Fortinet finds more malicious IPs linked to widely exploited zero-day

Fortinet Technologies Canada office on Oct. 15, 2023, in Nepean, Canada. The cybersecurity company disclosed a customer data breach on Sept. 12, 2024. · Cybersecurity Dive · iStock Editorial / Getty Images Plus via Getty Images


This story was originally published on Cybersecurity Dive.

Dive Brief:

  • Fortinet alerted customers to four new indicators of compromise for a widely exploited zero-day vulnerability in its network and security management tool FortiManager in an updated security advisory on Wednesday.

  • The cybersecurity vendor said the situation is evolving and the updates don’t reflect any major changes. “Since we worked with the hosting provider to take down the actor infrastructure, some IP IoCs have changed,” a Fortinet spokesperson said Wednesday in an email.

  • Last week, Fortinet initially disclosed active exploitation of CVE-2024-47575, a missing-authentication-for-critical-function vulnerability with a CVSS score of 9.8. Mandiant said at least 50 organizations across various industries were impacted by a spree of attacks it described as a “mass exploitation” event.

Dive Insight:

Security researchers who raised the alarm about the critical vulnerability last week haven’t reported evidence of increased exploits or follow-on malicious activity, but the potential for widening impact remains.

The Cybersecurity and Infrastructure Security Agency (CISA) issued an alert about the additional workarounds and indicators of compromise for CVE-2024-47575 on Wednesday.

Censys observed more than 4,000 exposed FortiManager admin portals online as of Wednesday, only 23 fewer exposed devices than last week, Himaja Motheram, security researcher at Censys, told Cybersecurity Dive on Wednesday.

“Users don’t seem to be limiting access to their admin panels from the public internet, but it’s possible that they’re patching them or applying workarounds,” Motheram said via email.

Exploitation of the missing-authentication-for-critical-function vulnerability in FortiManager could allow a remote, unauthenticated attacker to execute arbitrary code or commands. Attacks involved data theft, including the IPs, credentials and configuration data of FortiGate devices managed by exploited FortiManager appliances, Fortinet and Mandiant said last week.

Rapid7 has also observed active exploitation of the critical vulnerability, Caitlin Condon, director of vulnerability intelligence at Rapid7, said in a Wednesday email. “We have not yet seen a significant increase in exploit activity related to this vulnerability, but we still have several investigations in progress.”

Fortinet said the workarounds published in its original advisory were sufficient. The company continues to urge customers to implement the workarounds and patch the vulnerability via software updates.

“We have been working with CISA, and directly with customers to ensure that mitigating actions are taken in a timely manner,” the Fortinet spokesperson said.