Warning Issued for Active Zero-Day Vulnerability as Device Configurations Are Exposed
Fortinet has issued an urgent alert to users of its firewall products, advising them to apply patches for a zero-day vulnerability currently under active exploitation. This incident is compounded by the exposure of configuration data affecting an estimated 15,000 devices, prompting businesses to reassess their security postures.
The vulnerability, identified as CVE-2024-55591, is an authentication bypass flaw in multiple FortiOS and FortiProxy versions. This critical flaw allows attackers to gain super-admin privileges through specially crafted requests to the Node.js websocket module, potentially compromising the integrity of managed devices.
On the day of the vulnerability’s announcement, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added it to its catalog of known exploited vulnerabilities, citing concrete evidence of active exploitation. CISA has mandated that all federal agencies either mitigate the vulnerability or discontinue use of affected systems by January 21. FortiOS versions 7.0.0 to 7.0.16 and FortiProxy versions 7.0.0 to 7.0.19 and 7.2.0 to 7.2.12 are susceptible to this flaw, which has been rated a critical 9.6 on the CVSS scale due to its remote exploitability.
The zero-day vulnerability was first publicly identified on January 10, when security firm Arctic Wolf reported an ongoing attack campaign involving unauthorized logins to firewall management interfaces. Attackers are believed to have exploited this zero-day to move laterally through networks since December 2024. In light of these events, Rapid7 has urged immediate software updates and a thorough review of the indicators of compromise published by Fortinet.
Consequences of Configuration Data Leak
In addition to this new vulnerability, Fortinet users are advised to scrutinize their systems for signs of exploitation related to another zero-day vulnerability, CVE-2022-40684. Configuration data and passwords for over 15,000 devices have been leaked, potentially affecting a range of organizations. This information was released by an actor using the alias “Belsen Group” on BreachForums.
Security researcher Amram Englander has shared a list of leaked IP addresses to enable organizations to evaluate their exposure. Organizations identified within this dataset are advised to consider this an active incident and undertake security measures, including credential rotation and an assessment of potential compromises.
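The exposure check described above, as an added example that is not from the article, from Fortinet, or from the researcher's published list: it parses a leaked-IP list and reports which entries fall inside an organization's own address ranges. The list format, the sample entries, and the CIDR ranges are constructed assumptions, not real leaked data.

```python
"""Match a leaked-device IP list against your own public address ranges."""
import ipaddress
from typing import Iterable

# Constructed sample in a plausible "ip[:port]" shape with comment lines,
# as such a list might be distributed. These are documentation addresses,
# not real leaked entries.
SAMPLE_LEAK_LIST = """\
# country: XX
203.0.113.10:10443
203.0.113.77
# country: YY
198.51.100.5:443
not-an-ip
192.0.2.200
"""


def parse_leak_list(text: str) -> set:
    """Extract unique IP addresses; strip ports and comments, skip junk lines."""
    found = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        host = line
        if line.startswith("["):            # "[v6addr]:port"
            host = line[1:line.find("]")]
        elif line.count(":") == 1:          # "v4addr:port"
            host = line.split(":")[0]
        try:
            found.add(ipaddress.ip_address(host))
        except ValueError:
            continue  # not an address; ignore rather than guess
    return found


def exposed_addresses(leaked: set, own_ranges: Iterable[str]) -> list:
    """Return sorted leaked addresses that fall inside any of our CIDR ranges."""
    nets = [ipaddress.ip_network(r, strict=False) for r in own_ranges]
    hits = {ip for ip in leaked for n in nets if ip in n}
    return sorted(str(ip) for ip in hits)


if __name__ == "__main__":
    leaked = parse_leak_list(SAMPLE_LEAK_LIST)
    # Hypothetical: the public ranges this organization owns.
    for ip in exposed_addresses(leaked, ["203.0.113.0/24", "192.0.2.128/25"]):
        print(f"EXPOSED {ip}: treat as an active incident; rotate credentials, review config")
```

Any hit means the device's configuration and credentials should be assumed leaked, regardless of whether it has since been patched.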
The leaked information was organized by country and includes critical data such as device configurations, firewall rules, and plaintext passwords. The accuracy of this data has been corroborated by security professionals. Fortinet is currently investigating the origin of this data, which appears to be aggregated from exploits targeting CVE-2022-40684.
Broader Implications for Cybersecurity
While the configurations affected may reflect older vulnerabilities, security analysts caution that many of the devices remain online and unchanged, thus heightening risks. Ongoing exposure to outdated firewall rules could allow attackers to exploit these systems further. The incident serves as a reminder of the persistent vulnerabilities that can stem from unpatched devices and inadequate security oversight.
In summary, the current scenario demonstrates the significant cybersecurity vulnerabilities associated with Fortinet devices, with attackers leveraging zero-day exploits and configuration data leaks. Utilizing the MITRE ATT&CK Framework, tactics such as initial access and privilege escalation appear to have been paramount during these attacks, underscoring the need for vigilant cybersecurity practices.