CISA warns of exploited Fortinet bugs as Microsoft issues its biggest Patch Tuesday in years
The federal government and multiple cybersecurity firms warned of a zero-day vulnerability in FortiGate firewalls that hackers are actively exploiting.
In a sign of the bug’s severity, the Cybersecurity and Infrastructure Security Agency (CISA) ordered all federal civilian agencies to patch the vulnerability by January 21 — one of the shortest deadlines it has ever issued.
Fortinet said in an advisory that the bug is being exploited in the wild but did not say how many customers have been impacted. The company said threat actors attacking organizations with the vulnerability are creating administrative accounts on targeted devices and changing settings related to firewall policies.
Cybersecurity firm Arctic Wolf reported seeing the vulnerability being used by hackers before Fortinet disclosed the bug. The company said in early December it saw a campaign targeting FortiGate firewall devices that had interfaces exposed on the public internet, noting that a “zero-day vulnerability is highly probable.”
“The victimology in this campaign was not limited to any specific sectors or organization sizes. The diversity of victim organization profiles combined with the appearance of automated login/logout events suggests that the targeting was opportunistic in nature rather than being deliberately and methodically targeted,” the company said.
Benjamin Harris, CEO of cybersecurity firm watchTowr, told Recorded Future News that the bug is “the latest vulnerability in a mission-critical appliance (that provides security-focused capabilities) to bear the hallmarks of zero-day exploitation by an APT group.”
Harris added that it was important the public knew how severe the situation is, noting that “if rapid reaction measures have not already been taken, administrators should be jumping straight to looking for the signs of compromise outlined by Fortinet within their advisory.”
Incident responders at Rapid7 said they have seen incidents “consistent with scanning or reconnaissance activity and not exploitation.”
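The behaviours described above (new administrative accounts, changed firewall policies, and bursts of automated login/logout events) can be checked for in exported FortiGate event logs. The following is an added example, not code from Fortinet or from any vendor quoted in this article; the sample lines are constructed in FortiGate-style key=value syslog form, and the field names it keys on (action, cfgpath, cfgobj, ui) are assumptions that should be confirmed against your own device's log output.

```python
import re
from collections import Counter

# Constructed sample lines in FortiGate-style key=value syslog form. The
# field names (action, cfgpath, cfgobj, ui) are assumptions and the values
# (users, addresses, times) are invented for this example.
SAMPLE_LOGS = """\
date=2025-01-14 time=03:12:07 type="event" subtype="system" user="admin" ui="https(203.0.113.5)" action="Add" cfgpath="system.admin" cfgobj="svc_backup" msg="Add system.admin svc_backup"
date=2025-01-14 time=03:12:09 type="event" subtype="system" user="admin" ui="https(203.0.113.5)" action="Edit" cfgpath="firewall.policy" cfgobj="7" cfgattr="action[deny->accept]" msg="Edit firewall.policy 7"
date=2025-01-14 time=03:13:00 type="event" subtype="system" user="svc_backup" ui="https(203.0.113.5)" action="login" status="success" msg="Administrator svc_backup logged in successfully"
date=2025-01-14 time=03:13:01 type="event" subtype="system" user="svc_backup" ui="https(203.0.113.5)" action="logout" status="success" msg="Administrator svc_backup logged out"
date=2025-01-14 time=03:13:02 type="event" subtype="system" user="svc_backup" ui="https(203.0.113.5)" action="login" status="success" msg="Administrator svc_backup logged in successfully"
date=2025-01-14 time=03:13:03 type="event" subtype="system" user="svc_backup" ui="https(203.0.113.5)" action="logout" status="success" msg="Administrator svc_backup logged out"
date=2025-01-14 time=09:41:22 type="event" subtype="system" user="netops" ui="https(10.0.0.8)" action="Edit" cfgpath="system.dns" cfgobj="" msg="Edit system.dns"
"""

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_line(line):
    """Split one key=value log line into a dict, dropping surrounding quotes."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}

def flag_events(text, login_burst=3):
    """Return (indicator, detail, source) tuples for the three behaviours in
    the reporting: new admin accounts, firewall policy changes, and repeated
    login/logout activity from one user and source (automation hallmark)."""
    findings = []
    sessions = Counter()
    for line in text.splitlines():
        ev = parse_line(line)
        src = ev.get("ui", "")
        path = ev.get("cfgpath", "")
        action = ev.get("action")
        if action == "Add" and path == "system.admin":
            findings.append(("new_admin_account", ev.get("cfgobj", ""), src))
        elif path.startswith("firewall.policy") and action in ("Add", "Edit", "Delete"):
            findings.append(("firewall_policy_change", ev.get("cfgobj", ""), src))
        elif action in ("login", "logout"):
            sessions[(ev.get("user", ""), src)] += 1
    for (user, src), n in sessions.items():
        if n >= login_burst:
            findings.append(("login_logout_burst", f"{user} x{n}", src))
    return findings

if __name__ == "__main__":
    for finding in flag_events(SAMPLE_LOGS):
        print(*finding)
```

The routine-looking DNS edit from an internal address is deliberately left unflagged, so that the output contains only the account creation, the policy change and the login burst from the same external source.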
Old Fortinet bugs and Microsoft’s big Tuesday
Concern about the bug, tracked as CVE-2024-55591, emerged as other cybersecurity experts expressed alarm about an older zero-day vulnerability from 2022 affecting FortiGate firewalls. Prominent cybersecurity researcher Kevin Beaumont said a group of hackers this week released the configurations for about 15,000 FortiGate firewalls.
Beaumont confirmed the legitimacy of the leak and noted that the stolen data contains usernames, passwords, device management certificates and firewall rules.
“I’ve done incident response on one device at a victim org, and exploitation was indeed via CVE-2022-40684 based on artefacts on the device,” he said, referring to the older bug.
“Even if you patched back in 2022, you may still have been exploited as the configs were dumped years ago and only just released — you probably want to find out when you patched this vuln. Having a full device config including all firewall rules is… a lot of information.”
Rapid7 also looked into this issue and confirmed that some of the leaked data originated from 2022 incidents where customer firewalls were compromised.
The Fortinet bugs come after the first Patch Tuesday of 2025, in which Microsoft patched 157 CVEs — the largest number of CVEs patched in any Patch Tuesday release since 2017, Tenable senior staff research engineer Satnam Narang said.
Eight of the Microsoft bugs are zero-days, including three that were exploited and five that were publicly disclosed ahead of Patch Tuesday.
Of the bugs released, CISA ordered federal agencies to patch CVE-2025-21333 and CVE-2025-21334 by February 4.
The bugs affect a highly technical Microsoft component called Windows Hyper-V NT Kernel Integration VSP. Hyper-V is embedded in the Windows 11 operating system and is used for a variety of security tasks.
Multiple cybersecurity experts backed CISA’s assessment that CVE-2025-21333 and CVE-2025-21334 are the vulnerabilities IT workers should start with when looking at Microsoft’s Patch Tuesday release.
“Organizations relying on Hyper-V, including data centers, cloud providers, enterprise IT environments, and development platforms, are at risk,” said Mike Walters, co-founder of cybersecurity firm Action1, who warned that the bugs could be combined with others to increase their impact.
“Potential impacts include: Accessing and manipulating virtual machines on the host. Stealing sensitive data or credentials. Moving laterally within the network to target other systems. Disrupting critical services by modifying configurations or deploying malicious code.”
In addition to the Microsoft bugs, several other vendors released vulnerability notices, including Ivanti, Cisco, SAP and Google for Chrome.
Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.