FortiGate 0-Day Exploit Hits Dark Web: Hackers Claim Full Firewall Access

A zero-day exploit targeting Fortinet’s FortiGate firewalls has reportedly appeared for sale on a prominent dark web forum, posing a significant threat to organizations worldwide.

The exploit allegedly enables unauthenticated remote code execution (RCE) and complete access to device configurations without requiring any credentials.

Exploit Capabilities and Potential Impact

According to observations by ThreatMon, the advertised exploit provides attackers with extensive access to critical configuration files from compromised devices, including:

• Encrypted local user passwords stored in local_users.json
• Administrator account details with permissions and trust relationships from admin_accounts.json
• Two-factor authentication configurations found in two_factor.json
• Complete firewall policies, NAT mappings, internal IP information, and network configurations

This level of access could enable attackers to compromise affected networks by bypassing security measures, extracting sensitive data, and establishing persistent access.

The exploit appears to target FortiOS versions vulnerable to authentication bypass vulnerabilities, which have been a recurring weakness in Fortinet products.

Historical Context of Fortinet Vulnerabilities

This latest threat continues a concerning pattern of security issues affecting Fortinet products:

• Earlier this year, the Belsen Group leaked configuration files from over 15,000 FortiGate firewalls, exploiting CVE-2022-40684, an authentication bypass vulnerability disclosed in October 2022
• Despite being two years old, the leaked data remained relevant due to the static nature of many firewall configurations
• More recently, Fortinet disclosed CVE-2024-55591, a critical vulnerability allowing attackers to gain super-admin privileges through specially crafted requests
• This flaw affected FortiOS versions 7.0.0 through 7.0.16 and FortiProxy versions 7.0.0 through 7.0.19 and 7.2.0 through 7.2.12

Security Implications

Organizations using Fortinet firewalls face several serious risks:

• Unauthorized administrative access to security infrastructure
• Network compromise through lateral movement
• Potential data breaches from extracted credentials and configuration details
• Operational disruptions from modified firewall policies
• Backdoor creation for future attacks

With reports indicating over 300,000 Fortinet firewalls potentially vulnerable to similar RCE vulnerabilities, the scale of this threat is substantial.

Recommended Protective Measures

Fortinet has consistently urged users to implement security updates promptly.

Organizations should consider these protective steps:

• Immediately update the firmware to the latest patched versions
• Implement strict access controls for administrative interfaces
• Disable HTTP/HTTPS administrative access or restrict through local policies
• Monitor network traffic for unusual activity patterns
• Conduct thorough audits of existing firewall configurations

This emerging threat highlights the critical importance of maintaining vigilant cybersecurity practices, particularly for security infrastructure components that serve as the first line of defense against external threats.

Find this Story Interesting! Follow us on LinkedIn and X to Get More Instant Updates