Fortinet Firewalls Hit With New Zero-day Attack, Older Data Leak
Thumbnail
Rapid7 is investigating two significant incidents affecting Fortinet firewall users: a zero-day vulnerability (CVE-2024-55591) that allows remote attackers to gain super-admin privileges and a data leak involving 15,000 FortiGate firewalls. The leaked data, which includes sensitive information, is believed to be from incidents dating back to 2022. Affected: FortiOS, FortiProxy, FortiGate

Keypoints :

  • Rapid7 is examining two incidents involving Fortinet firewall customers.
  • CVE-2024-55591 is a zero-day vulnerability that allows authentication bypass in FortiOS and FortiProxy.
  • A dark web post revealed a data leak of 15,000 FortiGate firewall configurations, including IPs and passwords.
  • The leaked data appears to be from incidents that occurred in 2022.
  • Security researchers suggest that CVE-2022-40684 may have facilitated the data leak.
  • Fortinet has confirmed that CVE-2024-55591 is being exploited in the wild.
  • Mitigation steps include updating to fixed versions of FortiOS and FortiProxy.
  • Organizations are advised to implement multi-factor authentication for local accounts.

MITRE Techniques :

  • Authentication Bypass (CWE-288) – CVE-2024-55591 allows attackers to gain super-admin privileges via crafted requests.
  • Data Leak (T1071) – The Belsen Group leaked sensitive configuration data from FortiGate firewalls.
  • Initial Access (T1078) – CVE-2022-40684 may have been the initial access vector for the data leak.

Indicator of Compromise :

  • [file name] Configuration data from 15,000 FortiGate firewalls.
  • [others ioc] IP addresses associated with the threat campaign targeting CVE-2024-55591.
  • [tool name] Fortinet FortiOS.
  • [tool name] Fortinet FortiProxy.
  • Check the article for all found IoCs.

Full Research: https://blog.rapid7.com/2025/01/16/etr-fortinet-firewalls-hit-with-new-zero-day-attack-older-data-leak/