
Fortinet FortiOS flaws actively exploited in the wild


FortiOS, an operating system built by enterprise security provider Fortinet, has a number of high-severity flaws that are currently being exploited in the wild, US government agencies are saying.

The FBI and the US Cybersecurity and Infrastructure Security Agency (CISA) have issued a joint warning, explaining that three different vulnerabilities (CVE-2018-13379, CVE-2020-12812 and CVE-2019-5591) are being abused by hackers. FortiOS versions 5.4 through 6.4 are said to be affected by the bugs.

All three are classified as high severity and each has now been patched by the vendor. The problem is that not all IT teams have applied the necessary fixes, opening their networks up to attack.

CVE-2018-13379 allows attackers to download system files from the target machine, CVE-2020-12812 lets the attacker log into the device without the need for authentication, while CVE-2019-5591 enables the interception of sensitive data in traffic by impersonating an LDAP server.

The two US government agencies claim criminals are actively scanning for systems that are yet to apply the patches, and are particularly interested in government and commercial entities. 

"The APT actors may be using any or all of these CVEs to gain access to networks across multiple critical infrastructure sectors to gain access to key networks as pre-positioning for follow-on data exfiltration or data encryption attacks," the advisory reads. 

"APT actors may use other CVEs or common exploitation techniques - such as spear-phishing - to gain access to critical infrastructure networks to pre-position for follow-on attacks."

Sead Fadilpašić is a freelance tech writer and journalist with more than 17 years' experience writing technology-focussed news, blogs, whitepapers, reviews, and ebooks. His work has featured in online media outlets from all over the world, including Al Jazeera Balkans (where he was a Multimedia Journalist), Crypto News, TechRadar Pro, and IT Pro Portal, where he has written news and features for over five years. Sead's experience also includes writing for inbound marketing, where he creates technology-based content for clients from London to Singapore. Sead is a HubSpot-certified content creator.