•    Fortinet has identified a critical vulnerability in FortiOS and FortiProxy. The vulnerability may allow an unauthenticated remote attacker to gain “super-admin” privileges.
•    The Fortinet vulnerability notification describes possible Indicators of Compromise (IOCs) and IPs associated with the threat actor, which may assist in identifying suspicious activity.
•    Fortinet has observed active exploitation of this vulnerability.
•    Fortinet advises that threat actors have been observed performing the following post-exploitation activities: 
•    Creating an admin account on the device with a random username.
•    Creating a Local User account on the device using a random name.
•    Creating a user group or adding the above local user to an existing SSL VPN user group.
•    Adding/changing other settings (firewall policy etc.)
•    Logging in the SSL-VPN with the above-added local users to get a tunnel to the internal network.

Affected versions/applications: 

•    FortiOS version 7.0 - 7.0.0 through 7.0.16
•    FortiProxy version 7.0 - 7.0.0 through 7.0.19
•    FortiProxy version 7.2 - 7.2.0 through 7.2.

An attacker could exploit this vulnerability to take control of the affected system.

CERTVU recommends businesses, organizations, and government entities:
•    Follow Fortinet’s published advice for affected versions.
•    Upgrade to the latest FortiOS and FortiProxy versions.
•    Investigate for potential compromise of these products, leveraging the published IOCs.
•    Monitor and investigate for suspicious activity in connected environments.
Further information and details can be found in Fortinet’s vulnerability notification.