Fortinet Warns of Zero-Day Exploit Targeting Firewalls with Exposed Interfaces

Cybersecurity firm Fortinet has sounded the alarm on an active zero-day vulnerability campaign targeting FortiGate firewall devices with exposed management interfaces. These attacks, attributed to unknown threat actors, have disrupted organizations globally and underscored the critical importance of securing exposed infrastructure.

Campaign Details: How the Attacks Unfolded

The malicious activity, which began in mid-November 2024, leverages an as-yet-undetermined initial access vector to compromise firewall management interfaces. Cybersecurity researchers at Arctic Wolf believe the attackers exploited a zero-day vulnerability, given the rapid spread and the firmware versions affected. Devices running firmware versions between 7.0.14 and 7.0.16 were specifically targeted.

The attackers followed a calculated, four-phase strategy:

1. Reconnaissance and Scanning – Identifying vulnerable devices using automated tools and unusual IPs.
2. Configuration Manipulation – Changing output settings to aid in gathering intelligence.
3. Privilege Escalation – Creating super admin accounts and modifying existing user accounts.
4. Exploitation and Credential Harvesting – Establishing SSL VPN tunnels and extracting credentials using the DCSync technique for lateral movement.

The use of the jsconsole interface by attackers and VPN tunnels from virtual private server (VPS) hosting providers were consistent indicators of compromise.

Fortinet Confirms Critical Vulnerability

On January 14, 2025, Fortinet disclosed details of CVE-2024-55591, a critical authentication bypass vulnerability affecting FortiOS and FortiProxy. With a CVSS score of 9.6, this flaw enables attackers to gain super-admin privileges by exploiting the Node.js WebSocket module.

Impacted Versions

• FortiOS: 7.0.0 to 7.0.16 (patched in 7.0.17 and above)
• FortiProxy: 7.0.0 to 7.0.19 and 7.2.0 to 7.2.12 (patched in 7.0.20 and 7.2.13, respectively)

Fortinet advised customers to apply updates immediately and monitor for suspicious activity. Organizations are urged to limit management interface exposure and restrict access to trusted users only.

CISA Action: A Push for Mitigation

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2024-55591 to its Known Exploited Vulnerabilities (KEV) catalog. Federal agencies must address this vulnerability by January 21, 2025.

Mitigation Recommendations

Organizations using Fortinet products should take the following steps to mitigate the risks:

1. Update Firmware – Apply the latest patches for FortiOS and FortiProxy as specified in Fortinet’s advisory.
2. Restrict Management Interface Access – Block public access to management interfaces and use VPNs for remote administration.
3. Monitor Logs – Look for unusual logins or configuration changes indicative of compromise.
4. Enable MFA – Enforce multi-factor authentication for all administrative accounts.

Opportunistic Targeting Highlights Need for Vigilance

The campaign's scope and lack of specific victim profiles suggest opportunistic targeting rather than deliberate selection. Automated login/logout activity and diverse victimology reinforce the need for robust security measures across organizations of all sizes and sectors.

As zero-day attacks become increasingly sophisticated, ensuring timely patching, limiting exposure, and maintaining network vigilance remain critical for defense against evolving threats.