A threat actor has reportedly advertised a zero-day exploit targeting Fortinet’s FortiGate firewalls on a prominent dark web forum.
The exploit claims to enable unauthenticated remote code execution (RCE) and full configuration access to FortiOS, allowing attackers to seize control of vulnerable devices without needing credentials.
This alarming development raises significant concerns about the security of Fortinet firewalls, widely used in enterprises and government agencies globally.
The forum post observed by ThreatMon boasts extensive capabilities, including access to sensitive configuration files extracted from compromised devices. These files purportedly contain:
- Local user credentials: encrypted passwords stored in local_users.json.
- Admin account details: permissions and trust relationships documented in admin_accounts.json.
- Two-factor authentication (2FA) status: information on FortiToken configurations (two_factor.json).
- Firewall policies and network configurations: complete rule sets, NAT mappings, internal IP assets, and address groups.
Such data could allow attackers to bypass security measures, infiltrate networks, and potentially launch further attacks. The exploit appears to target versions of FortiOS vulnerable to authentication bypass flaws, a recurring issue in Fortinet’s products.

Historical Context of Fortinet Vulnerabilities
Fortinet has faced multiple zero-day vulnerabilities in recent years. For example, earlier this year, the Belsen Group, a newly identified hacking entity, leaked configuration files for over 15,000 FortiGate firewalls.
That breach was linked to CVE-2022-40684, an authentication bypass vulnerability disclosed in October 2022. Despite being exploited two years ago, the leaked data remained relevant due to static firewall configurations.
More recently, Fortinet disclosed another critical vulnerability (CVE-2024-55591), enabling attackers to gain super-admin privileges through crafted requests.
This flaw impacted FortiOS versions 7.0.0 through 7.0.16 and FortiProxy versions 7.0.0 through 7.0.19 and 7.2.0 through 7.2.12. These incidents highlight a troubling pattern of exploitation targeting Fortinet’s products.
The advertised zero-day exploit poses serious risks for organizations relying on Fortinet firewalls:
- Unauthorized Access: Attackers could gain administrative control over devices, modify configurations, and extract sensitive data.
- Network Compromise: Exploited firewalls could serve as entry points for lateral movement within the network.
- Data Breaches: Leaked credentials and configuration files could lead to exposure of confidential information.
- Operational Disruption: Altered firewall policies may disrupt normal network operations or create vulnerabilities for future attacks.
Given that over 300,000 Fortinet firewalls are reportedly at risk from similar RCE bugs, the scale of potential damage is vast.
Fortinet has consistently urged users to apply patches promptly to mitigate product vulnerabilities. The company has also released advisories detailing indicators of compromise (IOCs) and recommended security measures, such as disabling HTTP/HTTPS administrative interfaces or restricting access via local policies.
However, patch adoption remains challenging: many devices exposed during past breaches were found unpatched months or years later.
As cybercriminals continue exploiting vulnerabilities in widely-used security products like Fortinet’s firewalls, organizations must prioritize proactive measures:
- Regularly update the firmware to the latest versions.
- Monitor network traffic for unusual activity.
- Implement strict access controls for administrative interfaces.
- Conduct periodic audits of firewall configurations.
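As an added illustration of the two hardening options named above (disabling the HTTP/HTTPS administrative interface, or restricting it to known sources) the FortiOS CLI fragment below is written for this article and is not configuration from the article, ThreatMon, or Fortinet; the interface name wan1, the address object mgmt-hosts and the 10.10.0.0/24 management range are assumed placeholders, and the # lines are annotations only.

```text
# Assumed exposed state: HTTPS, HTTP and SSH management reachable from
# any source on the internet-facing interface, with no trusted hosts.
config system interface
    edit "wan1"
        set allowaccess ping https ssh http
    next
end

# Option A (disable): remove every management protocol from the
# WAN-facing interface; administer the device from an internal interface.
config system interface
    edit "wan1"
        set allowaccess ping
    next
end

# Option B (restrict): keep HTTPS/SSH on wan1 but pin each administrator
# account to the management subnet, so logins from elsewhere are refused.
config system admin
    edit "admin"
        set trusthost1 10.10.0.0 255.255.255.0
    next
end

# Option B continued: local-in policies govern traffic addressed to the
# firewall itself. Accept management services only from mgmt-hosts, then
# deny the same services from any other source on wan1.
config firewall address
    edit "mgmt-hosts"
        set subnet 10.10.0.0 255.255.255.0
    next
end
config firewall local-in-policy
    edit 1
        set intf "wan1"
        set srcaddr "mgmt-hosts"
        set dstaddr "all"
        set action accept
        set service "HTTPS" "SSH"
        set schedule "always"
    next
    edit 2
        set intf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action deny
        set service "HTTPS" "HTTP" "SSH"
        set schedule "always"
    next
end
```

After applying either option, confirm from a host outside the management range that the administrative interface no longer responds, and keep the trusthost and local-in entries under the periodic configuration audits recommended above.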
This latest zero-day exploit underscores the evolving sophistication of cyber threats and the critical need for robust cybersecurity practices across all sectors.
The post Hackers Allegedly Selling FortiGate Firewall 0-Day Exploit on Dark Web Forum appeared first on Cyber Security News.