
FortiOS & FortiProxy – Authentication bypass in Node.js websocket module vulnerability

Release date
15 January 2025
Alert rating
Critical

Description

Fortinet has released information regarding a vulnerability affecting FortiOS 7.0 and FortiProxy 7.0 and 7.2. ASD’s ACSC recommends customers follow the advice contained in Fortinet’s notification.

Audience

Small & medium businesses; Organisations & Critical Infrastructure; Government

Current update

This alert is relevant to Australian organisations that use affected Fortinet products. This alert is intended to be understood by technical users.

Customers are encouraged to upgrade to the latest version of FortiOS and FortiProxy and apply the mitigations, as detailed in the Fortinet notification.

Background / What has happened?

  • Fortinet has identified a critical vulnerability in FortiOS and FortiProxy. The vulnerability may allow an unauthenticated remote attacker to gain “super-admin” privileges.
  • Fortinet’s vulnerability notification describes possible Indicators of Compromise (IOCs) and IP addresses associated with the threat actor, which may assist in identifying suspicious activity.
  • Fortinet has observed active exploitation of this vulnerability.
  • Fortinet advises that threat actors have been observed performing the following post-exploitation activities:
    • Creating an admin account on the device with a random user name.
    • Creating a local user account on the device with a random name.
    • Creating a user group, or adding the above local user to an existing SSL VPN user group.
    • Adding or changing other settings (firewall policy, etc.).
    • Logging in to the SSL VPN with the above-added local users to obtain a tunnel into the internal network.
  • Affected versions:
    • FortiOS 7.0: 7.0.0 through 7.0.16
    • FortiProxy 7.0: 7.0.0 through 7.0.19
    • FortiProxy 7.2: 7.2.0 through 7.2.12

Mitigation / How do I stay secure?

ASD’s ACSC recommends businesses, organisations and government entities:

  • Follow Fortinet’s published advice for affected versions.
  • Upgrade to the latest FortiOS and FortiProxy versions.
  • Investigate for potential compromise of these products, leveraging the published IOCs.
  • Monitor and investigate for suspicious activity in connected environments.
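The post-exploitation sequence Fortinet describes (a new admin with a random name, a new local user, that user added to an SSL VPN group, policy changes, then an SSL VPN tunnel by the new user) leaves a trail in the device’s own event logs. The following Python script is an added example, not Fortinet’s or ASD’s tooling, of how to hunt for that sequence in FortiGate-style key="value" event logs when investigating for compromise. It correlates across lines: accounts created inside the log window are remembered, so a later group edit, policy change or SSL VPN tunnel involving one of them is flagged. The field names used (cfgpath, cfgobj, cfgattr, action, user, subtype, tunneltype) follow the general layout of FortiGate configuration-change and VPN event logs but must be checked against your own log exports; the sample log lines, the baseline of known accounts, the account names and the “random-looking name” heuristic are all constructed for illustration.

```python
"""Hunt FortiGate-style key="value" event logs for the post-exploitation
pattern described in the advisory.  Added example; field names are assumed
and the sample lines below are constructed, not captured from a device."""
import re

# Assumed baseline: accounts that legitimately exist on this device.
KNOWN_ADMINS = {"admin"}
KNOWN_LOCAL_USERS = {"jsmith", "mwong"}

# Config objects the advisory says the actor creates or modifies.
SUSPICIOUS_CFGPATHS = {"system.admin", "user.local", "user.group", "firewall.policy"}

# key=value pairs; values are either "quoted (may contain spaces)" or bare.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_line(line):
    """Return the log line as a dict with surrounding quotes stripped."""
    fields = {}
    for key, val in KV_RE.findall(line):
        if len(val) >= 2 and val[0] == '"' and val[-1] == '"':
            val = val[1:-1]
        fields[key] = val
    return fields


def looks_random(name):
    """Constructed heuristic for the 'random user name' the advisory mentions:
    6-16 alphanumeric chars mixing at least two of upper/lower/digit."""
    if not (6 <= len(name) <= 16) or not name.isalnum():
        return False
    classes = sum(1 for f in (str.isupper, str.islower, str.isdigit)
                  if any(f(c) for c in name))
    return classes >= 2


def hunt(lines):
    """Return findings; each is {'line': index, 'actor': user, 'reasons': [...]}."""
    findings = []
    new_accounts = set()  # admins/local users created inside this log window
    for idx, line in enumerate(lines):
        ev = parse_line(line)
        if ev.get("type") != "event":
            continue
        actor = ev.get("user", "")
        reasons = []
        cfgpath = ev.get("cfgpath")
        if cfgpath in SUSPICIOUS_CFGPATHS:
            action, obj = ev.get("action", ""), ev.get("cfgobj", "")
            if actor not in KNOWN_ADMINS:
                reasons.append(f"config change by unrecognised admin '{actor}'")
            if cfgpath == "system.admin" and action == "Add" and obj not in KNOWN_ADMINS:
                reasons.append(f"new admin account '{obj}'")
                new_accounts.add(obj)
            elif cfgpath == "user.local" and action == "Add" and obj not in KNOWN_LOCAL_USERS:
                reasons.append(f"new local user '{obj}'")
                new_accounts.add(obj)
            elif cfgpath == "user.group":
                # cfgattr assumed to read "member[old list->new list]"; take the new list
                members = set(re.findall(r"\w+", ev.get("cfgattr", "").split("->")[-1]))
                joined = members & new_accounts
                if joined:
                    reasons.append(f"account(s) {sorted(joined)} created in this window added to group '{obj}'")
            elif cfgpath == "firewall.policy" and actor in new_accounts:
                reasons.append(f"firewall policy {obj} changed by account created in this window")
            if cfgpath in ("system.admin", "user.local") and looks_random(obj):
                reasons.append(f"random-looking name '{obj}'")
        elif ev.get("subtype") == "vpn" and ev.get("action") == "tunnel-up":
            if actor in new_accounts:
                reasons.append(f"SSL VPN tunnel by account '{actor}' created in this window")
            elif actor not in KNOWN_LOCAL_USERS:
                reasons.append(f"SSL VPN tunnel by unrecognised user '{actor}'")
        if reasons:
            findings.append({"line": idx, "actor": actor, "reasons": reasons})
    return findings


# Constructed sample window (names, IPs and times are illustrative only).
P = 'date=2025-01-15 devname="fgt-edge" type="event" '
CONSTRUCTED_LOGS = [
    P + 'time=09:12:01 subtype="system" action="Edit" user="admin" ui="GUI(10.0.0.5)" cfgpath="firewall.policy" cfgobj="12" cfgattr="comments[]" msg="Edit firewall.policy 12"',
    P + 'time=09:13:22 subtype="system" action="Add" user="admin" ui="GUI(203.0.113.10)" cfgpath="system.admin" cfgobj="xK9pQz2v" msg="Add system.admin xK9pQz2v"',
    P + 'time=09:14:05 subtype="system" action="Add" user="xK9pQz2v" cfgpath="user.local" cfgobj="Hq7tRm3z" msg="Add user.local Hq7tRm3z"',
    P + 'time=09:14:40 subtype="system" action="Edit" user="xK9pQz2v" cfgpath="user.group" cfgobj="sslvpn-users" cfgattr="member[jsmith mwong->jsmith mwong Hq7tRm3z]" msg="Edit user.group sslvpn-users"',
    P + 'time=09:15:10 subtype="system" action="Add" user="xK9pQz2v" cfgpath="firewall.policy" cfgobj="99" msg="Add firewall.policy 99"',
    P + 'time=09:20:05 subtype="vpn" action="tunnel-up" tunneltype="ssl-tunnel" user="Hq7tRm3z" group="sslvpn-users" remip=198.51.100.23 msg="SSL tunnel established"',
    P + 'time=09:21:30 subtype="vpn" action="tunnel-up" tunneltype="ssl-tunnel" user="jsmith" group="sslvpn-users" remip=198.51.100.77 msg="SSL tunnel established"',
]

if __name__ == "__main__":
    for f in hunt(CONSTRUCTED_LOGS):
        print(f"line {f['line']} actor={f['actor']}: " + "; ".join(f["reasons"]))
```

Run against a real export, the baseline sets should be populated from a known-good configuration backup, and hits on system.admin or user.local creation should be cross-checked against the IOCs in Fortinet’s notification rather than treated as proof on their own; the name heuristic is deliberately loose and will also match some legitimate service accounts.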

Further information and details can be found in Fortinet’s vulnerability notification.

Assistance / Where can I go for help?

Organisations that have been impacted, suspect impact or require advice and assistance can contact us via 1300 CYBER1 (1300 292 371) or asd.assist@defence.gov.au
