This vulnerability allows remote attackers to gain superadministrator privileges on compromised devices, such as firewalls and SSL VPNs. The flaw is exploited through malicious requests to the WebSocket module of Node.js, enabling unauthenticated access to the administration panels.
The vulnerability affects FortiOS versions from 7.0.0 to 7.0.16, and FortiProxy versions from 7.0.0 to 7.0.19 and from 7.2.0 to 7.2.12. It is important to note that the latest versions of these products are not affected, so customers who keep their systems updated are protected from this vulnerability. Fortinet has released patches to address the issue and strongly recommends that organizations apply the updates immediately.
Attackers exploiting this vulnerability have been observed carrying out a series of malicious actions, such as the following:
Active campaign since November
Fortinet has confirmed that active exploitation began in mid-November 2024. The attacks targeted FortiGate firewalls with exposed management interfaces to the Internet. The attackers carried out a four-phase cycle:
Vulnerability Scanning: From November 16 to 23.
System Reconnaissance: From November 22 to 27.
SSL VPN Configuration: From December 4 to 7.
Lateral Movement within Networks: From December 16 to 27.
How to know if your system has been compromised?
Check the versions of FortiOS and FortiProxy installed on your devices to identify if your system has been compromised. Additionally, review the logs for signs of suspicious activity:
-
Check activity logs for suspicious behavior.
-
Identify unauthorized configurations, such as modified firewall policies or users added without your authorization.
How can Sofistic help you?
At Sofistic, we offer specialized services to protect your infrastructure against this threat:
