Arctic Wolf described a campaign targeting FortiGate firewalls with exposed management interfaces. Attackers exploited a 0-day vulnerability to gain super-admin access, then created new administrator accounts and configured SSL VPN connections. Link for our Vulnerability Intelligence feed (MVI-watch) customers: here.
No CVE has been assigned by Fortinet.
This activity began in mid-November 2024, evidenced by extensive use of the “jsconsole” interface from unusual IP addresses, followed by the creation of administrator accounts and the set-up of SSL VPN tunnels.
We advise organizations to immediately disable public access to firewall management interfaces and to review their devices for suspicious activity. Where remote management cannot be avoided, limit the IP addresses that can reach the HTTP/HTTPS administration interface with a local-in policy that restricts access to a predefined address group on the management interface (e.g., port1).
We also advise hunting for administrator accounts created or modified since mid-November, and checking devices for listening ports that cannot be explained (particularly 4433, 59449 and 59450, which the attackers used for their SSL VPN portals).
An IPS signature may have been provided by the vendor, but it needs to be enabled manually.
The Orange Cyberdefense CERT is tracking developments regarding this vulnerability and publishes World Watch advisory updates as new relevant information becomes available. More information on how to access this can be found here.
Orange Cyberdefense’s Datalake platform provides access to Indicators of Compromise (IoCs) related to this threat, which are automatically fed into our Managed Threat Detection services. This enables proactive hunting for IoCs if you subscribe to our Managed Threat Detection service that includes Threat Hunting. If you would like us to prioritize addressing these IoCs in your next hunt, please make a request through your MTD customer portal or contact your representative.
Orange Cyberdefense’s MTI [protect] service offers the ability to automatically feed network-related IoCs into your security solutions. To learn more about this service and to find out which firewall, proxy, and other vendor solutions are supported, please get in touch with your Orange Cyberdefense Trusted Solutions representative.
Please feel free to contact Orange Cyberdefense CERT if you suspect any potential compromise or if you require remediation expertise regarding this matter.
Arctic Wolf Labs analyzed a recent attack on Fortinet FortiGate devices, discovering sophisticated, persistent tactics. The 0-day vulnerability remains undisclosed by Fortinet and lacks a CVE number. Arctic Wolf warns that the vulnerability leaves no obvious traces in standard security logs, complicating immediate detection.
The campaign starts with attackers using automated scanners to find FortiGate devices exposed online. They exploit an as yet unidentified 0-day vulnerability to bypass authentication and gain super-admin access, which lets them perform a range of malicious actions. Arctic Wolf observed attackers creating hidden administrator accounts whose names resemble legitimate ones, complicating detection. These accounts give attackers full control over the device, allowing them to change the configuration, disable security features, and set up backdoors for future access.
Attackers used SSL VPN connections to conceal their traffic and impersonate users, enabling them to exfiltrate data, deploy malware, and reach other parts of the network undetected. Arctic Wolf reports that these actors often changed the SSL VPN portal port (to 4433, 59449 or 59450, for instance) between sessions. Because the traffic through these VPNs is encrypted, detecting malicious activity within it is harder.
Arctic Wolf reveals that attackers alter device settings to avoid detection and stay on compromised networks longer. They manipulate logs, change configurations to block updates, and create scheduled tasks to reopen backdoors if removed.
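The hunting guidance above (new or modified administrator accounts since mid-November, unexplained SSL VPN ports) and the tactics Arctic Wolf describes (jsconsole use from unusual addresses, lookalike admin accounts, VPN port changes) can be turned into a log triage script. The following is an added example, not code from this advisory or from Arctic Wolf. The log lines are constructed to approximate FortiOS key=value event logs; the field names follow FortiOS conventions (ui, srcip, cfgpath, cfgobj, cfgattr, action), but every value, IP address (taken from documentation ranges) and account name is invented, and the allowlist of management hosts is an assumption you would replace with your own trusthosts.

```python
"""Hunt FortiOS event logs for the behaviours described in the advisory.

Added example (not from the advisory or from Arctic Wolf). The sample log
lines are constructed to approximate FortiOS key=value event logs; field
names follow FortiOS conventions but every value is invented.
"""
import difflib
import re
from datetime import date

# Management hosts allowed to reach the admin interface (assumption for
# the example; replace with your own trusthosts / local-in policy group).
ALLOWED_MGMT_IPS = {"10.0.0.5"}
# Legitimate administrator names, used to spot lookalike accounts.
KNOWN_ADMINS = {"admin"}
# SSL VPN ports the advisory singles out.
SUSPECT_VPN_PORTS = {"4433", "59449", "59450"}

# Constructed sample logs (not real captures). 203.0.113.0/24 and
# 198.51.100.0/24 are documentation ranges standing in for attacker IPs.
SAMPLE_LOGS = [
    'date=2024-11-17 time=09:12:01 type="event" subtype="system" logdesc="Admin login successful" user="admin" ui="https(10.0.0.5)" srcip=10.0.0.5 action="login" status="success"',
    'date=2024-11-18 time=03:41:22 type="event" subtype="system" logdesc="Admin login successful" user="admin" ui="jsconsole" srcip=203.0.113.77 action="login" status="success"',
    'date=2024-11-18 time=03:42:10 type="event" subtype="system" logdesc="Object attribute configured" user="admin" ui="jsconsole(203.0.113.77)" action="Add" cfgpath="system.admin" cfgobj="adnin" cfgattr="accprofile[super_admin]"',
    'date=2024-11-19 time=02:15:44 type="event" subtype="system" logdesc="Object attribute configured" user="adnin" ui="jsconsole(203.0.113.77)" action="Edit" cfgpath="vpn.ssl.settings" cfgobj="" cfgattr="port[443->4433]"',
    'date=2024-11-20 time=04:07:03 type="event" subtype="system" logdesc="Object attribute configured" user="adnin" ui="jsconsole(198.51.100.23)" action="Edit" cfgpath="vpn.ssl.settings" cfgobj="" cfgattr="port[4433->59449]"',
    'date=2024-10-02 time=11:30:00 type="event" subtype="system" logdesc="Object attribute configured" user="admin" ui="https(10.0.0.5)" action="Add" cfgpath="system.admin" cfgobj="backup_ops" cfgattr="accprofile[super_admin]"',
    'date=2024-11-16 time=10:05:09 type="event" subtype="system" logdesc="Admin login successful" user="admin" ui="jsconsole" srcip=10.0.0.5 action="login" status="success"',
]

KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
UI_IP_RE = re.compile(r"\(([\d.]+)\)")
PORT_CHANGE_RE = re.compile(r"port\[(\d+)->(\d+)\]")


def parse_fortios_line(line):
    """Split a FortiOS key=value line into a dict; quoted values may contain spaces."""
    return {key: quoted or bare for key, quoted, bare in KV_RE.findall(line)}


def looks_like(name, known, threshold=0.8):
    """True if name is a near-duplicate of a known admin name but not identical."""
    return any(
        name != k and difflib.SequenceMatcher(None, name, k).ratio() >= threshold
        for k in known
    )


def hunt(lines, allowed_mgmt_ips=ALLOWED_MGMT_IPS, known_admins=KNOWN_ADMINS,
         since=date(2024, 11, 15)):
    """Return a list of findings for events dated on or after `since`."""
    findings = []
    for line in lines:
        ev = parse_fortios_line(line)
        try:
            when = date.fromisoformat(ev.get("date", ""))
        except ValueError:
            continue  # malformed or undated line: nothing to hunt on
        if when < since:
            continue
        ui = ev.get("ui", "")
        # Login events carry srcip; config-change events embed the client IP in ui.
        ip_in_ui = UI_IP_RE.search(ui)
        src = ev.get("srcip") or (ip_in_ui.group(1) if ip_in_ui else "")
        base = {"date": ev["date"], "user": ev.get("user", ""), "src": src}

        # 1. jsconsole activity from an address that is not a known management host.
        if "jsconsole" in ui and src not in allowed_mgmt_ips:
            findings.append({**base, "kind": "jsconsole_from_unexpected_ip", "detail": ui})

        # 2. New administrator accounts; flag names that mimic legitimate admins.
        if ev.get("cfgpath") == "system.admin" and ev.get("action") == "Add":
            new_admin = ev.get("cfgobj", "")
            kind = ("lookalike_admin_account_added" if looks_like(new_admin, known_admins)
                    else "admin_account_added")
            findings.append({**base, "kind": kind, "detail": new_admin})

        # 3. SSL VPN port changes, marking the ports named in the advisory.
        if ev.get("cfgpath") == "vpn.ssl.settings":
            m = PORT_CHANGE_RE.search(ev.get("cfgattr", ""))
            if m:
                old, new = m.groups()
                findings.append({**base, "kind": "sslvpn_port_changed",
                                 "detail": f"{old}->{new}",
                                 "suspect_port": new in SUSPECT_VPN_PORTS})
    return findings


if __name__ == "__main__":
    for finding in hunt(SAMPLE_LOGS):
        print(finding)
```

On the constructed sample the script skips the October account creation (outside the hunting window), ignores the jsconsole login from the allowed management host, and reports the jsconsole activity from the two unexpected addresses, the "adnin" account that mimics "admin", and the two SSL VPN port changes to 4433 and 59449. Feed it exported FortiGate event logs and extend the allowlist and known-admin set to match your environment.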
The latest Security Navigator 2025 from Orange Cyberdefense underscores the growing risks associated with unpatched vulnerabilities, highlighting the need for organizations to adopt a proactive approach to vulnerability management.
Orange Cyberdefense reviewed over 32,000 distinct CVEs in clients’ environments, noting that patching delays create substantial exploitation risk. VPNs and similar edge technologies are particularly at risk: their exposure and their critical role in securing organizational networks make them prime targets for attackers.
To address these risks, Orange Cyberdefense advocates for adopting a threat-informed approach, including:
Prioritization Using Advanced Tools: Leveraging systems like the Exploit Prediction Scoring System (EPSS) to focus on vulnerabilities most likely to be exploited, including high-severity zero-days.
Vendor Collaboration: Proactively engaging with vendors to expedite patch availability and implementation.
Holistic Vulnerability Management: Moving beyond reactive patching to a proactive strategy that incorporates continuous monitoring, timely patch deployment, and addressing root causes of systemic flaws.