Fortinet stays mum on critical 0-day reportedly under active exploitation

Estimated read time 2 min read


Fortinet, a maker of network security software, has kept a critical vulnerability under wraps for more than a week amid reports that attackers are using it to execute malicious code on servers used by sensitive customer organizations.

Fortinet representatives didn’t respond to emailed questions and have yet to release any sort of public advisory detailing the vulnerability or the specific software that’s affected. The lack of transparency is consistent with previous zerodays that have been exploited against Fortinet customers. With no authoritative source for information, customers, reporters, and others have few other avenues for information other than social media posts where the attacks are being discussed.

RCE stands for remote code execution

According to one Reddit post, the vulnerability affects FortiManager, a software tool for managing all traffic and devices on an organization’s network. Specific versions vulnerable, the post said, include FortiManager versions:

  • 7.6.0 and below
  • 7.4.4 and below
  • 7.2.7 and below
  • 7.0.12 and below
  • 6.4.14 and below

Users of these versions can protect themselves by installing versions 7.6.1 or above, 7.4.5 or above, 7.2.8 or above, 7.0.13 or above, or 6.4.15 or above. There are also reports that the cloud-based FortiManager Cloud is vulnerable as well.

Some administrators of FortiGate-powered networks report receiving emails from the company notifying them of the available updates and advice to install them. Others say they received no such emails. Fortigate hasn’t published any sort of public advisory or a CVE designation for security practitioners to track the zeroday.

The vulnerability has been discussed since at least October 13. According to independent researcher Kevin Beaumont, the security bug stems from a default FortiManager setting that allows devices with unknown or unauthorized serial numbers to register themselves into an organization’s FortiManager dashboard. Precise details still aren’t clear, but a now-deleted comment on Reddit indicated that the zeroday allows attackers to “steal a Fortigate certificate from any Fortigate, register to your FortiManager and gain access to it.”

Citing the Reddit comment, Beaumont took to Mastodon to explain: “People are quite openly posting what is happening on Reddit now, threat actors are registering rogue FortiGates into FortiManager with hostnames like ‘localhost’ and using them to get RCE.”



Source link

You May Also Like

More From Author

+ There are no comments

Add yours