Security researchers have identified a critical flaw in Fortinet firewalls that hackers have been actively exploiting to infiltrate corporate and enterprise networks.
Fortinet confirmed the issue, tracked as CVE-2024-55591, in an advisory released on Tuesday. This vulnerability, rated as critical, has reportedly been exploited as a zero-day vulnerability—meaning hackers leveraged it before Fortinet was even aware or able to issue a fix. The exploitation has been ongoing since December, according to experts.
Fortinet has since released patches to address the flaw, but the damage may already be significant. This development follows closely on the heels of another reported zero-day vulnerability in Ivanti VPN servers, also being used by hackers to gain unauthorized access to networks.
Arctic Wolf, a cybersecurity firm, reported observing a large-scale campaign targeting Fortinet FortiGate firewall devices with publicly exposed management interfaces. Stefan Hostetler, a lead threat intelligence researcher at Arctic Wolf, stated that the exploitation was linked directly to the newly confirmed vulnerability in Fortinet’s firewalls.
Hostetler disclosed that their research observed “tens” of intrusions, though this likely represents only a fraction of the total affected devices. He added, “The evidence indicates a concentrated effort to exploit a large number of devices within a short time frame.”
Fortinet has declined to specify how many customers were impacted but assured that it is actively communicating with affected users. While the identity of the attackers remains unclear, cybersecurity expert Kevin Beaumont suggested on Mastodon that a ransomware operator may be exploiting the flaw.
Hostetler also warned that ransomware campaigns are a plausible outcome of these attacks. Past research from Arctic Wolf has shown ransomware groups like Akira and Fog leveraging similar methods to establish unauthorized VPN connections.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued a statement urging Fortinet users to immediately update any vulnerable devices to mitigate potential risks.
This incident comes shortly after Fortinet disclosed another breach in September, in which attackers accessed customer data stored on a third-party shared cloud drive. The ongoing issues underscore the growing risks associated with vulnerabilities in enterprise security tools, which are ironically meant to protect networks from such intrusions.
Organizations relying on Fortinet firewalls should prioritize patching their systems to safeguard against this escalating threat.
