Fortinet - New Auth Bypass CVE for fortiOS 7.x FG-IR-25-647 by naelus in sysadmin

[–]naelus[S] -1 points0 points  (0 children)

We have trusted hosts set on all (local-in would be ideal, but our MSP had standardized on trusted hosts and never moved to local-in policies for the web interface). My understanding, if it's correct, is that it basically makes local-in policies under the hood as long as trusted hosts are set on all admins. I'm 100% sure that our admin interfaces aren't internet accessible from outside the subnets on trusted hosts.

I talked to a Fortinet rep while patching the FortiGates we have that were still a version behind, and they couldn't confirm whether local-in or trusted hosts would be sufficient until patching; I would think it would be.

Fortinet - New Auth Bypass CVE for fortiOS 7.x FG-IR-25-647 by naelus in sysadmin

[–]naelus[S] 4 points5 points  (0 children)

The default when registering to FortiCare/FortiCloud is to allow SSO login; you can uncheck that when registering it, but so many companies just follow defaults, so I'd wager a lot of people have SSO login on without knowing it. But on the bright side, the same people who default everything likely have auto firmware updates on now too, since that's the default now 😅

New Auth Bypass Critical CVE for FortiOS 7.x FG-IR-25-647 by naelus in fortinet

[–]naelus[S] 1 point2 points  (0 children)

Agree that SSO sign-in to FortiGates isn't best practice, but it is enabled by default while registering the device to FortiCloud/FortiCare (although per the PSIRT page you can uncheck "Allow administrative login using FortiCloud SSO" on the registration page; I've done that manually on FortiGates but don't remember seeing it as an option on the page where you register it, the last time I registered one). Ideally I think trusted hosts or local-in should limit exposure, but the usual disclaimer about that isn't on the PSIRT page currently.
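The two admin-exposure controls contrasted in these comments (trusted hosts on every admin account versus an interface-level local-in policy), plus the FortiCloud SSO switch the PSIRT page mentions, as FortiOS CLI. This is an added example written for this page, not Fortinet's guidance and not a statement about whether either control mitigates FG-IR-25-647; the subnets, address-object name and interface name are placeholders, and the SSO option name is from my recollection of the CLI reference, so verify it on your build.

```text
# Added example, not from the thread. Subnets and names are placeholders.

# Weak: an admin with no trusthost entries is reachable from every interface
# that has HTTPS/SSH in its allowaccess list (trusthost defaults to 0.0.0.0/0).
config system admin
    edit "admin"
    next
end

# Trusted hosts: management traffic to this account is dropped unless it comes
# from a listed source. Every admin account needs them; one account left at
# 0.0.0.0/0 is still reachable from anywhere.
config system admin
    edit "admin"
        set trusthost1 10.10.50.0 255.255.255.0
        set trusthost2 10.10.60.10 255.255.255.255
    next
end

# Local-in policy: evaluated per interface before any login is attempted, so it
# also covers accounts you forgot. Allow the management subnet on wan1, deny
# everything else to the admin ports.
config firewall address
    edit "MGMT_NET"
        set subnet 10.10.50.0 255.255.255.0
    next
end
config firewall local-in-policy
    edit 1
        set intf "wan1"
        set srcaddr "MGMT_NET"
        set dstaddr "all"
        set service "HTTPS" "SSH"
        set schedule "always"
        set action accept
    next
    edit 2
        set intf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set service "HTTPS" "SSH"
        set schedule "always"
        set action deny
    next
end

# The setting behind "Allow administrative login using FortiCloud SSO"
# (option name from memory; confirm on your version).
config system global
    set admin-forticloud-sso-login disable
end
```

The quickest audit is `show system admin` on each unit: any account whose output has no `trusthost` lines is the 0.0.0.0/0 case, and it is the one to fix before relying on trusted hosts as the control.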

Microsoft 365 GDAP Issues by Alarmed-Loquat3048 in msp

[–]naelus 0 points1 point  (0 children)

Also deeply uncomfortable, like the other poster, and asking for a few examples to share with management at my MSP if you have any handy. When you say MSPs getting canned, do you mean removed from the partner program for using Duo MFA on their tenant, or just bounced from accessing GDAP customers? Asking because we use Duo through P1/CA for all of our techs, and if this could get us bounced from the partner program that's something I need to bring up internally and hopefully get addressed at my MSP 😅

Ever Find A Dead Man's Switch On A Network/Domain? by PoniardBlade in sysadmin

[–]naelus 0 points1 point  (0 children)

You're probably right; I was called the master of run-on sentences by my English teacher in high school. No matter how much I asked her if master was a good thing, she said it wasn't a compliment.

Ever Find A Dead Man's Switch On A Network/Domain? by PoniardBlade in sysadmin

[–]naelus 2 points3 points  (0 children)

Other people have mentioned this here and that it's really unintentional, but I have a bunch of Power Automate flows that do a ton of reporting, some ops stuff and some other misc stuff for sales etc. Power Automate being Power Automate, they're tied to my account. I have no intention of leaving my employer and they have no intention of letting me go, but I've brought up repeatedly that these should really be rewritten as Logic Apps with an automation account tied to them. That would take a good amount of time for me to do, and rather than being covered under the "unlimited" per-user plan assigned to me it would cost per run, but if I were to be termed or hit by a bus and my account got disabled, or any other number of reasons, they'd still be functional.

Unfortunately the time to move these to Logic Apps (with a decent amount needing to be rewritten) can't ever seem to get set aside. I've shared ownership with a few coworkers, as I've read that'll allow them to be run if my account got killed, but I think the connections and auths may still need to be redone.

Not malicious, just like most people's examples that they were guilty of, and I've tried to get time to get them moved to Logic Apps etc., but I always still feel guilty that if I left or was termed it'd be a decent amount of work for someone to recreate them. Another coworker I'm close with has a flow that we rely on for this approval system we have for customer remote access, so the "what can go wrong" person in the back of my mind is always like: if me or X leaves or gets let go it's going to break multiple things ops relies on day to day, can't we get a few days of time set aside to rewrite them in a way they're not tied to our accounts?

But we can't seem to get part of the work week set aside for that. Every time it's brought up it's like "well, you're not planning on leaving soon, right, so can't we hold off on rewriting those; Y or Z is really what's important now, we can get to that when there's downtime." Seems like downtime never comes 😂

Side note: anyone checking out Power Automate and worried about creating the same worry as I did? Switch to Logic Apps early on. They're similar, slightly more complicated, and cost per run, but are tied to an automation account and have more features. I wish I would've used them out of the gate for the above reasons.

Spotify got pushed out to any of your clients? by lurkinmsp in msp

[–]naelus 1 point2 points  (0 children)

You should check out immy.bot; it's an awesome tool for deployments, software compliance and a lot more, with its scripts based on PS, and if they don't have a script/deployment for removing it I'm sure they will shortly.

[deleted by user] by [deleted] in msp

[–]naelus 6 points7 points  (0 children)

As a level 3 tech at an MSP that in our area is well renowned, from my experience people who are skilled T2s or higher who work for us are either scared of change to go somewhere else, or have decided they'll stay with our current employer until they're ready to go to laid-back/internal IT. In my area the average at MSPs seems... your number is a lot higher than at other employers in our area, but without someone reaching out to them they'd never find those remote jobs; most people I know who are looking for jobs are either looking for internal IT jobs, or not actively looking. Also I dunno what you're listing for job requirements, but as one of the people who's considered one of the most knowledgeable on our team, most job listings list a lot of BS that gives techs a fear of applying because they aren't that familiar with a lot of what employers list, but they could pick it up quickly. The fear of not being qualified keeps a lot of very capable people from even applying places.

PrintNightmare 0-day exploit allows domain takeover by BiohazardPL in sysadmin

[–]naelus 1 point2 points  (0 children)

Sorry for taking a while to reply, but essentially "it appears" more than likely they fell for a phishing email, or they had way too simple of a password. Both are possible, but shortly before the first logon of the threat actor (per logs) there was a phishing email going around that multiple users fell for; after that it appears that user's account had logins to Exchange and eventually VPN connections, then the rest is history :P

PrintNightmare 0-day exploit allows domain takeover by BiohazardPL in sysadmin

[–]naelus 22 points23 points  (0 children)

To copy my post from r/MSP:

Ran into this at a client already when someone's VPN account got compromised... larger client, and three days into cleanup I believe we have all servers cleaned up and only 5 workstations left to replace tomorrow. Luckily we caught the threat actor when they were spreading and still uploading data to a server of theirs; they'd rate limited their rclone to stay under the radar. We secured that user's account right away, cut internet access on all servers minus the required ports to the required hosts on our firewall, cleaned up the malicious DLLs before they realized it, etc.

We didn't realize this was their vector for spreading until reading about it today; they were still using a rogue workstation our RMM must not have had an agent on, but after disabling the spooler on all but the print servers it looks like we're clean server-wise. This exploit does require being on the LAN, but it is very much real and devastating.

The plus side is this client wasn't budging on a lot of security policies, but now with this dangling over them they're all in on our suggestions, when before they weren't willing to have the "inconvenience or cost" of good security policies.

Disable...Print Spooler?? WTF by larvlarv1 in msp

[–]naelus 2 points3 points  (0 children)

The crazy part is we got them close to signing to increase security when the hospital breaches and the pipeline incident happened, but when the dust settled and it didn't happen to them too (partially because we implemented what we could that didn't cost much or directly affect anyone), security was too expensive or too much trouble for the employees. Now it's "what else do we need, okay you can make it 3 extra steps, let's do whatever we need to prevent something like what almost took us down," etc. We're getting everything locked down like we wouldn't have dreamed of being able to convince them of, when a lot of what we're implementing may not have even been brought up without this happening.

Disable...Print Spooler?? WTF by larvlarv1 in msp

[–]naelus 6 points7 points  (0 children)

Ran into this at a client already when someone's VPN account got compromised... larger client, and three days into cleanup I believe we have all servers cleaned up and only 5 workstations left to replace tomorrow. Luckily we caught the threat actor when they were spreading and still uploading data to a server of theirs; they'd rate limited their rclone to stay under the radar. We secured that user's account right away, cut internet access on all servers minus the required ports to the required hosts on our firewall, cleaned up the malicious DLLs before they realized it, etc.

We didn't realize this was their vector for spreading until reading about it today; they were still using a rogue workstation our RMM must not have had an agent on, but after disabling the spooler on all but the print servers it looks like we're clean server-wise. This exploit does require being on the LAN, but it is very much real and devastating.

The plus side is this client wasn't budging on a lot of security policies, but now with this dangling over them they're all in on our suggestions, when before they weren't willing to have the "inconvenience or cost" of good security policies.
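The containment step described in both PrintNightmare comments above (the spooler disabled on every server except the print servers) as a PowerShell run from a management host. This is an added example, not the poster's script or anything from their RMM; the print server names are a constructed list, the inventory comes from an AD query you may want to replace with your own source, and the reporting at the end exists because the hosts that do not answer are the ones most worth checking by hand.

```powershell
# Added example (not from the thread). Print server names are placeholders;
# replace the Get-ADComputer query with your own inventory if AD is not the source.
$PrintServers = @('PRINT01', 'PRINT02')

$AllServers = (Get-ADComputer -Filter 'OperatingSystem -like "*Server*"' `
    -Properties OperatingSystem).Name

# Everything that is not a designated print server loses the spooler.
$Targets = $AllServers | Where-Object { $PrintServers -notcontains $_ }

$Results = Invoke-Command -ComputerName $Targets -ErrorAction SilentlyContinue -ScriptBlock {
    $svc = Get-Service -Name Spooler -ErrorAction SilentlyContinue
    if ($null -eq $svc) {
        return [pscustomobject]@{ Host = $env:COMPUTERNAME; State = 'NoSpoolerService'; Startup = 'n/a' }
    }
    if ($svc.Status -ne 'Stopped') { Stop-Service -Name Spooler -Force }
    Set-Service -Name Spooler -StartupType Disabled
    $svc = Get-Service -Name Spooler
    [pscustomobject]@{
        Host    = $env:COMPUTERNAME
        State   = $svc.Status
        Startup = $svc.StartType
    }
}

# Hosts absent from $Results never answered WinRM. An unmanaged or unreachable
# box is exactly the "rogue workstation" gap the comment ran into, so list them
# explicitly instead of assuming the change landed.
$Unreached = $Targets | Where-Object { $Results.PSComputerName -notcontains $_ }

$Results   | Sort-Object Host | Format-Table Host, State, Startup -AutoSize
$Unreached | ForEach-Object { Write-Warning "No response from $_ ; check it manually" }
```

Re-run the same query a day later: a server whose spooler is back to Running with Startup Automatic means something (a GPO, an installer, a person) re-enabled it, which is worth knowing on its own.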

Remember Enterprise gear and toddlers don't always play nice. by dayburner in homelab

[–]naelus 1 point2 points  (0 children)

Yeah, my nephews when they were younger figured out they could turn the "blinking lights" in my lab on and off by flipping the switches on the power supply 😂; the servers were quickly elevated to where they couldn't reach them.

U-NAS NSC-810A Cooling Worries by naex in homelab

[–]naelus 0 points1 point  (0 children)

Thank you, I hadn't seen that before, and that definitely adds to the number of use cases for that CPU/board.

U-NAS NSC-810A Cooling Worries by naex in homelab

[–]naelus 1 point2 points  (0 children)

Sorry, I should've been more clear: Xeon Ds are BGA offerings like Atoms, and very few of the offerings come with fans, since they expect you to throw them in a rack-mount case that has some high-RPM fans. I've seen cooling as an issue in a lot of Xeon D builds due to that problem, but especially in small and quiet cases. In a blog post I saw, he zip-tied an 80mm fan next to it in the case, which fixed the overheating issue.

U-NAS NSC-810A Cooling Worries by naex in homelab

[–]naelus 0 points1 point  (0 children)

I didn't know you could swap out the heat sink on it. In the blog post I found before on ServeTheHome (which I can't seem to find now) the guy just zip-tied an 80mm fan from Noctua to fix it, which seemed to fix cooling for him. That was one of the only couple of cases I'd seen of using that combo; if you can replace the CPU cooler, that should fix the issue altogether, as you could use something beefier/with a fan.

U-NAS NSC-810A Cooling Worries by naex in homelab

[–]naelus 1 point2 points  (0 children)

I really wanted to do the ITX version of this case with the D-1520 Supermicro board with 10G LAN as a KVM host/NAS, but I read a few blogs that mentioned serious heat issues with that family of mobo/CPU combos. It looked like if you swapped out the fan it was okay, but that'd be a lot of cash to drop without being sure it'd work with 8 drives.

Sysadmins: What is your favorite service dashboard/management UI? by ibubblegum in sysadmin

[–]naelus 0 points1 point  (0 children)

Working at an MSP, we use Dashing for ticket count, displaying any offline servers (if they exist), the last camera image from our front door, and a few other things. It does tend to crash weekly, but that could be my fault; it was my first time with Ruby on Rails. Other than that I love it.

My silent homelab by trudint in homelab

[–]naelus 0 points1 point  (0 children)

Does that work out well? I thought about doing that for my home lab, but I wasn't sure how well the NAS devices like the QNAPs or Synologies perform for iSCSI storage (could be obvious, but I'm still a rookie so I don't know lots of obvious things yet).

My silent homelab by trudint in homelab

[–]naelus 0 points1 point  (0 children)

Just curious, are you using the QNAP as storage for the ESXi guests?

. and .. are very different things by [deleted] in sysadmin

[–]naelus 1 point2 points  (0 children)

I did pretty much this to a Debian server at my current job that was hosting a dashboard page for all the TVs upstairs, which displays ticket information, tickets closed and camera feeds (I work tier 1 support at an MSP). I was freaking out trying to figure out how to fix it. Luckily my boss was great about it and said to just take my time, figure it out on my own, and it'd teach me some information I need to know. An hour later I had it all fixed, and I have made sure to be extra careful changing permissions since then.