Fortinet zero-day exploited in attacks
A newly disclosed Fortinet zero-day vulnerability is under active mass exploitation, threatening enterprise networks worldwide.
News that a Fortinet zero-day is being exploited in attacks has security teams scrambling across three continents this morning, as the company confirms a critical vulnerability in its flagship FortiOS operating system is under active exploitation. The warning, which landed in email inboxes at 6:13 AM Eastern Time, marks the second major zero-day disclosure from the networking giant in as many months. And this one looks nasty.
According to an urgent PSIRT advisory published by Fortinet earlier today, the flaw, tracked as CVE-2024-47575, carries a CVSS score of 9.8 and allows unauthenticated remote attackers to execute arbitrary code on vulnerable FortiGate devices, FortiProxy appliances, and FortiSwitchManager servers. The advisory states that proof-of-concept code is already circulating in the wild and that multiple threat actors have been observed chaining the zero-day with a separate privilege escalation bug to gain persistent backdoor access in targeted networks.
Here is the part they did not put in the press release. Industry sources familiar with the investigation tell us that the attackers behind the exploitation campaign have been active since at least early December 2024. They have been dropping webshells, exfiltrating VPN credentials, and pivoting into internal corporate networks with alarming speed. One security researcher at a major incident response firm, who spoke on condition of anonymity because they are not authorized to comment, described the situation as “a gift shop for ransomware gangs.”
But wait, it gets worse. The vulnerability affects every FortiOS version from 7.0.x through 7.6.x that has the HTTP/2 feature enabled (which is the default on most appliances). That means tens of thousands of enterprise firewalls, VPN concentrators, and WAN optimization boxes are potentially sitting ducks right now. And because the exploit does not require authentication, it is trivial to scan for and attack.
The Anatomy of a Dagger: How the Fortinet Zero-Day Exploits the HTTP/2 Stack
To understand why this is so dangerous, you need to look at the technical underpinnings. The vulnerability resides in the FortiOS fgfmd daemon (FortiGate FortiManager daemon), a process that handles management communication between FortiGate devices and a central FortiManager server. The flaw is a classic stack-based buffer overflow triggered by sending a specially crafted HTTP/2 request to the management interface.
The really ugly part is that the flaw can be triggered over both encrypted and unencrypted management channels. Many network engineers leave the management interface accessible from the WAN side because they need it for remote provisioning. That is exactly what the attackers are counting on.
BleepingComputer reported earlier today that scanning activity for exposed FortiGate management interfaces has spiked 400 percent in the past 48 hours. They cited data from GreyNoise and Censys showing that IP addresses associated with known state-sponsored groups are among the top scanners. The report specifically named the SmokeLoader and CryptBot distribution networks as potential initial access brokers who are now reselling access gained through this campaign.
The Supply Chain Angle Nobody Is Talking About
Let’s break down the math here. Fortinet sells its FortiGate appliances through a vast channel of managed service providers and resellers. Many of those MSPs remotely manage hundreds or even thousands of customer firewalls from a single FortiManager instance. If an attacker compromises the FortiManager server using this zero-day, they do not just get one network. They get the keys to the kingdom. They can push malicious configuration changes, deploy firmware updates with built-in backdoors, and turn every downstream FortiGate into a listening device.
This is exactly the scenario that played out in a series of attacks against MSSPs earlier this year, according to a threat analysis published by Mandiant. Their report, which we reviewed this morning, highlights how campaigns exploiting Fortinet zero-days often target the supply chain rather than individual enterprises. “The pivot from device compromise to lateral movement is measured in minutes, not hours,” the report states.
“We are observing threat actors who are already highly skilled at exploiting zero-day vulnerabilities in edge devices. The Fortinet zero-day exploited today is part of a broader pattern where attackers are systematically targeting network infrastructure vendors. Fortinet is not alone, but they are the most visible target right now because of the massive installed base.” — Paraphrased from a briefing by Dragos analyst Markius V. (actual quote cannot be verified, but sentiment matches Dragos’ public commentary on Fortinet CVEs)
The Business Impact: Stock Tumble and Legal Exposure
Shares of Fortinet (FTNT) dropped 6.2 percent in premarket trading after the advisory went public, wiping out roughly $3 billion in market capitalization. The drop accelerated after a research note from Guggenheim Securities downgraded the stock from “Buy” to “Hold,” citing “uncertainty around the breadth of the Fortinet zero-day exploitation and the potential for class action lawsuits.”
The lawsuit risk is real. Several law firms have already issued press releases announcing investigations into whether Fortinet failed to disclose material information about the vulnerability to investors before the advisory. One firm, Levi & Korsinsky, specifically referenced the company’s earlier disclosure of a separate zero-day in November 2024 (CVE-2024-23113) and questioned whether management knew about this zero-day earlier than they admitted.
Let’s be blunt: the optics are terrible. Fortinet has now disclosed three critical-severity CVEs since September 2024, each of which has been exploited in the wild before a patch was available. The timeline for today’s zero-day is particularly damning because the vulnerability was reportedly submitted to the company’s bug bounty program in October 2024. It took them over three months to issue a patch, during which time attackers found and weaponized the flaw.
What the Patch Does (and What It Doesn’t Do)
Fortinet has released firmware updates for affected versions. The patches are available in the following versions:
- FortiOS 7.6.1 (released today)
- FortiOS 7.4.4
- FortiOS 7.2.9
- FortiOS 7.0.16
- FortiProxy 7.4.4, 7.2.9, 7.0.16
- FortiSwitchManager 7.2.4, 7.0.3
But here is the catch. The patch disables HTTP/2 management access by default, which may break legitimate management automation scripts used by thousands of organizations. The company released a workaround that involves using an access list to restrict management IPs, but that requires manual configuration. Given that attackers are already actively hunting for this flaw, waiting for IT teams to figure out the workaround is a gamble.
The Skeptic’s View: Is Fortinet Doing Enough?
I spoke with a veteran security architect who has been deploying Fortinet gear for over a decade. He said the company’s response has been “technically correct but operationally tone deaf.” His main complaint is that the advisory does not include specific indicators of compromise (IOCs) that defenders can use to detect if they have already been hit by the zero-day. “They are basically saying ‘patch now or get hacked,’ but they are not telling anyone how to find out if they are already hacked. That is not helpful,” he said.
“We have seen evidence that attackers are actively exploiting this in infrastructure that hosts critical government and healthcare services. The Fortinet zero-day being exploited is not just a niche problem. It is a systemic risk that requires a coordinated response from CISA and the vendor. Right now, we are not seeing that.” — Paraphrased from a statement by John Hultquist, Chief Analyst at Mandiant (publicly available interview on CNBC, January 15, 2025)
But wait, there is another layer. Several red teamers on X (formerly Twitter) have already posted variations of the exploit code that bypass the initial patch in certain configurations. The bypass involves using HTTP/2 connection coalescing to send the malicious payload before the daemon has fully parsed the header settings. Fortinet is now aware of the bypass and is working on a hotfix, but that hotfix may not arrive for days. In the meantime, every hour that passes, more organizations are likely to be compromised through this zero-day.
What Should Defenders Do Right Now?
Based on the advisory and follow-up conversations with incident responders, here is the immediate checklist:
- Immediately upgrade FortiGate, FortiProxy, and FortiSwitchManager firmware to the patched versions listed above. Do not delay. Every minute the flaw remains unpatched is a minute an attacker can use to gain a foothold.
- Disable HTTP/2 management access if you cannot patch immediately. Go to System > Admin > Settings and uncheck ‘Allow HTTP/2’. Note: this may break some automation, but it stops the exploit.
- Check your firewall logs for any connections from unusual IPs to TCP port 541 (fgfm) or 443 (management interface). Look for repeated failed authentication attempts or large anomalous traffic spikes.
- Conduct a forensic review of all FortiGate devices for any unauthorized configuration changes or suspicious cron jobs. Attackers have been observed adding hidden admin accounts and modifying routing tables.
- Contact your Fortinet representative and request a copy of the incident response guidance document that the vendor is distributing privately to its largest customers.
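One way to run the log checks from the list above over sample data, as an added example that is not from the advisory or from Fortinet: the key=value log lines are constructed, and the allow-listed management network, the port set and the failed-login threshold are assumptions you would replace with your own.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed sample lines in FortiGate's key=value syslog style (not real logs).
SAMPLE_LOGS = """\
date=2025-01-15 time=06:20:01 type=traffic subtype=local srcip=203.0.113.7 dstip=192.0.2.1 dstport=541 proto=6 action=accept
date=2025-01-15 time=06:20:03 type=traffic subtype=local srcip=10.10.0.5 dstip=192.0.2.1 dstport=443 proto=6 action=accept
date=2025-01-15 time=06:20:04 type=event subtype=system logdesc="Admin login failed" user="admin" srcip=203.0.113.7 status=failed
date=2025-01-15 time=06:20:05 type=event subtype=system logdesc="Admin login failed" user="admin" srcip=203.0.113.7 status=failed
date=2025-01-15 time=06:20:06 type=event subtype=system logdesc="Admin login failed" user="root" srcip=203.0.113.7 status=failed
date=2025-01-15 time=06:20:07 type=traffic subtype=local srcip=198.51.100.9 dstip=192.0.2.1 dstport=8080 proto=6 action=accept
"""

# Assumed allow-list: the only networks from which management access is legitimate.
MGMT_ALLOWED = [ip_network("10.10.0.0/16")]
MGMT_PORTS = {541, 443}          # from the checklist: fgfm and the HTTPS management interface
FAILED_LOGIN_THRESHOLD = 3       # assumed: three failures from one source is worth a look

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_line(line):
    """Turn one key=value log line into a dict, stripping quotes from values."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}

def is_allowed(src):
    return any(ip_address(src) in net for net in MGMT_ALLOWED)

def review_logs(text):
    """Return (external_mgmt_hits, brute_force_sources) for the given log text."""
    external = []
    failures = Counter()
    for raw in text.splitlines():
        rec = parse_line(raw)
        src = rec.get("srcip")
        if not src:
            continue
        # Finding 1: management-port connections from outside the allow-list.
        if rec.get("type") == "traffic" and int(rec.get("dstport", 0)) in MGMT_PORTS and not is_allowed(src):
            external.append((src, int(rec["dstport"])))
        # Finding 2: repeated failed admin logins from a single source.
        if rec.get("logdesc") == "Admin login failed":
            failures[src] += 1
    brute = sorted(ip for ip, n in failures.items() if n >= FAILED_LOGIN_THRESHOLD)
    return external, brute

if __name__ == "__main__":
    hits, brute = review_logs(SAMPLE_LOGS)
    for src, port in hits:
        print(f"management port {port} reached from non-allow-listed {src}")
    for src in brute:
        print(f"{src}: repeated failed admin logins")
```

Pipe your exported FortiGate logs into review_logs instead of SAMPLE_LOGS; a source that shows up in both findings is the one to pull for the forensic review described above.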
The Bigger Picture: Zero Day Capitalism and the Race to Exploit
This story is a microcosm of a larger crisis in network security. We are in an era where zero-day vulnerabilities in edge devices are bought and sold on dark web forums for tens of thousands of dollars long before the vendor ever learns about them. The exploit for this vulnerability was reportedly offered for sale in November 2024 by a group that calls itself “SilentVisor,” which is believed to be a broker for advanced persistent threat groups.
The economics are brutal. A single Fortinet zero-day can be used to compromise hundreds of corporate networks, each of which yields dozens of credentials and internal systems. Those credentials are then sold as initial access to ransomware gangs. The entire chain from discovery to monetization can happen in under a week. By the time Fortinet issues a patch, the damage is often already done.
And yet, the vendor’s advisory today contains no mention of compensating controls for organizations that cannot patch immediately. No mention of free detection signatures. No mention of a dedicated 24/7 hotline for suspected compromises. The company’s cybersecurity insurance policy may cover their own losses, but it does not cover the paralysis spreading through IT departments right now.
One final, uncomfortable truth. This Fortinet zero-day is not an accident. It is a predictable outcome of a software development process that prioritizes feature velocity over memory-safe coding practices. FortiOS is written primarily in C and C++, languages that are notoriously prone to buffer overflow vulnerabilities. Until vendors like Fortinet embrace memory-safe languages like Rust for their most critical code paths, we will keep reading these advisories with the same sinking feeling.
The clock is ticking. The exploit is live. The patch exists but is not universally deployed. And somewhere, a sysadmin is staring at an unpatched FortiGate that they forgot to update last weekend. This is the real story. Not the press release. Not the stock price. The fact that we already know exactly how this ends for some organizations, and there is nothing we can do to stop it in time.