Fortinet warns of auth bypass zero-day exploited to hijack firewalls

Information:

Fortinet is a cybersecurity company that protects organizations, service providers and government agencies worldwide from cyber threats. It provides customers with threat intelligence and the means to build defenses that keep their businesses running. Its Security Fabric architecture is designed to deliver security across the network, applications, cloud, mobile and IoT while meeting the performance demands of today's borderless networks.

Incident:

This security flaw (tracked as CVE-2024-55591, Fortinet advisory FG-IR-24-535) is an authentication bypass that affects FortiOS 7.0.0 through 7.0.16, FortiProxy 7.0.0 through 7.0.19, and FortiProxy 7.2.0 through 7.2.12. Successful exploitation allows a remote, unauthenticated attacker to gain super-admin privileges by sending crafted requests to the Node.js websocket module exposed by the HTTP/HTTPS administrative interface. Fortinet rates the flaw critical (CVSSv3 9.6).

Fortinet says attackers exploiting the zero-day in the wild are creating admin or local users with randomly generated names on compromised devices and adding them to existing SSL VPN user groups or to new groups they also create.

They have also been observed adding or changing firewall policies and other settings, and logging in to the SSL VPN with the rogue accounts they created earlier "to get a tunnel to the internal network".

Indicators of compromise from the Fortinet advisory:

1. After logging in through the vulnerability, the logs show an admin login from the "jsconsole" user interface, with source and destination IPs that are arbitrary values rather than the attacker's real address (here both are 1.1.1.1):

type="event" subtype="system" level="information" vd="root" logdesc="Admin login successful" sn="1733486785" user="admin" ui="jsconsole" method="jsconsole" srcip=1.1.1.1 dstip=1.1.1.1 action="login" status="success" reason="none" profile="super_admin" msg="Administrator admin logged in successfully from jsconsole"

2. After the threat actors create an admin user, a log is generated with what appears to be a randomly generated user name and, in the ui field, a spoofed source IP address:

type="event" subtype="system" level="information" vd="root" logdesc="Object attribute configured" user="admin" ui="jsconsole(127.0.0.1)" action="Add" cfgtid=1411317760 cfgpath="system.admin" cfgobj="vOcep" cfgattr="password[*]accprofile[super_admin]vdom[root]" msg="Add system.admin vOcep"

3. Fortinet also warned that the following IP addresses commonly appear as the source IP in these attacks. They are loopback or well-known public DNS resolver addresses, so they are useful for searching logs but not as block-list entries:

  • 1.1.1.1
  • 127.0.0.1
  • 2.2.2.2
  • 8.8.8.8
  • 8.8.4.4

4. The admin or local user names created by the threat actor are randomly generated, e.g.:

  • Gujhmk
  • Ed8x4k
  • G0xgey
  • Pvnw81
  • Alg7c4
  • Ypda8a
  • Kmi8p4
  • 1a2n6t
  • 8ah1t6
  • M4ix9f
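To turn the indicators above into a check that can be run over exported FortiOS event logs, here is an added Python example; it is not Fortinet's code and is not part of the advisory. The sample log lines are constructed: the first two reproduce the entries shown above, the other two are ordinary GUI activity included for contrast. The 5-6 character "random-looking name" heuristic is an assumption derived from the names listed above, not a rule published by Fortinet.

```python
import re
from typing import Dict, List

# Constructed sample FortiOS event log lines. The first two reproduce the
# jsconsole login and the rogue-admin creation shown above; the last two are
# ordinary GUI activity (an HTTPS login and an admin created by a real
# operator) included so the rules have something benign to ignore.
SAMPLE_LOGS = [
    'type="event" subtype="system" level="information" vd="root" '
    'logdesc="Admin login successful" sn="1733486785" user="admin" ui="jsconsole" '
    'method="jsconsole" srcip=1.1.1.1 dstip=1.1.1.1 action="login" status="success" '
    'reason="none" profile="super_admin" msg="Administrator admin logged in successfully from jsconsole"',
    'type="event" subtype="system" level="information" vd="root" '
    'logdesc="Object attribute configured" user="admin" ui="jsconsole(127.0.0.1)" '
    'action="Add" cfgtid=1411317760 cfgpath="system.admin" cfgobj="vOcep" '
    'cfgattr="password[*]accprofile[super_admin]vdom[root]" msg="Add system.admin vOcep"',
    'type="event" subtype="system" level="information" vd="root" '
    'logdesc="Admin login successful" user="admin" ui="https(10.0.0.5)" method="https" '
    'srcip=10.0.0.5 dstip=10.0.0.1 action="login" status="success" reason="none" '
    'profile="super_admin" msg="Administrator admin logged in successfully from https(10.0.0.5)"',
    'type="event" subtype="system" level="information" vd="root" '
    'logdesc="Object attribute configured" user="admin" ui="https(10.0.0.5)" '
    'action="Add" cfgtid=1411317761 cfgpath="system.admin" cfgobj="backup-operator" '
    'cfgattr="password[*]accprofile[prof_admin]vdom[root]" msg="Add system.admin backup-operator"',
]

# Addresses Fortinet lists as showing up in srcip during these attacks. They
# are loopback and public DNS resolvers, i.e. spoofed log values, so they are
# matched here as an indicator rather than used to identify an attacker.
SPOOFED_SRCIPS = {"1.1.1.1", "127.0.0.1", "2.2.2.2", "8.8.8.8", "8.8.4.4"}

# Assumption, not a Fortinet rule: the rogue names listed above are 5-6
# alphanumeric characters, so names of that shape get an extra, weaker flag.
RANDOM_NAME_RE = re.compile(r"^[A-Za-z0-9]{5,6}$")

# FortiOS writes key=value pairs; values are either double-quoted or bare.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_fortios_log(line: str) -> Dict[str, str]:
    """Split one FortiOS event log line into a dict of its fields."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in KV_RE.finditer(line)}


def classify(fields: Dict[str, str]) -> List[str]:
    """Return the names of the CVE-2024-55591 indicators one record matches."""
    hits: List[str] = []
    from_jsconsole = (fields.get("ui", "").startswith("jsconsole")
                      or fields.get("method") == "jsconsole")
    if fields.get("logdesc") == "Admin login successful" and from_jsconsole:
        srcip, dstip = fields.get("srcip"), fields.get("dstip")
        if srcip in SPOOFED_SRCIPS or (srcip is not None and srcip == dstip):
            hits.append("jsconsole_login_spoofed_srcip")   # high confidence
        else:
            hits.append("jsconsole_login")                 # review manually
    if fields.get("cfgpath") == "system.admin" and fields.get("action") == "Add":
        if from_jsconsole:
            hits.append("admin_added_via_jsconsole")
        if "accprofile[super_admin]" in fields.get("cfgattr", ""):
            hits.append("new_super_admin")
        if RANDOM_NAME_RE.match(fields.get("cfgobj", "")):
            hits.append("random_looking_admin_name")
    return hits


def scan(lines: List[str]) -> List[Dict[str, object]]:
    """Run the indicator rules over log lines and return only the matches."""
    findings = []
    for line in lines:
        fields = parse_fortios_log(line)
        hits = classify(fields)
        if hits:
            findings.append({"logdesc": fields.get("logdesc"), "user": fields.get("user"),
                             "cfgobj": fields.get("cfgobj"), "srcip": fields.get("srcip"),
                             "ui": fields.get("ui"), "indicators": hits})
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOGS):
        print(finding)
```

Point scan() at lines exported from the device's event log or from a syslog collector. A jsconsole login carrying one of the spoofed addresses, followed by an Add on system.admin from jsconsole, is the pair to escalate; a jsconsole login with a real address is reported at lower confidence so it can be reconciled against known administrator activity.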

Solution:

Fortinet's advisory advises upgrading to a fixed release: FortiOS 7.0.17 or above, FortiProxy 7.0.20 or above, or FortiProxy 7.2.13 or above (FortiOS 7.2, 7.4 and 7.6 are not affected). Where an upgrade is not immediately possible, Fortinet advises admins to disable the HTTP/HTTPS administrative interface, or to limit which IP addresses can reach the administrative interface via local-in policies, as a workaround. Because the attackers create their own admin and SSL VPN accounts, a device that was exposed while vulnerable should also be checked for the indicators above, and any unknown admin users, SSL VPN users, user groups and firewall policy changes removed, before it is considered clean.

Security systems matter: keep monitoring them as usual.
For more information please contact
Email: sales@inetms.co.th
065 149 2822 (Ms. Suphatson)
063 204 4534 (Ms. Atsamaphorn)
065 929 6330 (Ms. Kansinee)
061 387 9439 (Ms. Sirilak)
092 257 6902 (Ms. Narusorn)

References:

Fortinet PSIRT advisory FG-IR-24-535 (CVE-2024-55591): https://fortiguard.fortinet.com/psirt/FG-IR-24-535

Weekly Interesting CVE

No. | CVE Name | Published Date | Last Update | Device/Application/OS Target | Attack Type | CVSS Severity Rating | Detail | Solution | Reference

1. CVE-2025-22968
   Published: 15/1/2025   Last update: 15/1/2025
   Target: D-Link DWR-M972V 1.05SSG
   Attack type: Privilege Escalation
   CVSS: 7.2
   Detail: An issue in D-Link DWR-M972V 1.05SSG allows a remote attacker to execute arbitrary code via SSH using the root account without restrictions.
   Solution: No mitigation known.
   Reference: https://vuldb.com/?id.292010

2. CVE-2024-47572
   Published: 14/1/2025   Last update: 14/1/2025
   Target: FortiSOAR 7.2.1 through 7.2.2, 7.3.0 through 7.3.2, 7.4.0 through 7.4.1
   Attack type: CSV Injection
   CVSS: 8.3
   Detail: An improper neutralization of formula elements in a CSV file vulnerability in FortiSOAR may allow a remote authenticated attacker with user privileges to inject a malicious payload as a table record that can get executed on the target's machine when a high-privileged user exports it as a file.
   Solution: FortiSOAR 7.2: upgrade to 7.2.3 or above; FortiSOAR 7.3: upgrade to 7.3.3 or above; FortiSOAR 7.4: upgrade to 7.4.2 or above.
   Reference: https://fortiguard.fortinet.com/psirt/FG-IR-24-210

3. CVE-2025-0447
   Published: 15/1/2025   Last update: 15/1/2025
   Target: Google Chrome before version 132.0.6834.83
   Attack type: Privilege Escalation (via crafted HTML page)
   CVSS: 6.0
   Detail: Inappropriate implementation in Navigation in Google Chrome prior to 132.0.6834.83 allowed a remote attacker to perform privilege escalation via a crafted HTML page.
   Solution: Upgrade to 132.0.6834.83 or above.
   Reference: https://vuldb.com/?id.291925

4. CVE-2025-23082
   Published: 14/1/2025   Last update: 14/1/2025
   Target: Veeam Backup for Microsoft Azure 7.0 and 7.1
   Attack type: Server-Side Request Forgery
   CVSS: 7.2
   Detail: Veeam Backup for Microsoft Azure is vulnerable to Server-Side Request Forgery (SSRF). This may allow an unauthenticated attacker to send unauthorized requests from the system, potentially leading to network enumeration or facilitating other attacks.
   Solution: Upgrade to 7.1.0.59.
   Reference: https://www.veeam.com/kb4709 and https://vuldb.com/?id.291396

5. CVE-2025-21133
   Published: 14/1/2025   Last update: 14/1/2025
   Target: Adobe Illustrator on iPad versions 3.0.7 and earlier
   Attack type: Integer Underflow
   CVSS: 6.9
   Detail: Illustrator on iPad versions 3.0.7 and earlier are affected by an integer underflow vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation requires user interaction: a victim must open a malicious file.
   Solution: Upgrade to the latest version.
   Reference: https://vuldb.com/?id.291830
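The FortiSOAR entry (CVE-2024-47572) describes CSV, or formula, injection: a low-privilege user stores a cell that a spreadsheet later evaluates when a privileged user exports and opens the file. As an added example that is not FortiSOAR's code or Fortinet's fix, the following Python shows the vulnerable export next to a neutralized one, plus a check that scans an export for formula cells. The records and payload strings are constructed for illustration.

```python
import csv
import io
from typing import Any, Dict, List

# Leading characters that make spreadsheet applications evaluate a cell as a
# formula (CWE-1236). Tab and carriage return are included because some
# importers trim leading whitespace before looking for a formula trigger.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")

# Constructed sample records: one benign row and two carrying payloads of the
# kind an authenticated low-privilege user could store in a table record.
SAMPLE_RECORDS: List[Dict[str, Any]] = [
    {"id": "1", "name": "alice", "note": "routine ticket"},
    {"id": "2", "name": "bob", "note": "=cmd|' /C calc'!A0"},
    {"id": "3", "name": "@SUM(1+1)*cmd|' /C calc'!A0", "note": "-2+3+cmd|' /C calc'!A0"},
]


def neutralize_cell(value: Any) -> Any:
    """Prefix a formula-triggering string with an apostrophe so the importer
    stores it as text. Non-strings (numbers, None) are left alone so that real
    negative numbers are not turned into text."""
    if isinstance(value, str) and value.startswith(FORMULA_TRIGGERS):
        return "'" + value
    return value


def export_csv(records: List[Dict[str, Any]], safe: bool = True) -> str:
    """Export records to CSV text. safe=False reproduces the vulnerable
    behaviour (cells written as stored); safe=True neutralizes formula cells.
    Quoting alone does not help: the importer strips the quotes before it
    looks at the first character of the cell."""
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=list(records[0].keys()),
                            quoting=csv.QUOTE_ALL, lineterminator="\n")
    writer.writeheader()
    for rec in records:
        writer.writerow({k: (neutralize_cell(v) if safe else v) for k, v in rec.items()})
    return out.getvalue()


def formula_cells(csv_text: str) -> List[str]:
    """Return the cells in CSV text that a spreadsheet would treat as formulas;
    a pre-export check for files handed to privileged users."""
    return [cell for row in csv.reader(io.StringIO(csv_text)) for cell in row
            if cell.startswith(FORMULA_TRIGGERS)]


if __name__ == "__main__":
    print("vulnerable export:\n" + export_csv(SAMPLE_RECORDS, safe=False))
    print("neutralized export:\n" + export_csv(SAMPLE_RECORDS))
```

The apostrophe prefix is the widely used mitigation, but it does change the exported text, so values that legitimately begin with "-" or "+" (for example negative numbers stored as strings) come out as text cells; keep numeric columns typed as numbers rather than strings if that matters for the consumer of the export.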

No. | Campaign Name | Detection Date | Attack Type | Description | Mitigation/Remediation

1. FunkSec Ransomware Campaign
   Detection date: 13/01/2025
   Attack type: Ransomware
   Description: The FunkSec ransomware group emerged in late 2024, claiming over 80 victims in a single month. Characteristics include the use of artificial intelligence (AI) to develop attack tools, despite the group's lack of technical expertise. FunkSec employs a double-extortion strategy, encrypting files and stealing victims' data to extort ransom, and its motivations are a mix of political activism and cybercrime.
   Mitigation/Remediation:
   • Train users to be careful about opening attachments and clicking on links from untrusted sources.
   • Avoid downloading applications or files from unverified sources.
   • Maintain updated antivirus software to detect and block malicious activities.
   Reference: https://www.securityweek.com/emerging-funksec-ransomware-developed-using-ai/

04 February 2025
