FortiGate Firewalls Face Zero-Day Vulnerability Attacks

Fortinet FortiGate firewall devices are under attack due to a zero-day vulnerability. Hackers are exploiting exposed management interfaces on public networks, gaining unauthorized access, and compromising firewall configurations. Organizations must act quickly to secure their systems and prevent further damage.

Hackers are targeting FortiGate firewall devices with publicly accessible management interfaces.

A zero-day vulnerability is being exploited to gain unauthorized administrative access, modify configurations, and extract sensitive credentials.

Devices running firmware versions 7.0.14 to 7.0.16 (released between February and October 2024) are affected.

The attack involves a multi-phase approach observed between November and December 2024, which includes:

  • Scanning for vulnerable devices.
  • Modifying configurations to test admin privileges.
  • Creating or hijacking admin accounts to configure SSL VPN access.
  • Extracting sensitive account information using domain replication.

Hackers used spoofed source IP addresses, such as 127.0.0.1 and 8.8.8.8, to hide their malicious activity.

Recommendations for Protection:

  • Disable public management interface access immediately.
  • Regularly update firmware to the latest stable version.
  • Monitor for unusual behavior such as short-lived admin logins or logins from suspicious source IP addresses.
  • Enable multifactor authentication (MFA) for admin access.
  • Conduct thorough threat hunting to detect suspicious activities.
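The following is an added example (not from the original article, Fortinet, or Arctic Wolf) of the kind of threat-hunting check the monitoring recommendation above describes, applied to the indicators the article names: admin logins whose source address is a spoofed value such as 127.0.0.1 or 8.8.8.8, admin sessions that last only seconds, new admin accounts being added, and SSL VPN settings being changed. The log lines are constructed to approximate FortiGate's key=value event-log style; the field names `action`, `cfgpath`, `cfgobj`, `ui`, `srcip` and the 60-second session threshold are assumptions, so adapt them to the exact fields your firmware emits.

```python
import re
from datetime import datetime, timedelta

# Constructed sample event logs in a FortiGate-like key=value style (assumed field names).
SAMPLE_LOGS = [
    'date=2024-11-20 time=09:00:00 type="event" subtype="system" user="admin" ui="https(192.0.2.10)" action="login" status="success" srcip=192.0.2.10 msg="Administrator admin logged in successfully"',
    'date=2024-11-20 time=09:30:00 type="event" subtype="system" user="admin" ui="https(192.0.2.10)" action="logout" status="success" srcip=192.0.2.10 msg="Administrator admin logged out"',
    'date=2024-11-20 time=10:15:02 type="event" subtype="system" user="admin" ui="jsconsole" action="login" status="success" srcip=127.0.0.1 msg="Administrator admin logged in successfully from jsconsole"',
    'date=2024-11-20 time=10:15:10 type="event" subtype="system" user="admin" ui="jsconsole" action="Add" cfgpath="system.admin" cfgobj="svc_backup" srcip=127.0.0.1 msg="Add system.admin svc_backup"',
    'date=2024-11-20 time=10:15:20 type="event" subtype="system" user="admin" ui="jsconsole" action="logout" status="success" srcip=127.0.0.1 msg="Administrator admin logged out"',
    'date=2024-11-20 time=10:16:00 type="event" subtype="system" user="svc_backup" ui="jsconsole" action="login" status="success" srcip=8.8.8.8 msg="Administrator svc_backup logged in successfully from jsconsole"',
    'date=2024-11-20 time=10:16:30 type="event" subtype="system" user="svc_backup" ui="jsconsole" action="Edit" cfgpath="vpn.ssl.settings" cfgobj="settings" srcip=8.8.8.8 msg="Edit vpn.ssl.settings"',
    'date=2024-11-20 time=10:16:45 type="event" subtype="system" user="svc_backup" ui="jsconsole" action="logout" status="success" srcip=8.8.8.8 msg="Administrator svc_backup logged out"',
]

# Source addresses the article reports as spoofed values seen in the campaign.
SUSPICIOUS_SRC = {"127.0.0.1", "8.8.8.8"}

# key=value pairs; values may be bare tokens or double-quoted strings with spaces.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line):
    """Turn one key=value log line into a dict and attach a datetime under 'ts'."""
    fields = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    fields["ts"] = datetime.strptime(
        fields["date"] + " " + fields["time"], "%Y-%m-%d %H:%M:%S"
    )
    return fields


def hunt(lines, max_session_seconds=60):
    """Return a list of (finding, user, detail) tuples for the indicators described in the article."""
    findings = []
    open_logins = {}  # (user, srcip) -> login time, used to measure session length
    for event in (parse_line(l) for l in lines):
        action = event.get("action")
        key = (event.get("user"), event.get("srcip"))

        if action == "login" and event.get("status") == "success":
            if event.get("srcip") in SUSPICIOUS_SRC:
                findings.append(("spoofed-source-login", key[0], key[1]))
            open_logins[key] = event["ts"]

        elif action == "logout":
            started = open_logins.pop(key, None)
            if started is not None:
                length = event["ts"] - started
                if length <= timedelta(seconds=max_session_seconds):
                    findings.append(("short-lived-admin-session", key[0], int(length.total_seconds())))

        elif action == "Add" and event.get("cfgpath") == "system.admin":
            # A new administrator object was created; the article notes attackers add or hijack admin accounts.
            findings.append(("new-admin-account", key[0], event.get("cfgobj")))

        elif action == "Edit" and event.get("cfgpath") == "vpn.ssl.settings":
            # SSL VPN configuration changed, the access path the article says attackers set up.
            findings.append(("sslvpn-config-change", key[0], key[1]))

    return findings


if __name__ == "__main__":
    for finding in hunt(SAMPLE_LOGS):
        print(finding)
```

Run against real exports, this flags the benign 30-minute admin session from 192.0.2.10 not at all, while the two jsconsole sessions from the spoofed addresses each produce a spoofed-source finding, a configuration-change finding, and a short-lived-session finding; in practice, feed it the device's actual event logs and tune `SUSPICIOUS_SRC` to include any address that should never appear as an administrative source on your network.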

Fortinet's Response: Fortinet is investigating the issue after being informed by Arctic Wolf, which observed the campaign.

The attack on FortiGate firewalls emphasizes the need for securing management interfaces and following best cybersecurity practices. Immediate action to disable public access, update firmware, and monitor for anomalies is critical to prevent further exploitation. Staying vigilant and proactive is essential to counter such evolving threats.