Fortinet zero-day exploited

Suspected Fortinet zero-day exploited in the wild www.pwndefend.com/2025/11/1…

This week's been an interesting one. I've been doing quite a bit of research recently with my friend Simo from Defused defusedcyber.com. Simo has built a new emulated honeypot platform, and anyone who knows me knows I love honeypots, deception and intel sharing to help defenders and to impose cost on the baddies! (technical terms here ok!)

So what's the deal? Right, so going back a bit, in October a payload was noticed against Fortinet firewall devices. Turns out this may be a zero-day path traversal vulnerability (shocked, a vulnerability in this is unheard of /S).

So this is already public and already being sprayed over the internet. There's always a concern here when we think about how much intel to share/publish etc. So I'm not going to write the full details, but I will give enough to help with detection logic (someone else is free to do more, that's their own choice!).

This payload appears to create a local 'admin' level user account on the target device. I've not got a Fortinet firewall running, so I've not been able to confirm the effect works myself. This is, however, looking like enough to the point that I believe the vendor has been notified, and it looks 'exploity' enough for me to even consider writing about this. 0day or not, this is being sprayed; we can see this in logs. The key thing as always is to not panic. If you have a Fortinet with an exposed management interface (WHY?) then I would suggest taking some time to go and investigate.

Edward Kiledjian @ekiledjian