Fortinet Flaw Impacts Many Systems, but No Signs of Mass Attacks

Related: Chinese Hackers Exploited Fortinet VPN Vulnerability as Zero-Day

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Discover strategies for vendor selection, integration to minimize redundancies, and maximizing ROI from your cybersecurity investments. Gain actionable insights to ensure your stack is ready for tomorrow’s challenges.

Register

Dive into critical topics such as incident response, threat intelligence, and attack surface management. Learn how to align cyber resilience plans with business objectives to reduce potential impacts and secure your organization in an ever-evolving threat landscape.

Register

People on the Move

Software giant Atlassian has named David Cross as its new CISO.

Dan Pagel has been named the new CEO of risk management and remediation firm Brinqa.

The City of Phoenix has promoted Mitch Kohlbecker to the role of Chief Information Security Officer.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.