2024 brought a record number of vulnerabilities

Last year, over 40,000 security vulnerabilities were reported. These affected popular content management systems, network devices, and e-commerce platforms, among others. Much to the advantage of attackers, users of vulnerable software were often slow to update it.

The second week of August started with an alarming incident at the Estonian Transport Administration. After a security system flagged suspicious activity on the organisation’s network, a closer investigation soon revealed an unpleasant truth: an attacker had compromised the system used to manage the agency’s computers and devices and gained administrator-level access. Although initial concerns arose that data might have been stolen, a subsequent investigation ruled this out.

The solution used for the agency’s remote device management was Fortinet’s FortiClient EMS. This software had a critical vulnerability (CVE-2023-48788), disclosed by Fortinet on 12 March, along with a new version addressing the issue. Unfortunately, the Transport Administration had not installed this essential update. Attackers found the vulnerable system, exploited the weakness, and breached the network.

Figure. Number of reported vulnerabilities 2015–2024. 6,487 in 2015; 16,643 in 2017; 28,817 in 2023 and 40,008 in 2024.

One of many

Unfortunately, there are many such stories involving both public- and private-sector organisations.

In early February, a government agency reported that its VPN servers had been compromised. The attack, which began in January, exploited vulnerabilities in Ivanti software that had been publicly disclosed just 12 days earlier.

In August, CERT-EE alerted the administrator of an online store about a critical vulnerability in their Magento platform. Unfortunately, the store owner did not act on the warning, and in November, the online store was compromised using that same vulnerability.

CERT-EE actively scans Estonia’s cyberspace for systems with critical vulnerabilities. When such websites or devices are identified, their owners are notified and advised on how to fix the issues.

In 2023, CERT-EE issued 2,427 notifications; last year, this number more than tripled to 7,955. Of these, the largest share – 2,462 – were warnings about vulnerabilities in WordPress and its plugins, while 263 related to vulnerabilities in Magento. Hundreds of notifications were also sent to owners of network devices and management systems with critical vulnerabilities.

CERT-EE discovered a critical vulnerability in Palo Alto software

CERT-EE identified and documented a critical vulnerability (CVE-2024-3393) in devices running Palo Alto Networks’ operating system, PAN-OS. The vulnerability allowed attackers to send a specially crafted malicious network packet that caused the firewall to freeze, leaving it in a denial-of-service state. In that state, the firewall halts all network traffic, which disrupts internet connectivity and disables online services reliant on the network.

Working in collaboration, CERT-EE and Palo Alto engineers identified the root cause of the issue, and Palo Alto released an updated version of PAN-OS to address the vulnerability.

Exploiting a zero-day vulnerability in Estonia

On 23 October, information about a zero-day vulnerability in FortiManager (CVE-2024-47575) was made public. This vulnerability in a critical FortiManager function allowed attackers to execute arbitrary commands within the system due to the absence of authentication.

Fortinet had warned its clients about the potential vulnerability a few days earlier, advising them to update the software and implement additional protective measures. However, in Estonia, this vulnerability was already exploited on 22 October, with attackers gaining control of two servers belonging to one organisation.

How to protect yourself against the exploitation of vulnerabilities

  • Keep the operating systems, firmware, applications and other software on all your systems up to date.
  • Replace outdated devices that are no longer supported with security updates from the manufacturer.
  • Protect your network and administrative interfaces. Utilise VPNs and limit access to devices, particularly system management interfaces, to specified IP addresses only.

Global trends

The number of reported vulnerabilities surged in 2024, reaching 40,008 globally – a one-third increase from the 28,817 identified in 2023.

Global trends included the exploitation of zero-day vulnerabilities in the firmware of network devices and network management systems. For example, two zero-day vulnerabilities in Ivanti software (CVE-2023-46805 and CVE-2024-21887) were exploited by groups linked to China. These vulnerabilities allowed attackers to bypass authentication and inject commands.

Cybercriminals also continued to target devices with older, known vulnerabilities, often exploiting them for ransomware attacks or adding them to botnets.

As in previous years, numerous critical vulnerabilities were discovered in web content management systems and e-commerce software.

The prevalence of zero-day vulnerabilities and the ongoing exploitation of older vulnerabilities highlight the need for a systematic approach to this issue. Organisations must establish and follow vulnerability management processes and bolster their network security with additional protective measures.

Last updated: 17.02.2025
