Hackers are exploiting a new Fortinet firewall bug to breach company networks


Security researchers say malicious hackers are exploiting a newly discovered vulnerability in Fortinet firewalls to infiltrate corporate and enterprise networks.

In an advisory published Tuesday, security product maker Fortinet confirmed that a critical vulnerability in FortiGate firewalls, tracked as CVE-2024-55591, has been “exploited in the wild.”

Fortinet has made patches available, but security researchers have warned that hackers have been exploiting the vulnerability as a zero-day (meaning before Fortinet was aware of the vulnerability and made fixes available) since December.

This is the latest example of hackers exploiting a vulnerability in a popular business security product designed to protect corporate networks from intruders. News of the Fortinet bug came days after it was revealed that attackers exploited a separate zero-day flaw in Ivanti VPN servers, which allowed access to customers’ networks.

Cybersecurity company Arctic Wolf said in a blog post last week that its researchers observed a new “mass exploitation” campaign affecting Fortinet FortiGate firewall devices with management interfaces exposed to the public internet.

Stefan Hostetler, Arctic Wolf’s lead threat intelligence researcher, confirmed to TechCrunch that this observed exploit is linked to the newly confirmed CVE-2024-55591 vulnerability in Fortinet’s firewalls.

Hostetler told TechCrunch that Arctic Wolf “observed a cluster of intrusions affecting ten Fortinet devices,” but noted that this represented only a “limited sample compared to the actual number of devices likely to be affected.”

“The evidence points to an effort to exploit a large number of devices within a narrow timeframe,” added Hostetler.

When reached by TechCrunch, Fortinet spokeswoman Tiffany Curci declined to say how many Fortinet customers have been compromised by this hacking campaign, but said the company is “actively communicating with customers.”

It is also unclear who is behind the attacks on Fortinet’s firewalls, but cybersecurity researcher Kevin Beaumont wrote on Mastodon that the vulnerability “is under exploitation by a ransomware operator.”

Hostetler said that ransomware attacks exploiting the bug are not “off the table,” noting that in previous research, Arctic Wolf “observed affiliates of ransomware groups like Akira and Fog using some of the same network providers to establish the VPN connection.”

In a short statement on Tuesday, U.S. cybersecurity agency CISA urged Fortinet customers to update any affected devices.

In September, Fortinet disclosed a breach involving customer data after an attacker accessed a “limited number of files” stored on a third-party shared cloud drive belonging to the organization.


