Dear all,

Fortinet has identified a critical vulnerability in FortiOS and FortiProxy. The vulnerability may allow an unauthenticated remote attacker to gain “super-admin” privileges.

The Fortinet vulnerability notification describes possible Indicators of Compromise (IOCs) and IPs associated the threat actor, which may assist in identifying suspicious activity.

Fortinet has observed active exploitation of this vulnerability.
Fortinet advises that threat actors have been observed performing the following post exploitation activities:
Creating an admin account on the device with a random user name.
Creating a Local User account on the device using a random name.
Creating a user group or adding the above local user to an existing sslvpn user group.
Adding/changing other settings (firewall policy etc.)
Logging in the sslvpn with the above-added local users to get a tunnel to the internal network.

Affected versions/applications:

FortiOS version 7.0 - 7.0.0 through 7.0.16
FortiProxy version 7.0 - 7.0.0 through 7.0.19
FortiProxy version 7.2 - 7.2.0 through 7.2.12

https://www.cyber.gov.au/about-us/view-all-content/alerts-and-advisories/fortios-fortiproxy-authenti...

https://www.fortiguard.com/psirt/FG-IR-24-535