Full Report
The federal government and multiple cybersecurity firms warned of a zero-day vulnerability in FortiGate firewalls that hackers are actively exploiting.
Analysis Summary
# Vulnerability: Active Exploitation of FortiGate Firewall Zero-Day
## CVE Details
- CVE ID: CVE-2024-55591
- CVSS Score: Not explicitly provided, but implied **Critical** given active exploitation and CISA emergency directive.
- CWE: Not explicitly provided.
## Affected Systems
- Products: FortiGate Firewalls
- Versions: Not specified in the text, but all exposed devices are implied to be at risk until patched.
- Configurations: Systems with public-facing interfaces exposed on the internet were targeted.
## Vulnerability Description
A zero-day vulnerability exists in FortiGate firewalls that is currently being actively exploited in the wild by threat actors. Successful exploitation allows attackers to create administrative accounts on targeted devices and modify firewall policy settings.
## Exploitation
- Status: **Exploited in the wild** (Confirmed by Fortinet and threat intelligence reports).
- Complexity: Implied to be manageable by active threat actors.
- Attack Vector: Network (targeting public-facing interfaces).
## Impact
- Confidentiality: High (Attackers can gain admin access, potentially exposing sensitive network information).
- Integrity: High (Ability to change firewall policies and create administrative accounts).
- Availability: Potentially High (Manipulation of firewall settings can disrupt service).
## Remediation
### Patches
- Fortinet advisory referenced: `FG-IR-24-535`. Administrators must apply the official patch detailed in the vendor advisory.
- **CISA ordered federal civilian agencies to patch by January 21.**
### Workarounds
- Immediately review and audit existing administrative accounts for unauthorized creations.
- Harden public-facing interfaces and restrict access strictly to necessary inbound/outbound traffic rules.
- Immediately look for signs of compromise outlined by Fortinet in their advisory.
## Detection
- **Indicators of Compromise (IoCs):** Creation of new, unauthorized administrative accounts; unexpected changes to firewall policies.
- **Detection Methods and Tools:** Review logs for suspicious login/logout events or configuration changes consistent with administrative activity. Incident responders noted seeing signs consistent with scanning/reconnaissance activity as well.
## References
- Vendor Advisory: hXXps://www.fortiguard.com/psirt/FG-IR-24-535
- Threat Intelligence (Arctic Wolf): hXXps://arcticwolf.com/resources/blog/console-chaos-targets-fortinet-fortigate-firewalls/
- Incident Response Analysis (Rapid7): hXXps://www.rapid7.com/blog/post/2025/01/16/etr-fortinet-firewalls-hit-with-new-zero-day-attack-older-data-leak/
---
***Note on Historical Context:*** *The article also mentioned an older, related vulnerability, **CVE-2022-40684**, where leaked firewall configurations for ~15,000 devices were released, suggesting administrators must also confirm patching status for this historical flaw, as configurations may have been stolen years ago.*