Dark Web News Analysis
A threat actor on a known cybercrime forum is advertising the sale of unauthorized administrative and Remote Code Execution (RCE) access to a FortiOS firewall belonging to the National Directorate of Firefighters of Colombia (Dirección Nacional de Bomberos de Colombia – DNBC).
Brinztech Analysis:
- The Target: The DNBC is the governing body for all fire departments in Colombia, managing critical emergency response coordination and resources. A breach here is a National Critical Infrastructure event.
- The Access: The seller claims “RCE, Admin, and CLI” permissions. This is the “trifecta” of compromise.
  - RCE (Remote Code Execution): Allows the attacker to run arbitrary code on the device.
  - CLI (Command Line Interface): Grants root-level control over the operating system, allowing for deep persistence and log tampering.
- The Vector: This specific capability profile (RCE + CLI) strongly correlates with the active mass-exploitation of recent critical Fortinet vulnerabilities observed in November 2025, such as CVE-2025-58034 (OS Command Injection) or CVE-2025-58325 (CLI Command Bypass). It indicates the DNBC’s perimeter is likely unpatched against these known, high-severity flaws.
Key Cybersecurity Insights
This alleged access sale presents a critical threat to public safety and national security:
- Critical Infrastructure Compromise: The incident involves a national emergency service. If a ransomware attack were launched from this foothold, it could cripple the dispatch, coordination, and communication systems used by firefighters nationwide during emergencies.
- High-Level Perimeter Control: The advertised RCE and CLI permissions grant attackers extensive control. They can disable logging, create VPN tunnels for persistent access, intercept sensitive communications, and use the firewall as a launchpad to attack internal servers.
- Initial Access Brokerage (IAB): This sale represents the “reconnaissance” phase. The IAB has breached the door and is now selling the key. The buyer will likely be a ransomware affiliate (like LockBit or BlackCat) looking to encrypt the internal network for financial extortion.
- Vulnerability Indicator: The mention of FortiOS RCE confirms that the organization is lagging in Vulnerability Management. Internet-facing security appliances must be patched within hours, not days, of a critical release.
Mitigation Strategies
In response to this claim, the DNBC and all Colombian government entities using Fortinet must take immediate action:
- Immediate Firewall Audit & Patching: Conduct an urgent audit of all FortiOS firewalls. Apply the latest firmware patches immediately to mitigate CVE-2025-58034 and related flaws. If patching is not immediately possible, disable the administrative interface on the WAN port.
- Forensic Analysis for Persistence: Assume the device is compromised. Check for unauthorized local users, suspicious CLI command history, or unknown VPN gateways created by the attacker. A simple reboot or patch may not remove a persistent backdoor.
- Enhanced Network Segmentation: Isolate critical emergency response systems (dispatch, radio, HR) from the firewall management plane. A breach of the perimeter device should not grant unrestricted access to the internal network.
- Proactive Threat Hunting: Deploy advanced monitoring solutions to analyze firewall logs for anomalous behavior, such as outbound connections to known C2 IPs or unusual data transfers.
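As an added example (not code from the original post or from Fortinet), the following Python script performs the persistence checks described in the Forensic Analysis step above against a FortiOS configuration backup: it parses the plain config/edit/set/end syntax and flags admin accounts outside an approved baseline, super_admin accounts with no trusthost restriction, and IPsec tunnels pointing at undocumented gateways. The sample configuration, the approved-admin baseline and the known-gateway list are constructed assumptions.

```python
"""Audit a FortiOS config backup for the persistence artifacts the text names."""
import shlex
# Constructed sample: admin-account and IPsec phase1 blocks from a FortiOS backup.
SAMPLE_CONFIG = """\
config system admin
    edit "admin"
        set accprofile "super_admin"
        set trusthost1 10.20.0.0 255.255.255.0
    next
    edit "svc_backup"
        set accprofile "super_admin"
    next
end
config vpn ipsec phase1-interface
    edit "hq-to-dc"
        set remote-gw 203.0.113.10
    next
    edit "tun0"
        set remote-gw 198.51.100.77
    next
end
"""
APPROVED_ADMINS = {"admin"}        # assumption: the sanctioned admin baseline
KNOWN_GATEWAYS = {"203.0.113.10"}  # assumption: the documented IPsec peers

def parse_fortios(text):
    """Parse flat config/edit/set/end blocks into {section: {object: {attr: value}}} (no nesting)."""
    sections, section, obj = {}, None, None
    for parts in filter(None, (shlex.split(line) for line in text.splitlines())):
        if parts[0] == "config":
            section = sections.setdefault(" ".join(parts[1:]), {})
        elif parts[0] == "edit" and section is not None:
            obj = section.setdefault(parts[1], {})
        elif parts[0] == "set" and obj is not None:
            obj[parts[1]] = " ".join(parts[2:])
        elif parts[0] == "end":  # 'next' needs no handling: the following 'edit' replaces obj
            section = obj = None
    return sections
def audit(config):
    """Flag unknown admins, unrestricted super_admins and unknown VPN gateways."""
    findings = []
    for name, attrs in config.get("system admin", {}).items():
        if name not in APPROVED_ADMINS:
            findings.append(f"unknown admin account: {name}")
        if attrs.get("accprofile") == "super_admin" and not any(k.startswith("trusthost") for k in attrs):
            findings.append(f"super_admin without trusthost restriction: {name}")
    for name, attrs in config.get("vpn ipsec phase1-interface", {}).items():
        if attrs.get("remote-gw") not in KNOWN_GATEWAYS:
            findings.append(f"unknown VPN gateway {attrs.get('remote-gw')} on tunnel {name}")
    return findings
```

Run `audit(parse_fortios(open("backup.conf").read()))` against a real backup taken from the device; any finding on an account or tunnel the team did not create is a persistence indicator that a reboot or patch will not remove.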
Secure Your Business with Brinztech — Global Cybersecurity Solutions
Brinztech protects organizations worldwide from evolving cyber threats. Whether you’re a startup or a global enterprise, our expert solutions keep your digital assets safe and your operations running smoothly.
Questions or Feedback? For expert advice, use our ‘Ask an Analyst’ feature. Brinztech does not warrant the validity of external claims. For general inquiries or to report this post, please email us: contact@brinztech.com