In a joint alert issued on April 2nd, the FBI and CISA warned that threat actors are actively scanning for Fortinet devices running vulnerable versions of FortiOS. FortiOS, in the past, has seen three (CVE-2018-13379, CVE-2020-12812, and CVE-2019-5591) significant vulnerabilities and all are being exploited currently. While it is currently not known who is performing the active scans, it is well known that APT groups have opportunistically taken advantage of these kinds of vulnerabilities to gain a foothold in many environments. Fortinet is strongly recommending that if clients are still using out-of-date devices, that they patch immediately.
Analyst Notes
With the history the three vulnerabilities have had in the past, patching vulnerable devices is urgent, especially as active exploitation is ongoing. Ensuring that logs are being shipped from FortiOS devices and actively monitored can help mitigate the risk. Fortinet has also provided guidance on how to patch or mitigate some of these vulnerabilities in the blog and knowledgebase article linked below.
References:
https://kb.fortinet.com/kb/documentLink.do?externalID=FD49410
https://www.fortinet.com/blog/psirt-blogs/update-regarding-cve-2018-13379
https://www.zdnet.com/article/fbi-cisa-warn-of-active-exploit-of-fortinet-fortios-vulnerabilities/
