MITRE ATT&CK Technique
Description
Adversaries may disable network device-based firewall mechanisms entirely or add, delete, or modify particular rules in order to bypass controls limiting network usage.

Modifying or disabling a network firewall may enable adversary C2 communications, lateral movement, and/or data exfiltration that would otherwise not be allowed. For example, adversaries may add new network firewall rules to allow access to all internal network subnets without restrictions.(Citation: Exposed Fortinet Fortigate firewall interface leads to LockBit Ransomware)

Adversaries may gain access to the firewall management console via [Valid Accounts](https://attack.mitre.org/techniques/T1078) or by exploiting a vulnerability. In some cases, threat actors may target firewalls that have been exposed to the internet ([Exploit Public-Facing Application](https://attack.mitre.org/techniques/T1190)).(Citation: CVE-2024-55591 Detail)
Supported Platforms
Created
April 29, 2026
Last Updated
April 29, 2026
STIX Data
{'created': '2025-09-22T18:31:06.483Z',
'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
'description': 'Adversaries may disable network device-based firewall '
'mechanisms entirely or add, delete, or modify particular '
'rules in order to bypass controls limiting network usage. \n'
' \n'
'Modifying or disabling a network firewall may enable '
'adversary C2 communications, lateral movement, and/or data '
'exfiltration that would otherwise not be allowed. For '
'example, adversaries may add new network firewall rules to '
'allow access to all internal network subnets without '
'restrictions.(Citation: Exposed Fortinet Fortigate firewall '
'interface leads to LockBit Ransomware)\n'
'\n'
'Adversaries may gain access to the firewall management '
'console via [Valid '
'Accounts](https://attack.mitre.org/techniques/T1078) or by '
'exploiting a vulnerability. In some cases, threat actors may '
'target firewalls that have been exposed to the internet '
'[Exploit Public-Facing '
'Application](https://attack.mitre.org/techniques/T1190).(Citation: '
'CVE-2024-55591 Detail)',
'external_references': [{'external_id': 'T1562.013',
'source_name': 'mitre-attack',
'url': 'https://attack.mitre.org/techniques/T1562/013'},
{'description': 'InTheCyber. (2025, March 24). '
'Exposed Fortinet Fortigate firewall '
'interface leads to LockBit '
'Ransomware (CVE-2024–55591). '
'Retrieved September 22, 2025.',
'source_name': 'Exposed Fortinet Fortigate firewall '
'interface leads to LockBit '
'Ransomware',
'url': 'https://posts.inthecyber.com/exposed-fortinet-fortigate-firewall-interface-leads-to-lockbit-ransomware-cve-2024-55591-de8fcfb6c45c'},
{'description': 'NIST NVD. (2025, January 22). '
'Retrieved September 22, 2025.',
'source_name': 'CVE-2024-55591 Detail',
'url': 'https://nvd.nist.gov/vuln/detail/CVE-2024-55591'}],
'id': 'attack-pattern--a0f84e1d-d25c-4dd1-bb26-3c0e68471530',
'kill_chain_phases': [{'kill_chain_name': 'mitre-attack',
'phase_name': 'defense-evasion'}],
'modified': '2025-10-22T00:01:58.079Z',
'name': 'Disable or Modify Network Device Firewall',
'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'],
'revoked': False,
'spec_version': '2.1',
'type': 'attack-pattern',
'x_mitre_attack_spec_version': '3.3.0',
'x_mitre_contributors': ['Marco Pedrinazzi, @pedrinazziM, InTheCyber',
'Tommaso Tosi, @tosto92, InTheCyber'],
'x_mitre_deprecated': False,
'x_mitre_detection': '',
'x_mitre_domains': ['enterprise-attack'],
'x_mitre_is_subtechnique': True,
'x_mitre_modified_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
'x_mitre_platforms': ['Network Devices'],
'x_mitre_version': '1.0'}