Hackers are actively abusing this security suite to execute attacks

News
By
published

Patches for critical Fortinet vulnerabilities have been available for several years now

Lock
(Image credit: Shutterstock)

The FBI and the Cybersecurity and Infrastructure Security Agency (CISA) have warned that threat actors were likely exploiting critical vulnerabilities in the Fortinet FortiOS VPN to plant backdoors in a bid to return and steal data or conduct ransomware campaigns.

Fortinet FortiOS is the operating system that powers the company's gamut of security offerings.

“The FBI and CISA believe the APT [advanced persistent threat ] actors are likely exploiting these Fortinet FortiOS vulnerabilities to gain access to multiple government, commercial, and technology services networks,” warns the joint advisory.

TechRadar needs you!

We're looking at how our readers use VPN for a forthcoming in-depth report. We'd love to hear your thoughts in the survey below. It won't take more than 60 seconds of your time.

>> Click here to start the survey in a new window<<

Patch immediately

The agencies specifically point to three vulnerabilities, tracked as CVE-2018-13379, CVE-2020-12812, and CVE-2019-5591. The agencies say the hackers could exploit any or all of these vulnerabilities to gain access to secure networks.

Fortinet has already issued patches to mitigate the threats arising from all of these vulnerabilities. The agencies warn that cyberattackers are actively scanning the Internet looking for systems that have not yet applied the patches to plug the vulnerabilities.

Two of the three already-patched vulnerabilities listed in the advisory, CVE-2018-13379 and CVE-2020-12812, are particularly severe because they can be exploited by unauthenticated users to steal authentication credentials and connect to vulnerable VPNs.

In their bid to get Fortinet users to act, the agencies also give a rundown of the type of attacks that can be conducted using the vulnerabilities. 

“APT actors have historically exploited critical vulnerabilities to conduct distributed denial-of-service (DDoS) attacks, ransomware attacks, structured query language (SQL) injection attacks, spearphishing campaigns, website defacements, and disinformation campaigns,” note the agencies.

In an emailed statement, Fortinet urged its customers who haven’t applied the patches as yet to do so immediately. 

Via: ZDNet

Mayank Sharma
Mayank Sharma

With almost two decades of writing and reporting on Linux, Mayank Sharma would like everyone to think he’s TechRadar Pro’s expert on the topic. Of course, he’s just as interested in other computing topics, particularly cybersecurity, cloud, containers, and coding.

Read more
Best free Linux firewalls
Fortinet warns a critical vulnerability in its systems could let attackers breach company networks
A person at a laptop with a cybersecure lock symbol floating above it.
Hackers are still using old Ivanti bugs to break into networks
vpn
Ivanti warns another critical security flaw is being attacked
The best free firewall
Palo Alto warns another major firewall hack has been detected
Digital image of a lock.
Fortinet flags some worrying security bugs coming back from the dead
An illustration of a hand holding a set of keys in front of a laptop, accompanied by a padlock symbol, fingerprint, and key.
Thousands of SonicWall VPN devices are facing worrying security threats
Latest in Security
A graphic showing fleet tracking locations over a city.
Lost & Found tracking site hit by major data breach - over 800,000 could be affected
US President Donald Trump speaks to the press as he signs an executive order to create a US sovereign wealth fund, in the Oval Office of the White House on February 3, 2025, in Washington, DC.
US set to pause cyber-offensive operations against Russia - but CISA says it won't stop
Web DDoS attacks see major surge as AI allows more powerful attacks
Polish space agency says it was hit by a cyberattack
Illustration of a hooked email hovering over a mobile phone
AWS misconfigurations reportedly used to launch phishing attacks
A concept image of someone typing on a computer. A red flashing danger sign is above the keyboard and nymbers and symbols also in glowing red surround it.
Microsoft Teams and other Windows tools hijacked to hack corporate networks
Latest in News
Google Gemini iPhone Lock Screen
You can now access Gemini from your iPhone's lock screen
Michelle, Keats, and Doctor Amherst looking unimpressed and worried in The Electric State
Netflix drops trailer for The Electric State, and I'm getting serious District 9 vibes
YouTube TV
YouTube TV might be planning a big Netflix update that puts the best streaming services first
Google Pixel 9 Pro
Here are the 7 best Pixel 9 and Pixel Watch 3 features landing in March’s Pixel Feature Drop
Bang &amp; Olufsen Beogram 4000C Saint Laurent Rive Droite Edition
Bang & Olufsen's latest reworked turntable is a masterpiece of retro revival, in a breathtaking wooden presentation box
Apple Watch Series 10
Apple unveils new Apple Watch bands – here's what's in the Spring 2025 collection
More about security
A graphic showing fleet tracking locations over a city.

Lost & Found tracking site hit by major data breach - over 800,000 could be affected
A concept image of someone typing on a computer. A red flashing danger sign is above the keyboard and nymbers and symbols also in glowing red surround it.

Microsoft Teams and other Windows tools hijacked to hack corporate networks
An AI-generated image of the colosseum with slides coming out of it.

AI slop is taking over the internet and I've had enough of it
See more latest
Most Popular
A collage of Daredevil in Daredevil: Born Again and Tom Holland&#039;s Peter Parker in Spider-Man: Far From Home
Daredevil: Born Again episode 2 just gave me hope that the titular hero will join forces with Spider-Man in the MCU, but it won't happen on Disney+
Circular Ring 2
The Circular Ring 2 solves a crucial smart ring problem, and it's available to pre-order now
HTC Viverse
The company formerly known as HTC is doubling down on immersive worlds, AI, spatial computing and ... 6G?
A business woman looking at AI on a transparent screen
Businesses are facing an "AI Divide" - which could be the difference between success and failure
Google Gemini iPhone Lock Screen
You can now access Gemini from your iPhone's lock screen
Apple Vision Pro with Dassault Systèmes 3DEXPERIENCE platform
Dassault Systèmes teams up with Apple to use Vision Pro headsets to bring spatial CAD to life
Samsung 18.1-inch foldable OLED monitor
Samsung has launched a flexible portable monitor complete with a briefcase, one that seems to come straight from a James Bond movie
GenMachine Zhi mini pc
This is the smallest AMD PC I've ever seen: mysterious manufacturer uses Ryzen 3 APU with surprising results
Beelink ME Mini
One of our favorite mini PC vendors has launched a NAS that looks a bit like Apple's PowerMac G4 Cube PC - but way smaller
Michelle, Keats, and Doctor Amherst looking unimpressed and worried in The Electric State
Netflix drops trailer for The Electric State, and I'm getting serious District 9 vibes