Following a joint cybersecurity advisory from the Federal Bureau of Investigation (FBI) and the Department of Homeland Security’s (DHS) Cybersecurity and Infrastructure Security Agency (CISA) warning of potential vulnerabilities in Fortinet’s FortiOS security operating system, the company is urging customers to update their software to the latest patched versions.
Fortinet said the Common Vulnerabilities and Exposures (CVE) entries cited in the joint advisory – CVE-2018-13379, CVE-2019-5591, and CVE-2020-12812 – were patched in prior upgrades released in May 2019, July 2019, and July 2020, respectively.
“The security of our customers is our first priority,” a Fortinet spokesperson told MeriTalk. “Fortinet immediately issued a PSIRT advisory and communicated directly with customers and via corporate blog posts on multiple occasions in August 2019 and July 2020, strongly recommending an upgrade. Upon resolution, we have consistently communicated with customers, as recently as late 2020. … If customers have not done so, we urge them to immediately implement the upgrade and mitigations.”
The advisory warned that advanced persistent threat actors were exploiting these CVEs to gain access to FortiOS, Fortinet’s cybersecurity platform, to “gain access to multiple government, commercial, and technology services networks.”
Fortinet said the advisory shows that there are still devices in the field that have not been updated to the patched versions, and pointed to the three previously released advisories containing its mitigation recommendations. Fortinet also said it will move to a “Monthly Patch Tuesday” release model and add a notification service for customers.
“Despite these ongoing communications efforts and process changes, the joint advisory from FBI and CISA … provides evidence that there are still unpatched devices in the wild being abused and highlights the risk of end users not proactively updating appliances,” Fortinet said in a blog post.