Patch procrastination leaves 50,000 Fortinet firewalls vulnerable to zero-day

Seven days after disclosure, little action has been taken, data shows


Fortinet customers need to get with the program and apply the latest updates as nearly 50,000 management interfaces are still vulnerable to the latest zero-day exploit.

Data from the Shadowserver Foundation shows 48,457 Fortinet boxes are still publicly exposed and haven't had the patch for CVE-2024-55591 applied, despite stark warnings issued over the past seven days.

The situation has not improved over time either. Shadowserver began tracking the number of exposed appliances on January 16, two days after the CVE identifier for the zero-day was issued, and even then just shy of 52,000 instances were vulnerable.

Customers in Asia are the most exposed, with 20,687 vulnerable firewalls still reachable over the internet, while North America and Europe trail with 12,866 and 7,401 respectively.

A reminder to those still dawdling over patching this one: Fortinet has confirmed CVE-2024-55591 is being actively exploited, and it's also on CISA's KEV catalog. Don't be like the 86,000-plus customers who didn't patch the last one.

Speaking to The Register about the issue last week, Arctic Wolf Labs' lead threat intelligence researcher Stefan Hostetler said exploits have been widespread, opportunistic, and date back to December.

He added that once they've pwned their target, attackers appear to be stealing credentials and using them to worm their way through the victim's network with admin privileges. The rest of the details are still being gathered, but - needless to say - an intruder with admin access is not a welcome addition to the network.

"What we can say is that ransomware is not off the table," Hostetler said, citing similar tactics used in the past by the likes of Akira and Fog.

Fortinet's advisory has all the details about how to go about upgrading to a safe version of FortiOS and FortiProxy, or implementing a workaround in the meantime.

Rocky start

Like Ivanti, Fortinet has had a tricky start to 2025. Not only has it been dealing with CVE-2024-55591, but late last week the vendor also confirmed the Belsen Group's leaks were indeed genuine.

Thousands of configurations and passwords for Fortinet devices were posted online by a new band of criminals called the Belsen Group. They were stolen back in 2022 using a zero-day vulnerability but only made their way online recently.

Given some Fortinet customers' apparent lackadaisical attitude toward fixing security holes, and if the previous few incidents are anything to go by, there's a chance that some victims of this breach have not refreshed their credentials since, leaving them open to fresh attacks.

Infosec watcher Kevin Beaumont said the victims were mainly SMBs, although some larger organizations and governments were also included.

Fortinet offered some relief, however, stating that if the usual security best practices have been followed since then, the risk of compromise is small. Devices purchased after December 2022 are also unaffected.

Those who might still be at risk will be getting a call or email from Fortinet HQ soon, warning them of that fact and encouraging them to apply the vendor's recommended actions.

"If you are in scope, you may need to change device credentials and assess risk of firewall rules being publicly available," Beaumont said.

This year has started much the same for Fortinet as did the last, which The Reg described as the vendor's "hell week."

Two critical bugs and a bungled disclosure process later, by early February Fortinet was cleaning up a variety of messes. It all culminated with the infamous (and false) toothbrush DDoS story, a claim published by a Swiss newspaper following a one-on-one briefing with one of the vendor's researchers.

As the story goes, Fortinet told a reporter about how a 3 million-device botnet was launching DDoS attacks on Swiss organizations (it wasn't), and recruited to the botnet were internet-connected toothbrushes with malware installed.

Once the story was published, onlookers quickly rubbished the claims, which Fortinet later tried to blame on translation issues, saying the toothbrush attack had been presented as a hypothetical, a mere "illustration of a given type of attack." The Swiss newspaper disputed this, saying the article was sent to the vendor for approval and was returned with no amendments made. ®
