A new and alarming development is shaking up the cybersecurity landscape: a malicious actor has advertised on the dark web a highly sophisticated exploit aimed at compromising FortiGate devices.
A new exploit for FortiGate firewalls, priced at $12,000, has appeared for sale on the popular underground forum Exploit. The post, published by a user with the pseudonym Anon-WMG, presents a tool capable of massively compromising Fortinet devices by exploiting exposed APIs.
Technical features of the exploit
Called “FortiGate API Dump Exploit (~7.2 and below)”, the tool is capable of interacting with over 170 FortiGate API endpoints, with declared compatibility for versions 6.x and 5.x, and also tested on 7.2.6 and earlier. Features include:
Automatic dump from 170+ Fortinet API endpoints
Extraction of sensitive information: firewall configurations, local VPN users, SSL portals, backups, SNMP keys, DNS, HA and NTP parameters
Multithreading support (over 20 threads) for fast and massive scans
Output in JSON format and as a structured configuration file
Stealth headers and dedicated reporting module (“Report Runner”)
The tool targets:
FortiGate firewalls with an exposed API (default ports: 443 and 10443)
The author claims that the exploit is capable of compromising:
Internal and administrative network credentials (including hashes and encrypted passwords)
Active SAML/RADIUS/LDAP tokens
VPN tokens and IPsec session IDs
Complete device configuration backups
Impact, prevalence and selling price
The implications are serious and include:
Internal network access and lateral movement
Theft of configurations, backups and credentials
Compromising VPN communications in progress
Possibility of escalation through legitimate user tokens
The tool has been tested on numerous versions of FortiOS: v6.0.9, 6.2.5, 7.0.4, 7.2.1, 7.2.6, 6.2.x and others.
Asking price: $12,000
Payment in cryptocurrency
Negotiation via escrow to guarantee (at least formally) the transaction
Some samples were provided via a temporary link on “send.exploit.in”
The author warns prospective buyers to contact him only if they genuinely intend to purchase
Countermeasures and recommendations
Organizations using FortiGate should take immediate action, especially if:
APIs are exposed directly to the Internet
Devices are running outdated firmware versions
VPN/SSL portals are not configured correctly
Operational Recommendations:
Perform an immediate audit of exposed interfaces
Update all devices to the latest supported FortiOS version
Restrict API access to internal or authorized IP addresses only
Enable API logs to detect suspicious activity
Revoke and regenerate active VPN tokens, verifying the integrity of configurations
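A tool like the one described above leaves a recognisable footprint in the API log: one source address requesting many distinct endpoints within a few seconds. The following Python script is an added example, not code from the original article or from Fortinet, showing how the last two recommendations (restricting API access to authorized addresses and logging API activity) can be checked together. The log lines are constructed for the example, and the field names (srcip, url, status) are assumptions rather than the actual FortiOS log schema, so the regular expression would need adapting to a real export.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log, not a capture from a real device. The key=value layout
# resembles FortiOS event logs, but the field names (srcip, url, status) are
# assumptions for this example rather than the real schema.
SAMPLE_LOG = """\
date=2025-05-20 time=10:00:00 srcip=10.0.0.7 url="/api/v2/cmdb/system/global" status="success"
date=2025-05-20 time=10:00:01 srcip=203.0.113.5 url="/api/v2/cmdb/system/admin" status="success"
date=2025-05-20 time=10:00:01 srcip=203.0.113.5 url="/api/v2/cmdb/user/local" status="success"
date=2025-05-20 time=10:00:01 srcip=203.0.113.5 url="/api/v2/cmdb/vpn.ssl/settings" status="success"
date=2025-05-20 time=10:00:02 srcip=203.0.113.5 url="/api/v2/cmdb/system/snmp/community" status="success"
date=2025-05-20 time=10:00:02 srcip=203.0.113.5 url="/api/v2/cmdb/system/dns" status="success"
date=2025-05-20 time=10:00:02 srcip=203.0.113.5 url="/api/v2/cmdb/system/ha" status="success"
date=2025-05-20 time=10:00:03 srcip=203.0.113.5 url="/api/v2/cmdb/system/ntp" status="success"
date=2025-05-20 time=10:00:03 srcip=203.0.113.5 url="/api/v2/monitor/system/config/backup" status="success"
date=2025-05-20 time=10:00:40 srcip=10.0.0.7 url="/api/v2/cmdb/firewall/policy" status="success"
date=2025-05-20 time=10:01:10 srcip=198.51.100.9 url="/api/v2/cmdb/system/admin" status="failure"
"""

LINE_RE = re.compile(
    r'date=(?P<date>\S+) time=(?P<time>\S+) srcip=(?P<srcip>\S+) '
    r'url="(?P<url>[^"]+)" status="(?P<status>\w+)"'
)


def parse_log(text):
    """Turn key=value lines into (timestamp, srcip, url) tuples, sorted by time.
    Lines that do not match the assumed layout are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{m['date']} {m['time']}", "%Y-%m-%d %H:%M:%S")
        events.append((ts, m["srcip"], m["url"]))
    return sorted(events)


def detect_api_abuse(events, allowed_nets, window_s=60, min_endpoints=5):
    """Return {srcip: [reasons]} for sources that either come from outside the
    management allowlist or hit an unusual number of distinct API endpoints
    inside a sliding time window (the signature of an automated multi-endpoint dump)."""
    nets = [ipaddress.ip_network(n) for n in allowed_nets]
    window = timedelta(seconds=window_s)
    by_src = defaultdict(list)
    for ts, src, url in events:
        by_src[src].append((ts, url))

    alerts = defaultdict(list)
    for src, hits in by_src.items():
        if not any(ipaddress.ip_address(src) in n for n in nets):
            alerts[src].append("API request from outside the management allowlist")

        # Sliding window over the time-ordered hits: track the peak number of
        # distinct endpoints requested by this source within window_s seconds.
        peak, start = 0, 0
        for end, (ts, _) in enumerate(hits):
            while ts - hits[start][0] > window:
                start += 1
            distinct = {u for _, u in hits[start:end + 1]}
            peak = max(peak, len(distinct))
        if peak >= min_endpoints:
            alerts[src].append(
                f"{peak} distinct API endpoints within {window_s}s (possible automated dump)"
            )
    return dict(alerts)


if __name__ == "__main__":
    # Only the internal management network is allowed to talk to the API.
    for src, reasons in detect_api_abuse(parse_log(SAMPLE_LOG), ["10.0.0.0/8"]).items():
        for reason in reasons:
            print(f"{src}: {reason}")
```

With the sample data, the internal administrator at 10.0.0.7 touches two endpoints over a minute and is not reported, while 203.0.113.5 is flagged both for coming from outside the allowlist and for requesting eight distinct endpoints in three seconds; the threshold and window should be tuned against a baseline of normal automation (monitoring integrations, backup jobs) before the check is used for alerting.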
Conclusions
The availability of an automated exploit like this on the underground market highlights once again how critical even partial exposure of inadequately protected management interfaces can be. In this case, unauthenticated access to FortiGate APIs can lead to the complete compromise of a network.
Redazione (editorial staff): The editorial team of Red Hot Cyber consists of a group of individuals and anonymous sources who actively collaborate to provide early information and news on cybersecurity and computing in general.