Hackers Selling Firewall Access

A threat actor has advertised a zero-day exploit targeting FortiGate firewall products from Fortinet on a prominent Dark Web forum. The exploit is claimed to enable unauthenticated remote code execution (RCE) and full configuration access to FortiOS, allowing attackers to seize control of vulnerable devices without needing credentials.

This alarming development has raised concerns among some users about the security of Fortinet firewalls, which are widely used in enterprises and government agencies globally.[1]

The forum post, observed by ThreatMon, claims the exploit has extensive capabilities, including access to sensitive configuration files extracted from compromised devices. The exploit appears to target versions of FortiOS that are vulnerable to authentication bypass flaws, a recurring problem with Fortinet products.

These files are purported to include:  

  • Local user credentials: Stored encrypted passwords.
  • Admin account details: Documented permissions and trust relationships.
  • Two-factor authentication (2FA) status: Information on FortiToken configurations.
  • Firewall policies and network configurations: Complete rule sets, NAT mappings, internal IP assets, and address groups.

Such data could allow attackers to bypass security measures, infiltrate networks, and potentially launch further attacks.

Fortinet has quickly taken steps to mitigate this issue and address the challenges that customers might face, issuing specific advice and urging customers to update their devices to protect against further risks to their systems.

This article is shared at no charge for educational and informational purposes only.

Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization.  We provide indicators of compromise information via a notification service (RedXray) or an analysis service (CTAC).  For questions, comments, or assistance, please get in touch with the office directly at 1-844-492-7225 or feedback@redskyalliance.com    

[1] https://www.cybersecurityintelligence.com/blog/hackers-claim-they-are-selling-fortigate-firewall-access-8374.html
