China’s state-sponsored cyber operations—aptly nicknamed with “Typhoon” monikers—have been brewing trouble for over a decade. From Violet to Salt Typhoon, these advanced persistent threat (APT) groups have been wreaking havoc on government entities, critical infrastructure, and other high-value targets. Their evolution highlights one thing loud and clear: attackers are always one step ahead, looking for the weakest link.

But fear not—there’s a way to outpace these storms. Let’s break down what these Typhoons have been up to and how runZero brings calm to the chaos with unparalleled visibility and proactive defense.

The Typhoon Timeline: An Evolution of Threats

The Typhoon story began with Violet Typhoon, which stuck to the basics: phishing, exploiting known vulnerabilities, and going after traditional IT systems. They were your typical “steal the sensitive data and run” kind of crew.

Then came Volt Typhoon, which shifted focus to U.S. critical infrastructure. They embraced “living off the land” techniques, cleverly blending into hybrid IT and OT environments while avoiding detection. Think of them as the first innovators of the Typhoons.

Not to be outdone, Flax Typhoon targeted IoT devices like cameras and DVRs, transforming these “unimportant” devices into powerful botnets. It was a wake-up call for organizations ignoring their IoT inventory.

And now, Salt Typhoon has arrived, skillfully exploiting IT, OT, and IoT systems with alarming precision. Their primary focus? Telecommunications providers and ISPs, where they leverage trusted devices and connections to steal customer call records, compromise private communications—particularly those of individuals involved in government or political activities—and access sensitive information tied to U.S. law enforcement requests under court orders.

Why Visibility is the Game-Changer

The Typhoon saga reveals one critical truth: attackers will find the blind spots in your network. Whether it’s a forgotten IoT device, an outdated VPN concentrator, or a misconfigured firewall, these gaps become open doors for adversaries.

That’s why visibility—complete visibility—is key to staying ahead. Enter runZero.

How runZero Helps You Outmaneuver Salt Typhoon

Salt Typhoon thrives on exploiting edge devices and blending into your network. But runZero makes their job infinitely harder. Here’s how we give you the upper hand:

• Proactive Edge Discovery: With real-time scanning and unmatched fingerprinting capabilities, runZero identifies every device—routers, firewalls, switches—before attackers can. Firmware versions? Check. Misconfigurations? Double-check.
• Mapping Internal Pathways: Once inside, attackers aim to move laterally. runZero lights up internal pathways, exposing high-risk devices and connections that could serve as stepping stones for adversaries.
• Correlating Internal and External Risks: Unlike siloed tools, runZero connects the dots between internal and external assets, revealing shared vulnerabilities and dependencies. That’s insight no other platform offers.
• Risk-Based Prioritization: runZero doesn’t just throw vulnerabilities at you. It ranks them by exploitability, exposure pathways, and criticality, so you can tackle the most pressing issues first.
• Continuous Monitoring: Networks change constantly, and so do risks. With runZero’s continuous discovery, you’ll always have an up-to-date picture of your attack surface.

Actionable Insights for Real-World Defense

Need proof of what runZero can do? Let’s take CISA’s latest guidance tailored to counter Salt Typhoon’s tactics and the queries you can use in the runZero platform to identify assets at risk.

Strengthening Visibility: Monitoring: Network Engineers

If feasible, limit exposure of management traffic to the Internet. Only allow management via a limited and enforced network path, ideally only directly from dedicated administrative workstations. Do not manage devices from the internet. Only allow device management from trusted devices on trusted networks.

# Service Query
(type:router OR type:switch OR type:firewall) AND (port:80 OR port:443) AND has_public:true

Monitor user and service account logins for anomalies that could indicate potential malicious activity. Validate all accounts and disable inactive accounts to reduce the attack surface. Monitor logins occurring internally and externally from the management environment.

# Users Query
alive:t AND (
  isDisabled:true
OR
  (source:googleworkspace suspended:t)
OR
  (source:googleworkspace isEnforcedIn2Sv:f)
OR
  (has:accountExpiresTS)
OR
  (isDisabled:true)
OR
  (passwordExpired:true OR msDS-UserPasswordExpiryTimeComputedTS:<now))

Ensure the inventory of devices and firmware in the environment are up to date to enable effective visibility and monitoring. runZero can track and incorporate end-of-life data from a variety of sources.

# Asset Query
os_eol_expired:t

Monitoring: Network Engineers

Closely monitor all devices that accept external connections from outside the corporate network

# Asset Query
has_public:t

IPsec tunnel usage

# Service Query
protocol:ike

Hardening Systems & Devices: Protocols and Management Processes: Network Engineers

Additionally, as a general strategy, put devices with similar purposes in the same VLAN. For example, place all user workstations from a certain team in one VLAN, while putting another team with different functions in a separate VLAN. runZero’s innovative outlier score can help locate devices that don’t look like others in the same site.

# Asset Query
outlier:>=2

if using Simple Network Management Protocol (SNMP), ensure only SNMP v3 with encryption and authentication is used

# Service Query
protocol:snmp1 or protocol:snmp2 or protocol:snmp2c

Disable all unnecessary discovery protocols, such as Cisco Discovery Protocol (CDP).

# Service Query
protocol:cdp

Ensure Transport Layer Security (TLS) v1.3 is used on any TLS-capable protocols to secure data in transit over a network.

# Service Query
tls.supportedVersionNames:"SSL" OR tls.supportedVersionNames:"TLSv1.0" OR tls.supportedVersionNames:"TLSv1.1" OR tls.supportedVersionNames:"TLSv1.2"

Disable Secure Shell (SSH) version 1.

# Service Query
banner:"SSH-1"

Hardening Systems & Devices: Protocols and Management Processes: Network Defenders

Disable any unnecessary, unused, exploitable, or plaintext services and protocols, such as Telnet, File Transfer Protocol (FTP), Trivial FTP (TFTP), SSH v1, Hypertext Transfer Protocol (HTTP) servers, and SNMP v1/v2c

# Service Query
protocol:telnet OR protocol:ftp OR protocol:tftp OR banner:"SSH-1" OR (protocol:http AND NOT protocol:tls) OR protocol:snmp1 OR protocol:snmp2 OR protocol:snmp2c

Conduct port-scanning and scanning of known internet-facing infrastructure

# Service Query
has_public:t

The Final Word

The Typhoon threat is real, but with runZero, you don’t have to weather the storm alone. Whether you’re facing state-sponsored attackers like Salt Typhoon or just trying to get a handle on your sprawling network, runZero does more than uncover what’s hiding in your network—we redefine what’s possible in exposure management. Our agentless, credential-free approach means you get instant insights without the hassle. And our advanced fingerprinting technology? It’s second to none, giving you detailed device profiles that competitors can only dream of.

But it’s not just about tech; it’s about speed and adaptability. As networks grow more complex and threats more advanced, runZero ensures you’re always one step ahead of these Typhoons no matter how their tactics evolve. From shadow IT to unmanaged IoT, we uncover everything—because the very things you didn’t know existed are exactly what these attackers are looking for.

Uncover the unmanaged and unknown to meet hidden risk requirements

With the Digital Operational Resilience Act (DORA) set to take effect on January 17th, 2025, financial institutions across the European Union must prepare to meet stringent regulatory requirements. At its core, DORA mandates resilience in Information and Communication Technology (ICT) systems, covering five primary pillars:

1. ICT risk management

2. Incident reporting

3. Resilience testing

4. Third-party risk management

5. Information sharing

While these pillars seem straightforward, the implementation has a hidden complexity in meeting standards: unmanaged and unknown assets. These devices—ranging from decentralized IT assets to unconventional (but highly-interconnected ) IoT and OT devices—are notoriously hard to identify and secure.

Why are these unmanaged and unknown devices such a critical focus of DORA? The answer lies in their profound impact on the regulatory pillars. These assets, often hidden in the shadows of your environment, don’t just represent gaps in visibility—they create vulnerabilities that ripple through every aspect of operational resilience.

Consider this: over 60% of connected devices are invisible to defenders, and unmanaged assets were linked to 7 out of 10 breaches last year. To truly grasp the gravity of this problem, let’s explore how these blind spots hinder compliance across DORA’s relevant pillars—and what it takes to close those gaps effectively.

To truly meet DORA’s requirements, you need complete visibility into your environment. Unmanaged and unknown assets are like puzzle pieces left out of the box; they make it impossible to see the full picture. Discovery and management of all your assets are the true foundation of compliance and resilience. Relying solely on traditional discovery and vulnerability management tools often leaves critical gaps, potentially putting you at risk of non-compliance—or worse, exposing your organization to security threats.

That’s where runZero comes in. Unlike traditional tools, runZero uncovers the unmanaged, unknown, and shadow IT assets that others miss using novel discovery and scanning techniques. In fact, enterprises on average find 25% more assets with runZero than they were previously aware of. Our objective is to provide you with unparalleled visibility across IT, OT, IoT, including those assets that aren’t actively managed. By layering in-depth fingerprinting data and detailed insights into vulnerabilities and exposures, runZero helps you to close those gaps, meet DORA’s requirements with confidence, and build a stronger, more resilient ICT environment.

The high-level overview of how runZero aligns with DORA’s pillars demonstrates its powerful capabilities. However, to truly appreciate its impact, let’s explore how runZero directly maps to specific DORA articles, such as Articles 6, 7, 8, and 9. These articles outline the actionable steps required for ICT risk management, resilience, and collaboration. The section below also illustrates how runZero goes beyond compliance to deliver operational excellence.

Article 6: ICT risk management framework

What DORA requires:

• Develop a framework to identify, assess, and mitigate ICT risks.

• Address risks tied to internal systems, third-party services, and external threats.

Key challenges:

• ICT risk management frameworks often rely on incomplete inventories.

• Without identification of all assets and understanding device interdependencies, assessing impact and mitigation strategies is guesswork.

How runZero helps:

runZero supports the creation and maintenance of ICT risk management frameworks by delivering advanced asset discovery, continuous monitoring of IT, OT, IoT, and unmanaged devices, and identifying vulnerabilities and security control gaps.

1. Complete asset discovery:

   • Identifies all IT, OT, IoT, and unmanaged devices using active scanning, passive scanning, and integrations.

   • Incorporates external scanning to identify assets and monitor risks on the edge, ensuring comprehensive visibility across both internal and external attack surfaces.

   • Accurately and precisely fingerprints assets providing deeper insights for more accurate risk assessment and mitigations.

   • Detects shadow IT and rogue devices not visible to traditional tools.

2. Risk interdependency mapping:

   • Maps relationships between assets, revealing critical dependencies.

   • Identifies single points of failure, such as connections between essential systems and vulnerable third-party services.

3. Risk monitoring:

   • Identifies issues beyond CVEs, such as misconfigurations, segmentation weaknesses, insecure services, EoL, policy violations, etc.

   • Monitors for emerging risks and zero-day vulnerabilities through the Rapid Response Program, enabling swift identification of vulnerable assets without the need for rescanning.

   • Tracks changes in device configurations and interdependencies.

   • Uses safe scanning to identify fragile devices without the risk of disrupting operations.

   • Alerts on deviations, such as newly connected devices or unexpected configuration changes, that introduce new risks.

4. Enriched risk context:

   • Integrates with a broad range of existing security solutions in your stack to provide enriched asset data, improving risk analysis and prioritization.

Outcome:
runZero ensures that your ICT risk management framework is underpinned by a complete and up-to-date view of all assets, enabling precise risk assessment, mitigation, and operational resilience.

Article 7: ICT systems, protocols, and tools

What DORA requires:

• Implement secure ICT systems and tools designed to safeguard the organization’s digital infrastructure from unauthorized access and cyber threats.

• Maintain a complete and continuously updated inventory of ICT assets.

• Conduct regular resilience testing through vulnerability assessments and security audits.

Key challenges:

• Legacy discovery tools fail to capture non-traditional protocols or devices outside standard IT ecosystems.

• Inventory updates are often manual, leading to outdated or incomplete data.

• Testing often overlooks unmanaged or obscure devices, leaving blind spots.

How runZero helps:

With runZero, you gain visibility into your IT, OT, and IoT assets, ensuring every device in your environment is tracked and accounted for. This gives you the deep insight needed to uncover vulnerabilities, misconfigurations, and insecure protocols while mapping interdependencies to reveal hidden security gaps. By spotlighting all assets and exposures, runZero helps you ensure nothing is overlooked, empowering you to make more accurate assessments and build stronger defenses.

1. Complete, up-to-date inventory management:

   • Provides comprehensive visibility into both internal and external assets, including IT, OT, and IoT devices to ensure all systems are tracked.

   • Regularly updates asset data through continuous monitoring, maintaining up-to-date visibility into the network’s infrastructure.

   • Discovers unknown and unmanaged devices that may not have been previously tracked, ensuring that all assets are accounted for.

   • Updates inventories continuously through automated scanning, ensuring accuracy.

2. Informs security of ICT systems, protocols, and tools:

   • Identifies CVEs and non-traditional vulnerabilities, such as insecure services and segmentation weaknesses, that compromise infrastructure.

   • Continuously monitors for new or unexpected devices, ensuring prompt response to unauthorized access attempts.

   • Detects outdated or misconfigured protocols like SMBv1, Telnet, or unencrypted HTTP.

   • Maps interdependencies between systems, helping organizations understand how internal and external assets interact including gaps or deficiencies in security controls and segmentation weaknesses

3. Resilience testing optimization:

   • Ensures that all assets, including hidden and rogue devices, are included in vulnerability assessments and threat-based testing procedures.

   • Supports more accurate threat assessments by continuously updating data on internal and external attack surfaces, even as they change.

   • Provides detailed context for each device, such as OS versions, open ports, and known vulnerabilities (CVEs), to prioritize testing efforts.

4. Third-party tool integration:

   • Integrates with vulnerability management and endpoint security tools to enhance testing scopes and ensure no assets are missed.

Outcome
runZero delivers detailed asset visibility, empowering your teams to secure ICT systems and conduct comprehensive resilience testing with confidence.

Article 8: Identification of critical assets

What DORA requires:

• Identify and prioritize critical ICT assets and services.

• Map interdependencies between systems to understand potential cascading failures.

• Continuously monitor critical assets for emerging risks.

Key challenges:

• Identifying critical assets isn’t just about visibility; it requires understanding each device’s function, connectivity, and risk profile.

• Interdependency mapping is complex, particularly when third-party services or legacy systems are involved.

• Monitoring is often siloed, missing broader network impacts.

How runZero helps:

runZero gives you full visibility into your critical IT, OT, and IoT assets, maps out how they’re connected, and spots risks like vulnerabilities or misconfigurations. By continuously keeping an eye on everything, it helps you stay ahead of threats and keep your most important systems secure.

1. Critical asset discovery:

   • Identifies critical devices and services through advanced fingerprinting techniques.

   • Highlights assets critical to business operations based on their roles and interdependencies.

2. Comprehensive risk mapping:

   • Maps interdependencies across IT, OT, IoT, and third-party systems.

   • Visualizes network connections and highlights cascading risks from single points of failure.

   • Combines detailed internal fingerprinting with external data sources to uncover hidden risks such as shared cryptographic keys, cloned assets, and overlooked misconfigurations that EASM tools miss.

   • Highlights network segmentation issues.

3. Risk prioritization:

   • Assesses vulnerabilities in critical systems, including software versions, configuration issues, and exposure levels.

   • Monitors for emerging risks and zero-day vulnerabilities through the Rapid Response Program, enabling swift identification of vulnerable assets and timely remediation.

   • Assesses and prioritizes externally facing assets as critical, highlighting high-risk targets with vulnerabilities or misconfigurations that could expose the organization to external threats.

   • Flags critical assets with high-risk vulnerabilities or misconfigurations.

4. Continuous monitoring:

   • Tracks changes in critical systems, such as new software vulnerabilities or configuration deviations.

   • Monitors for emerging threats, such as exploits targeting specific device types.

Outcome:
runZero provides a detailed, dynamic understanding of critical assets, their risks, and their interdependencies, enabling your team to make more informed decision-making and proactive risk mitigation.

Article 9: Protection & prevention

What DORA requires:

• Regularly update software and apply security patches.

• Address vulnerabilities promptly to minimize risks across systems.

Key challenges:

• Legacy systems and IoT devices often have unique patching challenges, such as vendor-specific firmware updates.

• Traditional vulnerability management tools struggle to identify end-of-life (EOL) systems or devices with no official CVEs.

How runZero helps:

With runZero, you get actionable insights to identify vulnerabilities, enforce security policies, monitor patch status, and stay ahead of emerging risks—ensuring your protection and prevention measures, from IT to IoT, are secure and compliant.

1. Vulnerability identification:

   • Monitors for emerging risks and zero-day vulnerabilities through the Rapid Response Program, enabling swift identification of vulnerable assets without the need for rescanning.

   • Detects outdated software and unpatched systems across all device types, including OT and IoT.

   • Highlights vulnerabilities in non-traditional assets, such as smart cameras or building management systems.

2. Policy enforcement:

   • Flags misconfigurations, insecure protocols, and policy violations on a continuous basis.

   • Identifies segmentation weaknesses that expose critical systems to lateral movement attacks.

3. Patch monitoring:

   • Tracks patch status for all devices, ensuring critical systems are prioritized.

   • Identifies EOL systems, providing actionable recommendations for replacements or compensating controls.

4. Time-sensitive risk updates:

   • Monitors the external attack surface for vulnerabilities in known or unknown assets exposed on the network edge, ensuring timely detection and mitigation of risks.

   • Continuously monitors for new vulnerabilities or exploits targeting devices in your environment.

   • Alerts on deviations from secure configurations, such as weakened encryption protocols.

Outcome:
runZero empowers your team to proactively manage patching and configuration efforts, ensuring no vulnerabilities are left unchecked—even in unconventional or legacy systems.

runZero: Your Partner in DORA Compliance

Compliance with DORA is a monumental challenge that requires comprehensive asset visibility and continuous exposure management. runZero’s capabilities go beyond traditional solutions, offering financial institutions a unified solution to:

• Discover all assets, including IT, OT, IoT, and unmanaged devices.

• Monitor continuously for new vulnerabilities, changes, and risks across your completed attack surface..

• Provide detailed data to enrich security and compliance workflows.

With runZero, you can bridge the gaps that traditional tools leave behind, ensuring not just compliance, but true resilience against today’s evolving cyber threats.

Latest vCenter vulnerabilities

Broadcom has issued a security advisory for VMware vCenter that indicates that one of the two vulnerabilities disclosed on the 17th of September, 2024,  CVE-2024-38812, which was fully patched by October 21, is under active exploitation in the wild.

This vulnerability has a CVSS score of 9.8, which is considered highly critical.

What is the impact?

An attacker with remote access to a vulnerable system could send specially crafted requests that could trigger a heap-overflow and result in remote code execution or privilege escalation into root.

Are updates or workarounds available?

Broadcom has issued patches to resolve both vulnerabilities. Reference the Response Matrix section of the advisory for the appropriate fixed version to apply in your environment.

How to find potentially vulnerable systems with runZero

From the Asset Inventory, use the following query to locate systems running potentially vulnerable software:

product:vCenter

CVE-2024-38812 and CVE-2024-33813 (September 2024)

Broadcom has issued a security advisory for two vulnerabilities that affect VMware vCenter, which exists in both VMware vSphere and VMware Cloud Foundation products.

• CVE-2024-38812 is rated critical with CVSS score of 9.8, and potentially allows for remote code execution.

• CVE-2024-38813 is rated high with CVSS score of 7.5, which can result in privilege escalation into root.

What is the impact?

An attacker with remote access to a vulnerable system could send specially crafted requests that could trigger a heap-overflow and result in remote code execution or privilege escalation into root.

Are updates or workarounds available?

Broadcom has issued patches to resolve both vulnerabilities. Reference the Response Matrix section of the advisory for the appropriate fixed version to apply in your environment.

How to find potentially vulnerable systems with runZero

From the Asset Inventory, use the following query to locate systems running potentially vulnerable software:

product:vCenter

Latest Fortinet vulnerabilities 

Fortinet has issued advisories for its FortiAnalyzer, FortiAnalyzer-BigData, FortiManager, and FortiOS products.

• CVE-2023-50176 detailed in FG-IR-23-475 is rated high with a CVSS score of 7.1, and may allow an unauthenticated attacker to hijack a user session.
• CVE-2024-23666 detailed in FG-IR-23-396 is rated high with a CVSS score of 7.1 and may allow an authenticated, read-only user the ability to execute “sensitive operations”.

What is the impact?

CVE-2024-23666, which affects FortiAnalyzer and FortiManager products, requires that an attacker (or malicious user) is authenticated against the system. A read-only user can potentially execute sensitive operations through crafted requests, bypassing client-side enforcement through the web interface. CVE-2023-50176, which affects the SSLVPN component of FortiOS, is a session fixation vulnerability that allows an unauthenticated attacker the ability to hijack an authenticated user’s session via a “phishing SAML authentication link”.

Are updates or workarounds available?

The vendor has released patches for all affected products. They recommend following the upgrade path using their upgrade tool.

How to find potentially vulnerable systems with runZero

From the Asset Inventory, use the following query to locate systems running potentially vulnerable software:

hw:FortiManager OR hw:FortiAnalyzer OR os:FortiOS

March 2024

On March 12th, 2024, Fortinet disclosed several vulnerabilities in their FortiOS, FortiProxy, and FortiClient products:

• FG-IR-23-328 – a buffer overflow vulnerability in the handling of form-based authentication in the FortiOS and FortiProxy captive portals, allowing remote, unauthenticated attackers to execute arbitrary code. This vulnerability has been assigned CVEs CVE-2023-42789 and CVE-2023-42790. These vulnerabilities have a CVSS score of 9.3, indicating that they are critical.

• FG-IR-24-007 – a SQL injection vulnerability in the FortiClient Enterprise Management Server. This vulnerability has been designated CVE-2023-48788, and has been given a CVSS score of 9.8 (critical).

• FG-IR-23-390 – a log injection vulnerability in the FortiClient Enterprise Management Server. This vulnerability has been assigned CVE-2023-47534 and a CVSS score of 7.7 (high).

• FG-IR-23-103 – a remote code execution vulnerability in the FortiManager product. This vulnerability has been designated CVE-2023-36554 with a CVSS score of 7.7 (high). Note that the vulnerable subsystem is not installed by default.

• FG-IR-23-013 – an information disclosure vulnerability in the FortiGuard SSL-VPN product. This vulnerability has been designated CVE-2024-23112 and given a CVSS score of 7.2 (high).

How to find FortiOS, FortiProxy or FortiClient operating systems

From the Asset Inventory, use the following query to locate assets running the FortiOS or FortiProxy operating systems, which may be vulnerable:

os:"FortiOS" OR os:"FortiProxy"

Additionally, from the Services Inventory, use the following query to locate potentially vulnerable systems:

html.title:="FortiClient Endpoint Management Server"

CVE-2024-21762 (February 2024)

On February 8th, 2024, Fortinet disclosed a serious vulnerability in their FortiOS operating system, used by multiple Fortinet products.

The issue, CVE-2024-21762, allowed attackers to execute arbitrary code on vulnerable devices. The vendor has indicated that this is a critical vulnerability. The vendor reports that there are indications that this vulnerability may be actively exploited in the wild. Upon successful exploitation of these vulnerabilities, attackers could execute arbitrary code on the vulnerable system.

Fortinet released an update to mitigate this issue and all users were urged to update immediately. Additionally, the vendor indicated that disabling the SSL-VPN functionality of the device would mitigate the issue.

How to find FortiOS devices

From the Asset Inventory, use the following query to locate assets running the FortiOS operating system which may potentially be vulnerable:

os:"FortiOS" AND tcp:443

CVE-2022-40684 (October 2022)

News surfaced in October 2022 of a critical authentication bypass vulnerability present in the web administration interface of some Fortinet products. Successful exploitation of this vulnerability (tracked as CVE-2022-40684) via crafted HTTP and HTTPS requests could provide remote attackers with admin-level command execution on vulnerable FortiOS devices including FortiGate firewalls, FortiProxy web proxies, and FortiSwitchManager assets.

With a CVSS critical score of 9.6, attackers running admin-level commands on compromised assets may have had the ability to persist presence, explore connected internal networks, and exfiltrate data. At the time Fortinet was aware of at least one exploit of this vulnerability in the wild, and Bleeping Computer offered a Shodan search showing more than 140k publicly accessible FortiGate devices potentially running vulnerable FortiOS. Additionally, security researchers with Horizon3.ai planned on publishing an exploit PoC. For admins wanting to check if a FortiOS/FortiProxy/FortiSwitchManager asset had been exploited, Fortinet provides an indicator of compromise (see the “Exploitation Status” section).

Fortinet called out the vulnerable FortiOS, FortiProxy, and FortiSwitchManager versions in their advisory and had made updates available for affected products. Admins were advised to ensure that affected models were updated to the latest version as soon as possible. If updates could not be completed in the near term, Fortinet provided some mitigation steps (see the “Workaround” section) that could be taken to secure vulnerable assets.

How to find FortiOS, FortiProxy, and FortiSwitchManager assets

From the Asset Inventory, runZero users entered the following pre-built query to locate FortiOS, FortiProxy, and FortiSwitchManager assets:

os:FortiOS or product:FortiProxy or product:FortiSwitchManager

Latest FortiManager vulnerability 

Fortinet has issued an advisory for its Fortinet FortiManager product. The vendor confirms that this vulnerability is being actively exploited in the wild.

This vulnerability has been designated CVE-2024-47575 and has been assigned a CVSS score of 9.8 (extremely critical).

Note that this vulnerability is the same one discussed in an earlier version of this blog post, prior to vendor confirmation.

What is the impact?

The vulnerability would allow remote code execution by an attacker with upon connection to a FortiManager instance. Attackers need to have a valid Fortinet device certificate, but this certificate can be obtained from an existing Fortinet device and reused.

Successful exploitation of this attack is reported to allow remote code execution, potentially leading to total compromise of the vulnerable system.

The vendor has released a list of indicators of compromise (IOCs); users are encouraged to use this list to determine if a system has been successfully attacked.

Are updates or workarounds available?

The vendor has released updates and mitigation strategies to address this issue, and the vendor advises users to update as quickly as possible. Mitigation strategies include disabling the affected service and denying registration to systems with unknown serial numbers.

How to find potentially vulnerable systems with runZero

From the Asset Inventory, use the following query to locate systems running potentially vulnerable software:

hw:FortiManager