Zero-Day Alert: Fortinet Firewalls Hijacked Through Critical Auth Bypass

In the past week, critical cybersecurity threats have emerged, with significant vulnerabilities being reported across various platforms. A zero-day vulnerability in FortiOS and FortiProxy enables attackers to gain super-admin privileges, modify configurations, and perform lateral movements. Hackers are exploiting API flaws to deploy backdoors and perform cryptojacking using XMRig. A Secure Boot bypass vulnerability exposes systems to stealthy bootkits. The “Belsen Group” leaked sensitive FortiGate configurations, including VPN credentials, affecting over 15,000 devices globally. The evolved Hexalocker ransomware has been detected exfiltrating sensitive data using the Skuld Stealer and deploys advanced encryption for stronger obfuscation. These developments underscore the urgent need for organizations to stay vigilant and apply security updates promptly.

SISA Weekly Threat Watch – our weekly feature brings to you a quick snapshot of all the major security vulnerabilities that posed a threat to organizations worldwide. These recurring actionable threat advisories will also provide information and recommendations that will help security teams take appropriate actions to defend against the latest and critical threats.

1. Zero-Day Alert: Fortinet Firewalls Hijacked Through Critical Auth Bypass

A critical zero-day vulnerability (CVE-2024-55591) in FortiOS and FortiProxy has been exploited to compromise Fortinet FortiGate firewalls with exposed management interfaces. This vulnerability, impacting FortiOS (7.0.0–7.0.16) and FortiProxy (7.0.0–7.0.19, 7.2.0–7.2.12), allows attackers to bypass authentication via the Node.js WebSocket module, granting super-admin privileges to create unauthorized accounts, modify configurations, and perform lateral movements. The attack progresses through phases, including vulnerability scanning, reconnaissance, and exploitation, with Indicators of Compromise (IOCs) revealing unauthorized logins, account creation, and attacker IPs.

To mitigate risks, organizations should disable HTTP/HTTPS administrative interfaces, restrict access via local-in policies for trusted IPs, and monitor logs for IOCs such as suspicious logins and malicious IPs. Immediate patching of affected systems, enforcing multi-factor authentication on admin accounts, conducting regular audits of firewall configurations, and enhancing network segmentation are vital measures. Testing incident response plans further ensures preparedness against similar future threats.

2. Hackers Exploit Aviatrix Controller Flaw for Cryptojacking and Backdoors

A critical remote command execution (RCE) vulnerability, CVE-2024-50603, in Aviatrix Controller has been exploited by threat actors to install Sliver backdoors and perform cryptojacking operations using XMRig. The flaw arises from inadequate input sanitization in API endpoints, allowing unauthenticated attackers to execute malicious OS commands. Exploitation involves crafting API requests with unsanitized parameters, enabling attackers to gain unauthorized access to cloud environments, escalate privileges, and exfiltrate data.

This vulnerability, affecting all Aviatrix Controller versions prior to 7.2.4996 or 7.1.4191, poses significant risks for enterprises. Proof-of-concept exploits have accelerated attacks, exposing cloud environments to unauthorized access, persistent backdoors, and resource hijacking. To mitigate these risks, organizations should immediately patch systems by upgrading to secure Aviatrix versions and restrict access to port 443. Enhanced monitoring for Indicators of Compromise (IoCs), such as listed IPs and malicious file paths, and regular vulnerability scans are essential. Long-term measures include hardening API input sanitization, reducing the attack surface, enabling comprehensive logging, and training teams to address cryptojacking and RCE threats effectively.

3. CVE-2024-7344: New UEFI Vulnerability Exposes Systems to Bootkit Attacks

A UEFI Secure Boot bypass vulnerability (CVE-2024-7344) has been identified in a Microsoft-signed application used by third-party system recovery tools, allowing attackers to deploy stealthy bootkits. The flaw lies in a custom PE loader, reloader.efi, which bypasses Secure Boot validation and decrypts malicious binaries from an encrypted file, cloak.dat, during the boot process. This vulnerability enables attackers to bypass Secure Boot protections, compromising systems even after OS reinstallation.

Microsoft revoked the vulnerable certificates in the January 2025 Patch Tuesday update, and affected vendors, including Howyar SysReturn, Greenware GreenGuard, and Radix SmartRecovery, have released patches. Users are urged to update systems immediately, ensuring Secure Boot certificates include the revoked keys.

To mitigate risks, enterprises should validate bootloaders, audit UEFI firmware regularly, and restrict physical access by securing BIOS/UEFI settings. Using PowerShell or Linux commands to verify the system’s protection status is critical for detecting and addressing vulnerabilities effectively.

4. Cybersecurity Alert: 15,000 FortiGate Devices Configurations and VPN Data Leaked

The hacking group “Belsen Group” leaked sensitive configurations and VPN credentials for over 15,000 FortiGate devices globally, exposing critical details like private keys, firewall rules, and plain-text credentials. Major victims are reported in the US, UK, Poland, and Belgium, affecting both governmental and private sectors. The leaked data, shared on a Tor site, enables attackers to gain unauthorized access, bypass defenses, and potentially launch prolonged attacks.

The breach exploited FortiGate vulnerabilities, such as CVE-2022-40684 and CVE-2024-55591, emphasizing FortiGate’s frequent targeting. Leaked credentials, firewall rules, and device certificates present severe risks, including secure communication compromise and targeted attacks.

Organizations must immediately update all credentials, implement multi-factor authentication, reconfigure firewall rules, and revoke exposed certificates. Comprehensive forensic analysis and intrusion detection systems are critical to identifying backdoors. Long-term strategies, including regular patching and adopting zero-trust architecture, are essential to mitigate future risks.

5. HexaLocker V2 Combining Advanced Encryption and Skuld Stealer for Impact

HexaLocker ransomware has evolved into a more sophisticated threat with its second version, incorporating advanced encryption, persistence mechanisms, and double extortion tactics. It now exfiltrates data before encryption, leveraging the Skuld Stealer to extract sensitive information such as browser credentials, cookies, and crypto wallet details. Using encryption algorithms like AES-GCM, Argon2, and ChaCha20, HexaLocker ensures strong obfuscation and resistance to decryption. The ransomware establishes persistence via registry modifications and replaces static TOXID communication with unique hash-based victim interaction.

The infection lifecycle involves deploying itself to `%appdata%`, stealing data with Skuld Stealer, encrypting files with the “.HexaLockerV2” extension, and leaving a ransom note directing victims to communicate via Signal, Telegram, or a web portal. Organizations should implement advanced threat detection tools, monitor for unusual registry changes, and block malicious domains like *hexalocker.xyz*. Regular backups, employee training, and robust endpoint protection are critical for mitigating the impact of this evolving ransomware.