Fortinet confirms exploitation of ‘critical’ vulnerability in FortiOS, FortiProxy

Patches are available for affected versions

Fortinet has confirmed that a critical-severity vulnerability affecting FortiOS and FortiProxy has seen exploitation in attacks, following a warning about the flaw from researchers at cybersecurity vendor Arctic Wolf.

In a post on Friday, the Arctic Wolf researchers had pointed to a high likelihood of upcoming widespread exploitation for the authentication bypass vulnerability, which affects FortiGate firewalls.

“Arctic Wolf Labs assesses with high confidence that mass exploitation of a zero-day vulnerability is likely given the compressed timeline across affected organisations as well as firmware versions affected,” the researchers wrote in the post.

While Arctic Wolf did not disclose the identifier for the vulnerability, the researchers did share IP addresses associated with the threat actor that match those disclosed by Fortinet in its advisory on Tuesday.

"Please note that reports show this is being exploited in the wild,” Fortinet said in the advisory.

The vulnerability (tracked at CVE-2024-55591) affects versions 7.0.0 to 7.0.16 of FortiOS. The flaw also impacts FortiProxy versions 7.0.0 to 7.0.19 as well as versions 7.2.0 to 7.2.12. Patches are available for the affected versions.

The Arctic Wolf researchers said they “began observing a campaign involving suspicious activity on Fortinet FortiGate firewall devices” in early December.

In a statement provided to CRN on Tuesday, Fortinet said it has been “proactively communicating with customers to provide guidance” regarding the vulnerability, including with “solutions and workarounds to help them mitigate their risk.”

“There are instances where confidential advance customer communications can include early guidance regarding an advisory to enable customers to further strengthen their security posture in advance of a scheduled public advisory,” the company said.

Fortinet recommends that customers “follow the guidance outlined in the advisory, exercise timely patching practices and continue monitoring their networks for unusual activity to help mitigate cyber risk,” according to its statement.

The vulnerability “may allow a remote attacker to gain super-admin privileges via crafted requests to Node.js websocket module,” the company said in its advisory.

The flaw has been awarded a “critical” severity score of 9.6 out of 10.0

In recent years, threat actors have had a major focus on targeting network security devices such as firewalls and VPNs for exploitation, whose position as the front door to the IT environment makes them a prized target.

Such devices are appealing targets because they must be connected to the internet, Elisa Costante, Forescout’s vice president of research told CRN. And for a hacker, “once I am within a firewall or within a router, or within a VPN system, I’m in a very good place to start [an attack],” Costante added.

This article first appeared on Computing’s sister site CRN