SecurityBrief New Zealand - Technology news for CISOs & cybersecurity decision-makers
Fortinet firewalls hit by major data leak and zero-day flaw

Yesterday

Fortinet firewalls have been targeted in a significant data leak and a recently disclosed zero-day vulnerability, prompting action from cybersecurity firms and affected organisations.

Rapid7 has been investigating two distinct incidents related to Fortinet firewall products. The first involves a zero-day vulnerability, identified as CVE-2024-55591, which affects FortiOS and FortiProxy. This vulnerability is an authentication bypass flaw allowing remote adversaries to gain super-admin privileges by sending crafted requests to the Node.js websocket module.

The second incident concerns a data leak, traced back to a dark web post dated January 15, 2025, in which a threat actor known as "Belsen Group" released data purportedly from 15,000 FortiGate firewalls. This leaked information includes IP addresses, passwords, and firewall configuration settings, potentially threatening the affected organisations.

Security researcher Kevin Beaumont has conducted initial analyses of the leaked data, concluding that the information might originate from 2022. Rapid7, after engaging with affected entities, confirmed that some data matches records from 2022 when certain customer firewalls were compromised. Beaumont speculates that CVE-2022-40684, a previous Fortinet zero-day vulnerability, might have been exploited to obtain the exposed data, though no specific CVE has been attributed to the leak by Rapid7.

Details of the CVE-2024-55591 zero-day were released by Fortinet on January 14, 2025. Arctic Wolf, another cybersecurity firm, previously suggested the presence of a zero-day vulnerability targeting Fortinet firewall interfaces but did not confirm an initial access vector. Arctic Wolf's observations included unauthorised administrative logins, the creation of new accounts, and SSL VPN authentications via those accounts.

Rapid7's threat hunters confirmed activity from IP addresses linked to the CVE-2024-55591 targeting campaign, but reported that the activity was consistent with scanning or reconnaissance rather than outright exploitation.

Fortinet's advisory regarding CVE-2024-55591 outlines affected products and provides indicators of compromise (IOCs). It highlights affected versions, such as FortiOS 7.0.0 through 7.0.16, FortiProxy 7.2.0 through 7.2.12, and FortiProxy 7.0.0 through 7.0.19. Fixed versions are available, and customers are urged to update without delay.

Caitlin Condon, Director of Vulnerability Intelligence at Rapid7, emphasised, "Per Fortinet, other versions of FortiOS (6.4, 7.2, 7.4, 7.6) and FortiProxy (2.0, 7.4, 7.6) are not affected. Customers should update to a fixed version immediately, without waiting for a regular patch cycle to occur, and review Fortinet's IOCs to aid investigations into suspicious activity. Indicators include examples of administrative or local users added by adversaries."

Condon further advised safeguarding firewall management interfaces from public exposure and restricting administrative access via specific IP addresses.
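One way a defender could triage firewall event logs for the activity pattern described above (a new administrator account, followed by logins and SSL VPN authentication from that account, or admin logins from outside the management network). This is an added example, not code from the article, Rapid7 or Fortinet: the key=value field names and the sample lines are constructed approximations of FortiGate-style syslog, not Fortinet's published IOCs, and the allowed management network (10.0.0.0/24) is assumed.

```python
import re

# Constructed sample lines in a FortiGate-style key=value syslog format.
# Field names are assumed approximations, not Fortinet's published IOCs.
SAMPLE_LOGS = """\
date=2025-01-13 time=02:11:07 type=event subtype=system user="admin" ui="jsconsole" action="Add" cfgpath="system.admin" cfgobj="svc_backup" msg="Add system.admin svc_backup"
date=2025-01-13 time=02:13:40 type=event subtype=system user="svc_backup" ui="https(203.0.113.5)" action="login" status="success" msg="Administrator svc_backup logged in successfully from https(203.0.113.5)"
date=2025-01-13 time=02:20:02 type=event subtype=vpn action="ssl-login-success" user="svc_backup" remip=203.0.113.5 msg="SSL user login success"
date=2025-01-13 time=09:00:15 type=event subtype=system user="admin" ui="https(10.0.0.20)" action="login" status="success" msg="Administrator admin logged in successfully from https(10.0.0.20)"
"""

# key=value pairs; values are either a double-quoted string or a bare token.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_line(line):
    """Parse one key=value log line into a dict, stripping surrounding quotes."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def analyse(log_text, allowed_mgmt_prefixes=("10.0.0.",)):
    """Return findings as (kind, user, detail) tuples: admin accounts created,
    any login or SSL VPN authentication by those new accounts, and admin
    logins from outside the assumed management network prefixes."""
    new_admins, findings = set(), []
    for raw in log_text.splitlines():
        e = parse_line(raw)
        if e.get("action") == "Add" and e.get("cfgpath") == "system.admin":
            new_admins.add(e.get("cfgobj"))
            findings.append(("admin_created", e.get("cfgobj"), e.get("user")))
        elif e.get("action") == "login" and e.get("status") == "success":
            # Source address is embedded in the ui field, e.g. https(203.0.113.5)
            m = re.search(r"\(([\d.]+)\)", e.get("ui", ""))
            src_ip = m.group(1) if m else "?"
            if e.get("user") in new_admins:
                findings.append(("login_by_new_admin", e["user"], src_ip))
            if not src_ip.startswith(allowed_mgmt_prefixes):
                findings.append(("login_from_unexpected_ip", e.get("user"), src_ip))
        elif e.get("action") == "ssl-login-success" and e.get("user") in new_admins:
            findings.append(("sslvpn_by_new_admin", e["user"], e.get("remip")))
    return findings


if __name__ == "__main__":
    for kind, user, detail in analyse(SAMPLE_LOGS):
        print(f"{kind:26} user={user} detail={detail}")
```

The account-creation event is the anchor: later authentications by that account are flagged even when they come from an address that is otherwise allowed.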

Those affected by the FortiGate data leak are advised to change administrative and local user passwords immediately; Rapid7 also strongly recommends enabling multi-factor authentication for local accounts.
