On April 2, 2021, the FBI and CISA released a joint cybersecurity advisory warning that advanced persistent threat (APT) actors are actively targeting known vulnerabilities in Fortinet FortiOS. The actors are said to be scanning devices on ports 4443, 8443 and 10443 for the vulnerabilities below:
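The port list above gives defenders an obvious first check. The following Python, added here as an example and not code from the advisory or from Fortinet, reads firewall traffic records and flags a source address that either reaches several distinct hosts on those three ports (a horizontal sweep) or touches all three ports on one host. The log lines are constructed for the example in a generic key=value layout with RFC 5737 documentation addresses; a real FortiGate record carries more fields, so the parser would be adapted to it, and the threshold `min_hosts` is an assumption to tune per network.

```python
"""Flag sources probing the SSL VPN ports named in the advisory (4443, 8443, 10443)."""
import re
from collections import defaultdict
from typing import Dict, Iterable, Set, Tuple

SSLVPN_PORTS = {4443, 8443, 10443}  # the ports the advisory says are being scanned

# key=value pairs; quoted values ("a b") are allowed.
KV_PAIR = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed sample log (not a verbatim FortiGate record). One sweeping source,
# one ordinary VPN user, and one source hitting all three ports on a single host.
SAMPLE_LOG = """\
date=2021-04-03 time=01:12:04 srcip=198.51.100.7 dstip=10.0.0.1 dstport=4443 proto=6 action=deny
date=2021-04-03 time=01:12:05 srcip=198.51.100.7 dstip=10.0.0.2 dstport=4443 proto=6 action=deny
date=2021-04-03 time=01:12:05 srcip=198.51.100.7 dstip=10.0.0.3 dstport=8443 proto=6 action=deny
date=2021-04-03 time=01:12:06 srcip=198.51.100.7 dstip=10.0.0.4 dstport=10443 proto=6 action=deny
date=2021-04-03 time=01:12:06 srcip=198.51.100.7 dstip=10.0.0.5 dstport=443 proto=6 action=deny
date=2021-04-03 time=01:13:10 srcip=203.0.113.9 dstip=10.0.0.1 dstport=8443 proto=6 action=accept
date=2021-04-03 time=01:14:00 srcip=192.0.2.22 dstip=10.0.0.1 dstport=4443 proto=6 action=deny
date=2021-04-03 time=01:14:00 srcip=192.0.2.22 dstip=10.0.0.1 dstport=8443 proto=6 action=accept
date=2021-04-03 time=01:14:01 srcip=192.0.2.22 dstip=10.0.0.1 dstport=10443 proto=6 action=deny
date=2021-04-03 time=01:15:30 srcip=203.0.113.9 dstip=10.0.0.1 dstport=8443 proto=6 action=accept
"""


def parse_line(line: str) -> Dict[str, str]:
    """Split one key=value record into a dict, dropping surrounding quotes."""
    return {k: v.strip('"') for k, v in KV_PAIR.findall(line)}


def find_sweeps(lines: Iterable[str], min_hosts: int = 3) -> Dict[str, Dict[str, object]]:
    """Return srcip -> summary for sources that reached at least `min_hosts`
    distinct destinations on the watched ports, or all three watched ports on
    any single destination. Records without a usable dstport are skipped."""
    seen: Dict[str, Set[Tuple[str, int]]] = defaultdict(set)
    for line in lines:
        f = parse_line(line)
        try:
            port = int(f["dstport"])
        except (KeyError, ValueError):
            continue  # not a traffic record we can use
        if port in SSLVPN_PORTS and "srcip" in f and "dstip" in f:
            seen[f["srcip"]].add((f["dstip"], port))

    findings: Dict[str, Dict[str, object]] = {}
    for src, pairs in seen.items():
        hosts = {h for h, _ in pairs}
        ports_by_host: Dict[str, Set[int]] = defaultdict(set)
        for h, p in pairs:
            ports_by_host[h].add(p)
        full_vertical = any(ps == SSLVPN_PORTS for ps in ports_by_host.values())
        if len(hosts) >= min_hosts or full_vertical:
            findings[src] = {
                "hosts": len(hosts),
                "ports": sorted({p for _, p in pairs}),
                "all_three_ports_on_one_host": full_vertical,
            }
    return findings


if __name__ == "__main__":
    for src, info in find_sweeps(SAMPLE_LOG.splitlines()).items():
        print(src, info)
```

A hit on this rule is a lead, not a verdict: a single user reconnecting to one portal (203.0.113.9 above) stays below both thresholds, while a source that walks several firewalls or enumerates all three ports on one of them is worth correlating with the SSL VPN portal's own logs.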

  • CVE-2018-13379: An Improper Limitation of a Pathname to a Restricted Directory ("Path Traversal") in Fortinet FortiOS 6.0.0 to 6.0.4, 5.6.3 to 5.6.7 and 5.4.6 to 5.4.12 under the SSL VPN web portal allows an unauthenticated attacker to download system files via specially crafted HTTP resource requests.

  • CVE-2020-12812: An improper authentication vulnerability in SSL VPN in FortiOS 6.4.0, 6.2.0 to 6.2.3, 6.0.9 and below may result in a user being able to log in successfully without being prompted for the second factor of authentication (FortiToken) if they changed the case of their username.

  • CVE-2019-5591: A Default Configuration vulnerability in FortiOS may allow an unauthenticated attacker on the same subnet to intercept sensitive information by impersonating the LDAP server.
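Read together, the three entries above pose a triage question for anyone running a FortiOS fleet: which of the listed CVEs apply to a given firmware version? The following Python, added here as an example and not code from the advisory or from Fortinet, encodes the version ranges exactly as quoted above and reports the matches for an inventory. It assumes plain `major.minor.patch` version strings, reads "6.0.9 and below" literally (no lower bound), and deliberately cannot clear a device of CVE-2019-5591, for which the text gives no version range. The hostnames and versions in the sample inventory are constructed.

```python
"""Match FortiOS version strings against the affected ranges quoted in the advisory."""
from __future__ import annotations

from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, int, int]


def parse_version(text: str) -> Version:
    """Turn '6.0.4' or 'v6.0.4' into (6, 0, 4). Tuples compare element by element,
    which is exactly the major.minor.patch ordering needed for range checks."""
    parts = text.strip().lower().lstrip("v").split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised FortiOS version string: {text!r}")
    major, minor, patch = (int(p) for p in parts)
    return (major, minor, patch)


@dataclass(frozen=True)
class AffectedRange:
    low: Optional[Version]   # None means "and below" (no lower bound)
    high: Version            # inclusive upper bound

    def contains(self, v: Version) -> bool:
        return (self.low is None or self.low <= v) and v <= self.high


# Ranges as listed in the advisory text for the two version-scoped CVEs.
AFFECTED: Dict[str, List[AffectedRange]] = {
    "CVE-2018-13379": [
        AffectedRange((6, 0, 0), (6, 0, 4)),
        AffectedRange((5, 6, 3), (5, 6, 7)),
        AffectedRange((5, 4, 6), (5, 4, 12)),
    ],
    "CVE-2020-12812": [
        AffectedRange((6, 4, 0), (6, 4, 0)),
        AffectedRange((6, 2, 0), (6, 2, 3)),
        AffectedRange(None, (6, 0, 9)),      # "6.0.9 and below", read literally
    ],
}

# CVE-2019-5591 is a default-configuration issue; the advisory text gives no
# version range, so a version check cannot clear a device of it.
NOT_VERSION_SCOPED = ("CVE-2019-5591",)


def affected_cves(version: str) -> List[str]:
    """Return the version-scoped CVEs whose listed ranges contain `version`."""
    v = parse_version(version)
    return [cve for cve, ranges in AFFECTED.items() if any(r.contains(v) for r in ranges)]


def triage(inventory: Dict[str, str]) -> Dict[str, List[str]]:
    """Map hostname -> CVEs to chase, given hostname -> FortiOS version string.
    Unparseable versions are flagged rather than silently treated as clean."""
    result: Dict[str, List[str]] = {}
    for host, version in inventory.items():
        try:
            result[host] = affected_cves(version)
        except ValueError:
            result[host] = ["UNKNOWN-VERSION"]
    return result


if __name__ == "__main__":
    # Constructed sample inventory (hypothetical hostnames and versions).
    sample = {"fw-edge-01": "6.0.4", "fw-edge-02": "6.2.3", "fw-dc-01": "6.0.10", "fw-lab": "build1234"}
    for host, cves in triage(sample).items():
        print(f"{host:12s} {cves if cves else 'not in the listed ranges'}")
    print("Verify on every device regardless of version:", ", ".join(NOT_VERSION_SCOPED))
```

An empty result means only that the version is outside the ranges quoted on this page, not that the device is clean: the advisory concerns devices already being scanned, so a box that sat unpatched in an affected range at any point still needs its SSL VPN and authentication logs reviewed.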

"It is likely that the APT actors are scanning for these vulnerabilities to gain access to multiple government, commercial, and technology services networks."

~Joint Cybersecurity Advisory

The joint advisory recommends applying the patches for these three vulnerabilities immediately and also recommends that organizations adopt practical measures to limit damage and speed recovery in case they are affected. These measures include, but are not limited to:

  • Regularly backing up data

  • Implementing a recovery plan

  • Using multifactor authentication wherever available

  • Disabling unused remote access/Remote Desktop Protocol (RDP) ports

  • Monitoring remote access/RDP logs

Fortinet has responded to the advisory, stating, "We continually strive to improve processes, including actively testing our code and fixing issues detected both internally and externally to deliver a more robust solution to our customers."

You can access the full joint cybersecurity advisory here.