Mass Exploitation of FortiGate Devices Underway
Security researchers are warning of widespread exploitation campaigns targeting Fortinet FortiGate firewalls. The Shadowserver Foundation estimates over 50,000 devices have been compromised globally.
Campaign Overview
The attacks leverage a combination of vulnerabilities:
- CVE-2024-21762: Authentication bypass (patched Dec 2024)
- CVE-2025-47889: Configuration exposure (patched Oct 2025)
- Attackers are chaining these for persistent access
Scale of Exploitation
According to Shadowserver Foundation data:
| Region | Compromised Devices |
|---|---|
| North America | 12,400 |
| Europe | 15,800 |
| Asia-Pacific | 18,200 |
| Other | 4,600 |
Attack Chain
Researchers have documented the typical attack flow:
- Initial Access: Exploit CVE-2024-21762 for authentication bypass
- Persistence: Create hidden admin accounts
- Configuration Theft: Extract VPN credentials and firewall rules
- Lateral Movement: Use stolen VPN creds for network access
- Long-term Access: Install persistent backdoors
Indicators of Compromise
Suspicious Admin Accounts
Check for unexpected administrative users:
# Look for accounts created after compromise date
# Common malicious usernames observed:
- support_tech
- fgt_admin
- system_backup
- maintenanceModified Files
# Files commonly modified:
/data/config/current-config
/data/etc/admin-pass
/data/lib/libauth.soDetection Steps
- Review all admin accounts and their creation dates
- Audit VPN user logs for anomalies
- Check for configuration changes
- Review outbound connections from firewall
- Verify firmware hasn't been modified
Fortinet's Response
Fortinet has issued updated guidance:
- Verify running latest firmware version
- Enable and review audit logging
- Implement network segmentation
- Consider temporary VPN disable if suspected compromise
Recommended Actions
Immediate
- Update to latest FortiOS version
- Audit all administrator accounts
- Rotate all administrative credentials
- Review recent configuration changes
Short-term
- Enable comprehensive logging
- Implement configuration backup monitoring
- Deploy network detection capabilities
- Review firewall rules for unauthorized changes
If Compromised
- Isolate affected devices
- Preserve forensic evidence
- Reset to factory and restore known-good config
- Assume VPN credentials are compromised
Patch Information
| FortiOS Version | Status |
|---|---|
| 7.4.x | Update to 7.4.3 or later |
| 7.2.x | Update to 7.2.8 or later |
| 7.0.x | Update to 7.0.16 or later |
| 6.4.x | End of support - upgrade |
Expert Analysis
"Organizations need to treat firewall compromises as full network compromises," warned a threat researcher. "Attackers gaining access to firewall configurations have visibility into the entire network architecture."
Sources: Fortinet PSIRT, Shadowserver Foundation, BleepingComputer