Rapid7 is investigating two significant incidents affecting Fortinet firewall users: a zero-day vulnerability (CVE-2024-55591) that allows remote attackers to gain super-admin privileges, and a data leak involving 15,000 FortiGate firewalls. The leaked data, which includes sensitive information, is believed to originate from incidents dating back to 2022.
Affected: FortiOS, FortiProxy, FortiGate
Key points:
- Rapid7 is examining two incidents involving Fortinet firewall customers.
- CVE-2024-55591 is a zero-day vulnerability that allows authentication bypass in FortiOS and FortiProxy.
- A dark web post revealed a data leak of 15,000 FortiGate firewall configurations, including IPs and passwords.
- The leaked data appears to be from incidents that occurred in 2022.
- Security researchers suggest that CVE-2022-40684 may have facilitated the data leak.
- Fortinet has confirmed that CVE-2024-55591 is being exploited in the wild.
- Mitigation steps include updating to fixed versions of FortiOS and FortiProxy.
- Organizations are advised to implement multi-factor authentication for local accounts.
MITRE Techniques:
- Authentication Bypass (CWE-288) – CVE-2024-55591 allows attackers to gain super-admin privileges via crafted requests.
- Data Leak (T1071) – The Belsen Group leaked sensitive configuration data from FortiGate firewalls.
- Initial Access (T1078) – CVE-2022-40684 may have been the initial access vector for the data leak.
Indicators of Compromise:
- Leaked file set: configuration data from 15,000 FortiGate firewalls.
- Network indicators: IP addresses associated with the threat campaign targeting CVE-2024-55591.
- Affected products: Fortinet FortiOS, Fortinet FortiProxy.
- See the full article for all IoCs found.
Full Research: https://blog.rapid7.com/2025/01/16/etr-fortinet-firewalls-hit-with-new-zero-day-attack-older-data-leak/