Hackers are exploiting new Fortinet firewall vulnerability to compromise corporate networks

Malicious hackers have been exploiting newly discovered vulnerabilities in Fortinet firewalls to break into corporate and enterprise networks, security researchers say.

In an advisory published on Tuesday, security product maker Fortinet confirmed that a critical vulnerability in its FortiGate firewall, tracked as CVE-2024-55591, is being "widely exploited."

Fortinet has provided a patch, but security researchers warn that hackers have been exploiting the vulnerability at scale since December, when it was still a zero-day, meaning Fortinet was not yet aware of the flaw and no fix was available.

It's the latest example of hackers exploiting vulnerabilities in popular enterprise security products that are designed to protect corporate networks from intruders. News of the Fortinet vulnerability comes just days after it emerged that attackers were exploiting a separate zero-day vulnerability in Ivanti VPN servers to gain access to customers' networks.

Cybersecurity firm Arctic Wolf said in a blog post last week that its researchers observed a recent "mass exploitation" campaign affecting Fortinet FortiGate firewall appliances whose management interfaces were exposed to the public internet.

Stefan Hostetler, chief threat intelligence researcher at Arctic Wolf, confirmed to TechCrunch that the exploitation activity Arctic Wolf observed is related to the newly confirmed CVE-2024-55591 vulnerability in the Fortinet firewall.

Hostetler told TechCrunch that Arctic Wolf "observed dozens of intrusions affecting Fortinet devices," but noted that this only represents "a limited sample compared to the actual total number of devices that may have been affected."

"The evidence points to an attempt to exploit a large number of devices in a short period of time," Hostetler added.

When contacted by TechCrunch, Fortinet spokesperson Tiffany Curci declined to say how many Fortinet customers had been compromised in the attacks, but said the company was "actively communicating with customers."

It's unclear who is behind the Fortinet firewall attack, but cybersecurity researcher Kevin Beaumont wrote on Mastodon that the vulnerability "is being exploited by ransomware operators."

Hostetler said a ransomware attack that exploited the vulnerability was "not impossible," noting that in previous research, Arctic Wolf "observed affiliates of ransomware groups such as Akira and Fog using some of the same network providers to establish VPN connections."

In a brief statement on Tuesday, CISA urged Fortinet customers to update any affected devices.

In September, Fortinet disclosed a breach involving customer data after attackers accessed a "limited number of files" stored on the company's third-party shared cloud drive.