Report a cybercrime, cyber security incident or vulnerability.
Report

What are you looking for?

You can search for keywords to find pages that can help you e.g. scam
First published: 15 Jan 2025
Last updated: 15 Jan 2025

Content written for

Small & medium business
Large organisations & infrastructure
Government

This alert is relevant to Australian Organisations who utilise affected Fortinet products. This alert is intended to be understood by technical users.

Customers are encouraged to upgrade to the latest version of FortiOS and FortiProxy and apply the mitigations, as detailed in the Fortinet notification.

Background / What has happened?

  • Fortinet has identified a critical vulnerability in FortiOS and FortiProxy. The vulnerability may allow an unauthenticated remote attacker to gain “super-admin” privileges.
  • The Fortinet vulnerability notification describes possible Indicators of Compromise (IOCs) and IPs associated the threat actor, which may assist in identifying suspicious activity.
  • Fortinet has observed active exploitation of this vulnerability.
  • Fortinet advises that threat actors have been observed performing the following post exploitation activities:
  • Creating an admin account on the device with a random user name.
    • Creating a Local User account on the device using a random name.
    • Creating a user group or adding the above local user to an existing sslvpn user group.
    • Adding/changing other settings (firewall policy etc.)
    • Logging in the sslvpn with the above-added local users to get a tunnel to the internal network.
  • Affected versions/applications:
    • FortiOS version 7.0 - 7.0.0 through 7.0.16
    • FortiProxy version 7.0 - 7.0.0 through 7.0.19
    • FortiProxy version 7.2 - 7.2.0 through 7.2.12

Mitigation / How do I stay secure?

The ASD’s ACSC recommends businesses, organisations and government entities:

  • Follow Fortinet’s published advice for affected versions.
  • Upgrade to the latest FortiOS and FortiProxy versions.
  • Investigate for potential compromise of these products, leveraging the published IOCs.
  • Monitor and investigate for suspicious activity in connected environments.

Further information and details can be found in Fortinet’s vulnerability notification.

Assistance / Where can I go for help?

Organisations that have been impacted, suspect impact or require advice and assistance can contact us via 1300 CYBER1 (1300 292 371) or asd.assist@defence.gov.au

Was this information helpful?

Thanks for your feedback!

Optional

Tell us why this information was helpful and we’ll work on making more pages like it