Fortinet Firewall Bug Exploited: Company Networks at Risk

Fortinet Firewalls Under Attack: Critical Vulnerability Exploited
Security researchers have identified active exploitation of a recently discovered flaw within Fortinet firewalls. This vulnerability is being leveraged by malicious actors to gain unauthorized access to corporate and enterprise networks.
Vulnerability Details: CVE-2024-55591
Fortinet officially acknowledged the critical vulnerability, designated as CVE-2024-55591, in a security advisory released on Tuesday. The company confirmed that this flaw is currently “being exploited in the wild.”
While Fortinet has issued patches, experts caution that exploitation has been occurring since December. This makes it a zero-day vulnerability: it was actively exploited before a fix was available.
Broader Trend of Enterprise Security Exploitation
This incident highlights a concerning pattern: attackers are increasingly targeting vulnerabilities in widely-used enterprise security products. The news regarding the Fortinet bug emerges shortly after reports of a separate zero-day flaw being exploited in Ivanti VPN servers, granting attackers network access.
Arctic Wolf Observes Mass Exploitation
Arctic Wolf, a cybersecurity firm, reported observing a widespread exploitation campaign targeting Fortinet FortiGate firewall devices whose management interfaces were publicly accessible on the internet.
Stefan Hostetler, Lead Threat Intelligence Researcher at Arctic Wolf, verified to TechCrunch that the observed exploitation is directly linked to the confirmed CVE-2024-55591 vulnerability.
Scope of the Intrusions
Hostetler indicated that Arctic Wolf detected intrusions affecting “tens” of Fortinet devices. However, he emphasized that this represents only a small fraction of the total number of potentially compromised systems.
The evidence suggests a coordinated effort to exploit a significant number of devices within a concentrated timeframe.
Fortinet's Response and Impact
Fortinet spokesperson Tiffany Curci declined to disclose the number of affected customers when contacted by TechCrunch. However, she stated that the company is “proactively communicating with customers.”
Potential Ransomware Connection
The identity of the attackers remains unclear. Cybersecurity researcher Kevin Beaumont suggests on Mastodon that a ransomware operator is actively exploiting the vulnerability.
Hostetler acknowledged the possibility of ransomware attacks leveraging the flaw. He noted that previous research by Arctic Wolf identified affiliates of ransomware groups like Akira and Fog utilizing similar network providers for VPN connections.
CISA Urges Immediate Updates
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued a statement on Tuesday, urging all Fortinet customers to update any vulnerable devices without delay.
Previous Fortinet Security Incident
In September, Fortinet disclosed a data breach resulting from an attacker gaining access to a limited number of files stored on a third-party cloud drive.
