Fortinet reports a serious vulnerability in its FortiGate firewalls. A patch is available, but that may already be too late for many companies.
Security vendor Fortinet has published a bulletin detailing vulnerabilities in FortiOS and FortiProxy, the software running on the company’s FortiGate firewalls. These are currently being actively exploited. The vulnerability allows attackers to bypass authentication and remotely grant themselves super-admin privileges, after which they can move freely through the corporate network.
Fortinet warns that the vulnerability is currently being actively exploited and asks customers to update as soon as possible. That advice is echoed by the U.S. cybersecurity agency CISA. With a CVSS score of 9.6 on a scale of 10, the vulnerability is labeled “critical”.
In the bulletin, Fortinet lists the affected versions of FortiOS and FortiProxy. FortiOS 7.0 to 7.0.16 is affected and should be updated to version 7.0.17 or newer. For FortiProxy, versions 7.0 to 7.0.19 and 7.2 to 7.2.12 are vulnerable. Again, the message is to upgrade to a patched version.
Band-aid on the wound
The patch may come too late this time. Security firm Arctic Wolf noticed a spike in “suspicious activity” around FortiGate firewalls in December. At that time, the vulnerability was still a zero-day that was not on Fortinet’s radar. How many companies may have been compromised during that period is unknown. Further research is needed to estimate the impact of the vulnerability, Arctic Wolf concluded in its earlier analysis.
In addition to installing firmware updates, FortiGate users are urged to search logs for signs of abuse and block management interfaces on the public Internet connection. Arctic Wolf Labs emphasizes that such interfaces should only be accessible to internal users. Misconfigurations that allow external access significantly increase the attack surface and risk of misuse.
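The two recommendations above (search logs for signs of abuse, and keep the management interface off the public Internet) can be turned into a simple triage pass over exported event logs. The script below is an added example written for this article; it is not code from Fortinet, Arctic Wolf or the original page. The log lines are constructed, and the FortiOS-style key=value field names (`action`, `status`, `srcip`, `ui`, `cfgpath`, `cfgobj`) are approximations assumed for the example; the "internal" address ranges are a policy assumption that an operator would replace with their own management networks. It flags administrator logins that reach the management interface from a non-internal address (which, per Arctic Wolf's advice, should not be reachable at all) and the creation of new administrator accounts, which is the kind of post-authentication-bypass activity the article describes.

```python
import ipaddress
import re

# Constructed FortiOS-style event log lines (key=value format). The field
# names approximate admin-login and config-change events and are assumptions
# made for this example, not copied from a real device or from the article.
SAMPLE_LOGS = [
    'date=2024-12-05 time=02:13:44 type=event subtype=system action=login '
    'status=success user=admin ui=https(203.0.113.45) srcip=203.0.113.45 '
    'msg="Administrator admin logged in successfully"',
    'date=2024-12-05 time=02:14:10 type=event subtype=system action=Add '
    'status=success user=admin ui=jsconsole cfgpath=system.admin '
    'cfgobj=svc_backup msg="Add system.admin svc_backup"',
    'date=2024-12-05 time=09:00:01 type=event subtype=system action=login '
    'status=success user=admin ui=https(10.0.5.12) srcip=10.0.5.12 '
    'msg="Administrator admin logged in successfully"',
    'date=2024-12-05 time=09:30:00 type=event subtype=system action=login '
    'status=failed user=root ui=ssh(198.51.100.7) srcip=198.51.100.7 '
    'msg="Administrator root login failed"',
]

# Networks from which management access is expected (assumption: RFC 1918).
INTERNAL_NETS = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
]

# Matches key=value pairs where the value is either a double-quoted string
# (possibly containing spaces) or a run of non-whitespace characters.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_fortios_line(line: str) -> dict:
    """Parse one key=value style event line into a dict, stripping quotes."""
    fields = {}
    for key, raw in KV_RE.findall(line):
        fields[key] = raw[1:-1] if raw.startswith('"') else raw
    return fields


def is_internal(ip: str) -> bool:
    """True if the address falls inside one of the expected management nets."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in INTERNAL_NETS)


def triage(lines):
    """Return (timestamp, rule, detail) findings for lines that merit review."""
    findings = []
    for line in lines:
        f = parse_fortios_line(line)
        if f.get("type") != "event":
            continue
        ts = f"{f.get('date', '?')} {f.get('time', '?')}"
        action = f.get("action", "").lower()
        src = f.get("srcip", "")

        # Rule 1: any admin login attempt (successful or not) from an address
        # outside the internal ranges means the management interface is
        # reachable from where it should not be.
        if action == "login" and src and not is_internal(src):
            findings.append((
                ts, "mgmt-login-from-public-ip",
                f"user={f.get('user')} srcip={src} status={f.get('status', 'unknown')}",
            ))

        # Rule 2: creation of a new administrator account is worth a second
        # look after an authentication-bypass incident.
        if action == "add" and f.get("cfgpath") == "system.admin":
            findings.append((
                ts, "new-admin-account",
                f"by={f.get('user')} account={f.get('cfgobj')} ui={f.get('ui')}",
            ))
    return findings


if __name__ == "__main__":
    for ts, rule, detail in triage(SAMPLE_LOGS):
        print(f"{ts}  {rule:28s}  {detail}")
```

Successful logins from internal addresses (the third sample line) are left alone; the first and last lines trip the public-address rule regardless of whether the login succeeded, and the second line trips the new-account rule. Real logs will need the field names checked against the device's own log reference before the rules are trusted.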
48,000 vulnerable firewalls
According to figures from ShadowServer, there are 48,146 vulnerable firewalls spread around the globe. These are devices whose owners have not yet acted on Fortinet’s advice and so have not installed the patch. There are 20,000 vulnerable firewalls in Asia and a good 7,000 in Europe. In Belgium, the counter stands at a modest 149, but we hope that these companies will take notice and take action.
Fortinet has had a rough start to 2025. In addition to this vulnerability, an old leak from 2022 has resurfaced, exposing data from 15,000 FortiGate devices. Above all, it shows that no single tool can provide complete protection, least of all a firewall. Those without additional defenses are easy prey once attackers get past the firewall.
This article originally appeared on Jan. 15 and was updated with the latest information.