A new cyber campaign has been discovered, targeting Fortinet FortiGate firewall devices with exposed management interfaces. The attackers are believed to have exploited a potential zero-day vulnerability to gain unauthorized access to these devices.
Key points about the campaign:
Exploitation of Exposed Interfaces:
- The attackers focused on firewalls with publicly exposed management interfaces, performing unauthorized administrative logins.
- They modified configurations, created new user accounts, and used SSL VPN authentication to access the devices.
Unknown Initial Access Vector:
- The exact method of initial access is currently unclear, but experts believe it was driven by a zero-day vulnerability due to the rapid timeline and affected firmware versions.
- The affected devices were running firmware versions between 7.0.14 and 7.0.16, released in February and October 2024.
Attack Progression:
- The campaign began in mid-November 2024 and unfolded in four distinct phases:
  - Reconnaissance and Scanning: Attackers conducted vulnerability scanning and reconnaissance.
  - Configuration Changes: Attackers made changes to the firewall configuration, including creating super admin accounts in December.
  - Creation of New Accounts: Several new user accounts were created, some added to VPN access groups.
  - Lateral Movement: Attackers used the SSL VPN access to extract credentials using the DCSync technique, enabling further attacks within networks.
Unusual Behavior Noted:
- The attackers made use of the jsconsole interface, which is not typically seen in legitimate firewall activities. The IP addresses used in these attacks were traced to specific VPS hosting providers.
- The activity showed inconsistencies in tactics, leading experts to suggest that multiple actors or groups may have been involved.
Targeting and Victimology:
- Victim organizations spanned various sectors and sizes, with no clear targeting pattern, suggesting an opportunistic attack.
- Automated login and logout events further indicate the attacks were not targeted at specific organizations but instead exploited vulnerabilities in exposed devices.
Security Recommendations:
- To protect against such attacks, organizations are advised to avoid exposing their firewall management interfaces to the public internet.
- Access should be restricted to trusted users and networks only to minimize the risk of unauthorized intrusion.
- Contact sds@cmctelecom.vn if you need support.
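As an added example (not part of the original advisory, and not Fortinet's or CMC Telecom's code), the checks below run over a handful of constructed FortiGate-style key=value event lines and flag the behaviours described above: successful admin logins from addresses outside an assumed trusted-management allowlist, use of the jsconsole interface, configuration changes under system.admin (new or elevated administrator accounts), and bursts of very short login/logout sessions that point to automation. The field names used (logdesc, ui, srcip, cfgpath, cfgobj, cfgattr), the sample addresses and the 10.0.0.0/8 allowlist are assumptions made for the example; the detection logic is the point.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

# Constructed FortiGate-style event lines for the example; not real telemetry.
SAMPLE_LOGS = [
    'date=2024-12-02 time=03:14:05 logdesc="Admin login successful" user="admin" ui="https(203.0.113.7)" srcip=203.0.113.7 action="login" status="success"',
    'date=2024-12-02 time=03:14:09 logdesc="Admin logout" user="admin" ui="https(203.0.113.7)" srcip=203.0.113.7 action="logout" status="success"',
    'date=2024-12-02 time=03:14:12 logdesc="Admin login successful" user="admin" ui="https(203.0.113.7)" srcip=203.0.113.7 action="login" status="success"',
    'date=2024-12-02 time=03:14:15 logdesc="Admin logout" user="admin" ui="https(203.0.113.7)" srcip=203.0.113.7 action="logout" status="success"',
    'date=2024-12-03 time=11:02:40 logdesc="Object attribute configured" user="admin" ui="jsconsole" srcip=203.0.113.7 action="Edit" cfgpath="system.admin" cfgobj="svc_backup" cfgattr="accprofile[super_admin]"',
    'date=2024-12-03 time=11:05:01 logdesc="Admin login successful" user="netops" ui="https(10.0.0.5)" srcip=10.0.0.5 action="login" status="success"',
]

# Assumed allowlist of networks from which administration is expected.
TRUSTED_MGMT_NETS = ["10.0.0.0/8"]

KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_event(line):
    """Split a key=value log line (quoted or bare values) into a dict."""
    return {key: (quoted or bare) for key, quoted, bare in KV_RE.findall(line)}


def event_time(ev):
    return datetime.strptime(f"{ev['date']} {ev['time']}", "%Y-%m-%d %H:%M:%S")


def is_trusted(ip, nets):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in nets)


def analyze(lines, trusted_nets=TRUSTED_MGMT_NETS, short_session=30, burst_window=120):
    """Return (rule, line_number, detail) tuples for suspicious admin activity.

    short_session: a login/logout pair shorter than this many seconds counts as
    a short session; two or more short sessions from the same user/IP within
    burst_window seconds are reported as automated churn.
    """
    nets = [ipaddress.ip_network(n) for n in trusted_nets]
    findings = []
    open_logins = {}              # (user, srcip) -> login timestamp
    sessions = defaultdict(list)  # (user, srcip) -> [(login_ts, logout_ts), ...]

    for n, line in enumerate(lines, 1):
        ev = parse_event(line)
        ts = event_time(ev)
        key = (ev.get("user"), ev.get("srcip"))

        # jsconsole is not part of normal administrative workflows.
        if ev.get("ui") == "jsconsole":
            findings.append(("jsconsole_use", n, f"{key[0]} from {key[1]}"))

        # Any change to administrator objects deserves review.
        if ev.get("cfgpath", "").startswith("system.admin"):
            findings.append(("admin_account_change", n, f"{ev.get('cfgobj')} {ev.get('cfgattr')}"))

        if ev.get("action") == "login" and ev.get("status") == "success":
            if not is_trusted(ev["srcip"], nets):
                findings.append(("untrusted_admin_login", n, ev["srcip"]))
            open_logins[key] = ts
        elif ev.get("action") == "logout" and key in open_logins:
            sessions[key].append((open_logins.pop(key), ts))

    # Repeated very short sessions in quick succession look scripted.
    for key, pairs in sessions.items():
        short = [start for start, end in pairs if (end - start).total_seconds() <= short_session]
        if len(short) >= 2 and (short[-1] - short[0]).total_seconds() <= burst_window:
            findings.append(("automated_session_churn", None,
                             f"{key[0]} from {key[1]}: {len(short)} short sessions"))
    return findings


if __name__ == "__main__":
    for rule, line_no, detail in analyze(SAMPLE_LOGS):
        print(f"{rule:25} line={line_no} {detail}")
```

The allowlist check is the log-side counterpart of the recommendation to restrict management access: if the management interface is only reachable from trusted networks, an admin login from anywhere else should never appear, so its presence is a high-confidence signal rather than a heuristic.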

