Hackers are exploiting a new Fortinet firewall bug to breach corporate networks

Security researchers say malicious hackers exploited a recently discovered vulnerability in Fortinet firewalls to penetrate corporate networks.

In an advisory published Tuesday, security products maker Fortinet confirmed that a critical vulnerability in its FortiGate firewalls, tracked as CVE-2024-55591, is being “exploited in the wild.”

Fortinet has made patches available, but security researchers warn that hackers have been exploiting the vulnerability en masse as a zero-day — that is, before Fortinet was aware of the vulnerability and had made fixes available — since December.

This is the latest example of hackers exploiting a vulnerability in a popular enterprise security product designed to protect corporate networks from intruders. News of the Fortinet bug comes days after it was revealed that attackers are exploiting a separate zero-day flaw in Ivanti VPN servers that allows access to customer networks.

Cybersecurity firm Arctic Wolf said in a blog post last week that its researchers observed a recent “mass exploitation” campaign that targeted Fortinet FortiGate firewall devices with management interfaces exposed to the public internet.
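The exposure condition Arctic Wolf describes, a management interface reachable from the public internet, is something a defender can audit from a FortiGate configuration backup rather than discover after the fact. The script below is an added example, not code from the article, Fortinet or Arctic Wolf. It assumes the FortiOS CLI backup layout (`config system interface` entries carrying `set allowaccess ...` and `set role wan|lan|...`, and `config system admin` entries carrying `set trusthostN <ip> <mask>`), and the configuration it parses is a constructed sample, not a real device's.

```python
"""Audit a FortiOS configuration backup for management exposure.

Added example (not from the article, Fortinet or Arctic Wolf). Assumes the
FortiOS CLI backup format; SAMPLE_CONFIG below is constructed for illustration.
"""
import re

# Protocols in `set allowaccess` that open an administrative surface.
MGMT_PROTOCOLS = {"https", "http", "ssh", "telnet", "fgfm", "snmp"}

# Constructed sample backup: wan1 allows HTTPS/SSH admin access from the
# internet-facing side, and the "helpdesk" admin has no trusted-host limit.
SAMPLE_CONFIG = """\
config system interface
    edit "wan1"
        set vdom "root"
        set ip 203.0.113.10 255.255.255.248
        set allowaccess ping https ssh
        set role wan
    next
    edit "wan2"
        set vdom "root"
        set ip 198.51.100.20 255.255.255.0
        set allowaccess ping
        set role wan
    next
    edit "internal"
        set vdom "root"
        set ip 192.168.1.99 255.255.255.0
        set allowaccess ping https ssh http fgfm
        set role lan
    next
end
config system global
    set admin-sport 443
end
config system admin
    edit "admin"
        set accprofile "super_admin"
        set vdom "root"
        set trusthost1 192.168.1.0 255.255.255.0
    next
    edit "helpdesk"
        set accprofile "prof_admin"
        set vdom "root"
    next
end
"""


def parse_blocks(config_text):
    """Parse top-level `config ... end` blocks into
    {block_name: {edit_name: {setting: [values]}}}.

    Only `set` lines directly inside a top-level `edit`/`next` entry are
    recorded; nested `config` sub-blocks are skipped via depth tracking.
    """
    blocks = {}
    stack = []      # names of currently open `config` blocks
    entry = None    # settings dict of the open top-level `edit` entry
    for raw in config_text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            stack.append(line[len("config "):])
            if len(stack) == 1:
                blocks.setdefault(stack[0], {})
        elif line == "end":
            if stack:
                stack.pop()
        elif len(stack) == 1:
            m = re.match(r'edit "?([^"]+?)"?$', line)
            if m:
                entry = blocks[stack[0]].setdefault(m.group(1), {})
            elif line == "next":
                entry = None
            elif line.startswith("set ") and entry is not None:
                parts = line.split()
                entry[parts[1]] = [p.strip('"') for p in parts[2:]]
    return blocks


def find_exposed_management(config_text):
    """Return sorted (interface, [protocols]) for WAN-role interfaces whose
    allowaccess list includes a management protocol."""
    blocks = parse_blocks(config_text)
    findings = []
    for name, settings in blocks.get("system interface", {}).items():
        exposed = set(settings.get("allowaccess", [])) & MGMT_PROTOCOLS
        if settings.get("role", ["undefined"])[0] == "wan" and exposed:
            findings.append((name, sorted(exposed)))
    return sorted(findings)


def find_admins_without_trusthost(config_text):
    """Return admin account names with no `trusthostN` restriction, i.e.
    accounts reachable from any source address the interface admits."""
    blocks = parse_blocks(config_text)
    return sorted(
        name for name, settings in blocks.get("system admin", {}).items()
        if not any(key.startswith("trusthost") for key in settings)
    )


if __name__ == "__main__":
    for iface, protos in find_exposed_management(SAMPLE_CONFIG):
        print(f"WAN interface {iface} allows management access: {', '.join(protos)}")
    for admin in find_admins_without_trusthost(SAMPLE_CONFIG):
        print(f"admin account {admin} has no trusthost restriction")
```

Run it against a real backup by replacing `SAMPLE_CONFIG` with the file contents; a clean result is an empty list from both functions. The two checks are deliberately separate: removing `https`/`ssh` from a WAN interface's `allowaccess` closes the exposure the article describes, while `trusthost` entries limit which source addresses can even attempt a login on whatever interfaces remain open.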

Stefan Hostetler, lead threat intelligence researcher at Arctic Wolf, confirmed to TechCrunch that this observed exploitation is linked to the recently confirmed CVE-2024-55591 vulnerability in Fortinet firewalls.

Hostetler told TechCrunch that Arctic Wolf has “observed a cluster of dozens of intrusions affecting Fortinet devices,” but notes that this represents only a “limited sample compared to the actual total number of devices that were likely affected.”

“The evidence points to an effort to exploit a large number of devices in a narrow time frame,” Hostetler added.

When contacted by TechCrunch, Fortinet spokeswoman Tiffany Curci declined to say how many Fortinet customers were compromised as a result of this hacking campaign, but said the company was “proactively communicating with customers.”

It’s also unclear who is behind the attacks on Fortinet firewalls, but cybersecurity researcher Kevin Beaumont writes on Mastodon that the vulnerability is “exploited by a ransomware operator.”

Hostetler said that ransomware attacks exploiting the bug are “not out of the question,” noting that in previous research, Arctic Wolf “observed affiliates of ransomware groups like Akira and Fog using some of the same network providers to establish VPN connectivity.”

In a brief statement on Tuesday, the US cybersecurity agency CISA urged Fortinet customers to update all affected devices.

In September, Fortinet disclosed a breach involving customer data after an attacker accessed “a small number of files” stored on a third-party shared cloud drive belonging to the organization.
