Security researchers say malicious hackers are exploiting a recently discovered vulnerability in Fortinet’s firewalls to infiltrate enterprise and corporate networks.
In an advisory issued on Tuesday, security product maker Fortinet confirmed that a critical-rated vulnerability in its FortiGate firewalls, tracked as CVE-2024-55591, is “exploitable in the wild.”
Fortinet made patches available, but security researchers have warned that hackers have been mass exploiting the vulnerability as a zero-day — that is, before Fortinet became aware of the vulnerability and made fixes available — since December.
This is the latest example of hackers exploiting a vulnerability in a popular enterprise security product designed to protect corporate networks from intruders. News of the Fortinet bug comes days after it was revealed that attackers were exploiting a separate zero-day flaw in Ivanti VPN servers that allowed access to customers’ networks.
Cybersecurity firm Arctic Wolf said in a blog post last week that its researchers had noticed a recent “mass exploit” campaign affecting Fortinet FortiGate firewall devices with management interfaces exposed to the public internet.
Stefan Hostetler, chief threat intelligence researcher at Arctic Wolf, confirmed to TechCrunch that this observed exploit is linked to the recently confirmed CVE-2024-55591 vulnerability in Fortinet firewalls.
Hostetler told TechCrunch that Arctic Wolf had “observed a cluster of attacks affecting Fortinet devices in the dozens,” but notes that this represents only a “limited sample compared to the total actual number of devices likely affected.”
“The evidence shows an attempt to exploit a large number of devices within a narrow time frame,” added Hostetler.
When reached by TechCrunch, Fortinet spokeswoman Tiffany Curci declined to say how many Fortinet customers were compromised as a result of this hacking campaign, but said the company was “proactively communicating with customers.”
It’s also unclear who is behind the attacks on Fortinet’s firewalls, but cybersecurity researcher Kevin Beaumont writes on Mastodon that the vulnerability is “being exploited by a ransomware operator.”
Hostetler said ransomware attacks exploiting the bug are “not off the table,” noting that in previous research, Arctic Wolf “observed affiliate ransomware groups like Akira and Fog using some of the same network providers to establish VPN connectivity.”
In a short statement on Tuesday, U.S. cybersecurity agency CISA urged Fortinet customers to update any affected devices.
In September, Fortinet disclosed a breach involving customer data after an attacker accessed a “limited number of files” stored on a third-party cloud drive owned by the organization.