Where are the Fortinet admins? Nearly 50K devices left unpatched and widely exploited


Nearly 50,000 vulnerable Fortinet devices are still accessible online despite the rushed patch addressing a widely exploited zero-day. Security authorities are sounding alarms. The critical flaw is an open door, allowing hackers to gain super-admin privileges.

As of January 23rd, nine days after the initial discovery and patch, the Shadowserver Foundation tracks nearly 8,000 vulnerable Fortinet devices in the US, almost 6,000 in India, and over 3,000 in Brazil.

In total, over 47,000 Fortinet devices around the globe remain unpatched for a critical vulnerability.


In an ongoing malicious campaign, hackers are gaining access to exposed Fortinet firewall management interfaces, altering the configurations, and extracting credentials. Security firm Arctic Wolf said the malicious activity began several weeks before the disclosure of the flaw.

The authentication bypass vulnerability (CVE-2024-55591) has a severity rating of 9.8 out of 10.

“Threat actors were then observed creating new administrative accounts, granting VPN access to the newly-created users, and making other configuration changes. All affected customers were found to be exposing the FortiGate management web interface to the public internet,” Arctic Wolf researchers noted.

The patch has been available since January 14th. Following the disclosure, the German cybersecurity authority BSI issued a ‘very high threat level’ alert, and the Cybersecurity and Infrastructure Security Agency (CISA) directed federal agencies to apply mitigations by January 21st.


“IT security officers should immediately update devices in operation to the secured FortiOS or FortiProxy and thoroughly check products with FortiOS 7.0 and affected FortiProxy 7.2 and 7.0 for compromise,” BSI said.

Data from the Shadowserver Foundation indicates the rate at which vulnerable Fortinet instances are being patched remains sluggish. One week ago, the organization had tracked a similar number, over 52,000 accessible devices susceptible to the flaw.

We are sharing daily results of Fortinet CVE-2024-55591 (auth bypass) vulnerable instances in our Vulnerable HTTP report - shadowserver.org/what-we-do/n... CVE-2024-55591 is known to be exploited in the wild. Around 50K found vulnerable: dashboard.shadowserver.org/statistics/c...


The Shadowserver Foundation (@shadowserver.bsky.social), January 20, 2025 at 2:42 PM

Previous vulnerabilities affecting Fortinet devices were abused by state-sponsored threat actors.

In 2022 and 2023, China-linked hackers gained access to at least 20,000 FortiGate systems worldwide within a few months.

The Shadowserver Foundation recommends that security teams check their devices for signs of compromise. Indicators of compromise (IoCs) can be found in Fortinet’s advisory, and additional IoCs are available in Arctic Wolf’s report.