Fortinet Firewalls Targeted Amid Potential Zero-Day Exploit

Suspected Zero-Day Flaw Driving Fortinet Firewall Attacks

A suspected zero-day vulnerability is likely behind a wave of attacks targeting Fortinet FortiGate firewalls with management interfaces exposed to the public Internet. Attackers are exploiting these devices to gain unauthorised administrative access, create new accounts, alter configurations, and authenticate through SSL VPNs, according to Arctic Wolf researchers.

Arctic Wolf first identified suspicious activity on FortiGate firewalls in early December. Affected devices ran firmware versions between 7.0.14 and 7.0.16, and threat actors leveraged compromised management interfaces to manipulate firewall settings. In some cases, attackers used DCSync techniques to extract credentials.

The researchers believe the rapid timeline and consistent targeting suggest an undisclosed vulnerability is being exploited. However, the exact attack vector has not been confirmed.

Opportunistic Targeting and Tactics

Arctic Wolf noted the campaign's victims were not limited to a specific industry or organisation size, indicating opportunistic targeting. Attackers frequently used Fortinet’s jsconsole command-line interface, which is reached through the web-based management portal; FortiOS records administrative changes made through it together with the source IP address, so these actions leave a trail in the device's event logs.

The campaign unfolded in four distinct phases from November to December 2024: vulnerability scanning, reconnaissance, SSL VPN configuration, and lateral movement. Arctic Wolf noted ongoing activity, with multiple intrusions showing subtle variations in tactics and infrastructure.

Recommendations for Defense

To reduce risk, organisations should avoid exposing Fortinet management interfaces to the public Internet, limit access to trusted internal users, and regularly update device firmware to address security flaws. Arctic Wolf also advises enabling syslog monitoring on all firewall devices to detect suspicious activity early.
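The syslog monitoring Arctic Wolf recommends is only useful if someone turns the logs into alerts. The script below is an added example written for this article, not code from Arctic Wolf or Fortinet; it parses FortiGate-style key=value event log lines and flags the behaviours the campaign description mentions: administrator logins from outside a trusted management network, activity through the jsconsole interface, creation of new administrator accounts, SSL VPN configuration changes, and an SSL VPN tunnel brought up by an account that was created in the same log window. The field names (user, ui, action, cfgpath, cfgobj, srcip, remip) follow FortiOS's event log format, but every sample line, the logid values and the trusted network range are constructed for illustration.

```python
import ipaddress
import re
from typing import Dict, Iterable, List, Optional

# Assumed internal management network; adjust to the real admin VLAN.
TRUSTED_MGMT_NETS = [ipaddress.ip_network("10.10.0.0/16")]

# Constructed FortiGate-style event log lines (not from any real incident).
SAMPLE_LOGS = """\
date=2024-12-02 time=03:14:07 logid="0100032001" type="event" subtype="system" level="information" logdesc="Admin login successful" user="admin" ui="https(203.0.113.5)" srcip=203.0.113.5 action="login" status="success" msg="Administrator admin logged in successfully from https(203.0.113.5)"
date=2024-12-02 time=03:14:52 logid="0100044547" type="event" subtype="system" level="information" logdesc="Object attribute configured" user="admin" ui="jsconsole" action="Add" cfgpath="system.admin" cfgobj="svc_backup" msg="Add system.admin svc_backup"
date=2024-12-02 time=03:15:10 logid="0100044547" type="event" subtype="system" level="information" logdesc="Object attribute configured" user="svc_backup" ui="jsconsole" action="Edit" cfgpath="vpn.ssl.settings" cfgobj="vpn.ssl.settings" msg="Edit vpn.ssl.settings"
date=2024-12-02 time=03:20:33 logid="0101039424" type="event" subtype="vpn" level="information" logdesc="SSL VPN tunnel up" user="svc_backup" remip=203.0.113.5 action="tunnel-up" tunneltype="ssl-web" msg="SSL tunnel established"
date=2024-12-02 time=09:01:12 logid="0100032001" type="event" subtype="system" level="information" logdesc="Admin login successful" user="netops" ui="ssh(10.10.5.20)" srcip=10.10.5.20 action="login" status="success" msg="Administrator netops logged in successfully from ssh(10.10.5.20)"
"""

# key=value pairs; values are either double-quoted or a bare token.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
# The ui field embeds the client address, e.g. https(203.0.113.5).
UI_IP_RE = re.compile(r"\((\d{1,3}(?:\.\d{1,3}){3})\)")


def parse_fortigate_line(line: str) -> Dict[str, str]:
    """Parse one FortiGate key=value log line into a dictionary."""
    return {key: quoted or bare for key, quoted, bare in KV_RE.findall(line)}


def source_ip(rec: Dict[str, str]) -> Optional[str]:
    """Best-effort client address: srcip, then remip, then the ui field."""
    for field in ("srcip", "remip"):
        if field in rec:
            return rec[field]
    match = UI_IP_RE.search(rec.get("ui", ""))
    return match.group(1) if match else None


def is_trusted(ip: str) -> bool:
    """True if the address falls inside an allowed management network."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in TRUSTED_MGMT_NETS)


def detect(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Run the detection rules over log lines and return alert records."""
    alerts: List[Dict[str, str]] = []
    created_admins = set()  # admin accounts added within this log window
    for line in lines:
        if not line.strip():
            continue
        rec = parse_fortigate_line(line)
        user = rec.get("user", "?")
        ip = source_ip(rec)

        # Rule 1: successful admin login from outside the trusted networks.
        if rec.get("action") == "login" and rec.get("status") == "success" \
                and ip and not is_trusted(ip):
            alerts.append({"rule": "admin_login_untrusted_source", "user": user, "detail": ip})

        # Rule 2: any administrative action through the jsconsole interface.
        if rec.get("ui") == "jsconsole":
            alerts.append({"rule": "jsconsole_activity", "user": user, "detail": rec.get("msg", "")})

        # Rule 3: a new administrator account was added.
        if rec.get("cfgpath") == "system.admin" and rec.get("action") == "Add":
            created_admins.add(rec.get("cfgobj", ""))
            alerts.append({"rule": "admin_account_created", "user": user, "detail": rec.get("cfgobj", "")})

        # Rule 4: SSL VPN settings were modified.
        if rec.get("cfgpath", "").startswith("vpn.ssl"):
            alerts.append({"rule": "sslvpn_config_change", "user": user, "detail": rec.get("cfgpath", "")})

        # Rule 5: an SSL VPN tunnel established by an account created above.
        if rec.get("subtype") == "vpn" and rec.get("action") == "tunnel-up" and user in created_admins:
            alerts.append({"rule": "sslvpn_login_by_new_admin", "user": user, "detail": ip or ""})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOGS.splitlines()):
        print(f"[{alert['rule']}] user={alert['user']} {alert['detail']}")
```

Run on the constructed sample, the script raises six alerts: the login from 203.0.113.5, two jsconsole actions, the creation of svc_backup, the SSL VPN settings edit, and the tunnel later established by that new account; the legitimate netops login from the internal network produces nothing. Rule 5 is the one worth tuning first in production, since a brand-new administrator account appearing in an SSL VPN session within minutes of its creation is exactly the sequence the article describes.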
