Physical Address
304 North Cardinal St.
Dorchester Center, MA 02124
Security researchers say malicious hackers have exploited a recently discovered vulnerability in Fortinet firewalls to penetrate corporate and enterprise networks.
In a notice issued Tuesday, security products manufacturer Fortinet confirmed that a critical vulnerability in its FortiGate firewalls, tracked as CVE-2024-55591, is “exploitable in nature”.
Fortinet has made patches available, but security researchers have warned that hackers have been mass exploiting the vulnerability as a zero-day — that is, before Fortinet was aware of the vulnerability and made fixes available — since December.
This is the latest example of hackers exploiting a vulnerability in a popular enterprise security product designed to protect corporate networks from intruders. The news of the Fortinet bug comes days after it was revealed that attackers are exploiting a separate zero-day flaw in Ivanti VPN servers which allows access to customer networks.
The cyber security company Arctic Wolf said in a blog post last week that its researchers observed a recent “mass exploitation” campaign affecting Fortinet FortiGate firewall devices with management interfaces exposed to the public internet.
Stefan Hostetler, principal threat intelligence researcher at Arctic Wolf, confirmed to TechCrunch that this observed exploit is related to the recently confirmed CVE-2024-55591 vulnerability in Fortinet firewalls.
Hostetler told TechCrunch that Arctic Wolf had “observed a cluster of intrusions affecting dozens of Fortinet devices,” but noted that this only represents a “limited sample compared to the actual total number of devices that were likely affected.”
“The evidence points to an effort to exploit a large number of devices in a tight time frame,” added Hostetler.
When reached by TechCrunch, Fortinet spokesperson Tiffany Curci declined to say how many Fortinet customers were compromised as a result of this hacking campaign, but said the company was “proactively communicating with customers.”
It is not yet clear who is behind the attacks on Fortinet firewalls, but cyber security researcher Kevin Beaumont wrote on Mastodon that the vulnerability is “being exploited by a ransomware operator”.
Hostetler said ransomware attacks exploiting the bug “are not off the table,” noting that in previous research, Arctic Wolf “observed affiliates of ransomware groups like Akira and Fog using some of the same network providers to establish VPN connectivity”.
In a short statement on Tuesday, US cybersecurity agency CISA urged Fortinet customers to update any affected devices.
In September, Fortinet disclosed a breach involving customer data after an attacker accessed “a limited number of files” stored on a third-party shared cloud drive belonging to the organization.