The confirmation comes after Arctic Wolf researchers said that ‘mass exploitation’ of the vulnerability—which impacts FortiGate firewalls—is ‘likely.’
Fortinet confirmed Tuesday that a critical-severity vulnerability impacting FortiOS and FortiProxy has seen exploitation in attacks, following a warning about the flaw from researchers at cybersecurity vendor Arctic Wolf.
In a post Friday, the Arctic Wolf researchers had pointed to a high likelihood of upcoming widespread exploitation for the authentication bypass vulnerability, which impacts FortiGate firewalls.
[Related: 10 Major Ransomware Attacks And Data Breaches In 2024]
“Arctic Wolf Labs assesses with high confidence that mass exploitation of a zero-day vulnerability is likely given the compressed timeline across affected organizations as well as firmware versions affected,” the researchers wrote in the post.
While Arctic Wolf did not disclose the identifier for the vulnerability, the researchers did share IP addresses associated with the threat actor that match those disclosed by Fortinet in its advisory Tuesday.
“Please note that reports show this is being exploited in the wild,” Fortinet said in the advisory.
The vulnerability (tracked at CVE-2024-55591) affects versions 7.0.0 through 7.0.16 of FortiOS. The flaw also impacts FortiProxy versions 7.0.0 through 7.0.19 as well as versions 7.2.0 through 7.2.12. Patches are available for the affected versions.
The Arctic Wolf researchers said they “began observing a campaign involving suspicious activity on Fortinet FortiGate firewall devices” in early December.
In a statement provided to CRN Tuesday, Fortinet said it has been “proactively communicating with customers to provide guidance” regarding the vulnerability, including with “solutions and workarounds to help them mitigate their risk.”
“There are instances where confidential advance customer communications can include early guidance regarding an advisory to enable customers to further strengthen their security posture in advance of a scheduled public advisory,” the company said.
Fortinet recommends that customers “follow the guidance outlined in the advisory, exercise timely patching practices and continue monitoring their networks for unusual activity to help mitigate cyber risk,” the company said in its statement.
The vulnerability “may allow a remote attacker to gain super-admin privileges via crafted requests to Node.js websocket module,” the company said in its advisory Tuesday.
The flaw has been awarded a “critical” severity score of 9.6 out of 10.0
In recent years, threat actors have had a major focus on targeting network security devices such as firewalls and VPNs for exploitation, whose position as the front door to the IT environment makes them a prized target.
Such devices are appealing targets because they must be connected to the internet, Elisa Costante, Forescout’s vice president of research, told CRN previously. And for a hacker, “once I am within a firewall or within a router, or within a VPN system, I’m in a very good place to start [an attack],” Costante said.
