In a recent bulletin, cybersecurity firm Fortinet has raised alarm bells regarding a critical security vulnerability detected in FortiOS SSL VPN, warning that it’s likely being actively exploited in the wild. The flaw, identified as CVE-2024-21762 with a CVSS score of 9.6, poses a severe risk by enabling attackers to execute arbitrary code and commands remotely.
Fortinet described the vulnerability as an “out-of-bounds write” flaw, categorized under CWE-787, emphasizing that remote unauthenticated attackers could leverage specially crafted HTTP requests to exploit it. While the company acknowledged the potential exploitation in the wild, it refrained from providing detailed insights into the specific methods or actors involved in the exploitation.
The impacted versions include FortiOS 7.4 (versions 7.4.0 through 7.4.2), FortiOS 7.2 (versions 7.2.0 through 7.2.6), FortiOS 7.0 (versions 7.0.0 through 7.0.13), FortiOS 6.4 (versions 6.4.0 through 6.4.14), and FortiOS 6.2 (versions 6.2.0 through 6.2.15). Users are urged to upgrade to the respective patched versions or migrate to a fixed release to mitigate the risk. Notably, FortiOS 7.6 remains unaffected by the vulnerability.
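A defender's first step is to compare the inventory of FortiGate devices against the affected ranges above. The following is an added example, not Fortinet's code: it encodes only the ranges the advisory lists, treats anything outside them (including the 7.6 branch) as "not listed", and the device inventory is constructed sample data.

```python
"""Check FortiOS version strings against the ranges listed as affected by
CVE-2024-21762 (out-of-bounds write in SSL VPN, CWE-787).

Added example, not vendor code. Only the affected ranges named in the
advisory are encoded; fixed builds are not, since the text does not list them.
"""
import re
from typing import List, Optional, Tuple

Version = Tuple[int, int, int]

# (lowest affected, highest affected) per branch, inclusive, as stated above.
AFFECTED_RANGES = [
    ((7, 4, 0), (7, 4, 2)),
    ((7, 2, 0), (7, 2, 6)),
    ((7, 0, 0), (7, 0, 13)),
    ((6, 4, 0), (6, 4, 14)),
    ((6, 2, 0), (6, 2, 15)),
]


def parse_version(text: str) -> Optional[Version]:
    """Accept '7.4.1', 'v7.4.1' or '7.4.1 build2463' and return (major, minor, patch)."""
    m = re.search(r"\bv?(\d+)\.(\d+)\.(\d+)\b", text)
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3)))


def is_affected(version_text: str) -> bool:
    """True if the version lies inside a listed affected range.

    Tuple comparison is used deliberately: a string compare would rank
    '7.0.13' below '7.0.2' and misclassify multi-digit patch numbers.
    """
    v = parse_version(version_text)
    if v is None:
        raise ValueError(f"unrecognised FortiOS version: {version_text!r}")
    return any(lo <= v <= hi for lo, hi in AFFECTED_RANGES)


def triage(inventory: List[Tuple[str, str]]) -> List[str]:
    """Return the names of devices whose recorded version is in an affected range."""
    return [name for name, ver in inventory if is_affected(ver)]


# Constructed sample inventory (hostnames and versions are illustrative only).
SAMPLE_INVENTORY = [
    ("fw-edge-01", "v7.4.1 build2463"),  # inside 7.4.0-7.4.2
    ("fw-edge-02", "7.4.3"),             # above the listed 7.4 range
    ("fw-branch-01", "6.4.14"),          # upper bound of 6.4 range, inclusive
    ("fw-lab-01", "7.6.0"),              # 7.6 branch, stated unaffected
]
```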
The emergence of this critical flaw coincides with Fortinet’s recent issuance of patches for CVE-2024-23108 and CVE-2024-23109, impacting FortiSIEM supervisor, which similarly allowed remote unauthenticated attackers to execute unauthorized commands via crafted API requests.
Concerns surrounding active exploitation of security vulnerabilities in Fortinet products have escalated, particularly following revelations from the Netherlands government about infiltration of its armed forces’ computer network by Chinese state-sponsored actors. Exploitation of known flaws in Fortinet FortiGate devices facilitated the delivery of a backdoor named COATHANGER.
Fortinet’s own report highlighted the exploitation of N-day vulnerabilities like CVE-2022-42475 and CVE-2023-27997 by various threat actor groups targeting governments, service providers, consultancies, manufacturing entities, and critical infrastructure organizations.
Previous instances have implicated Chinese threat actors in zero-day exploitation of Fortinet appliances, deploying a range of implants such as BOLDMOVE, THINCRUST, and CASTLETAP. The U.S. government’s advisory regarding the activities of a Chinese nation-state group named Volt Typhoon further underscores the gravity of the situation. This group has been implicated in targeting critical infrastructure using known and zero-day vulnerabilities in networking appliances, including those from Fortinet, Ivanti Connect Secure, NETGEAR, Citrix, and Cisco.
Despite denials from China regarding such allegations, accusations have been exchanged, with China accusing the U.S. of conducting its own cyber attacks. The ongoing cyber campaigns by China and Russia emphasize the heightened threat landscape faced by internet-facing edge devices. These devices, which typically cannot run endpoint detection and response (EDR) agents, are increasingly vulnerable to exploitation, as demonstrated by threat actors like Volt Typhoon combining already-patched N-day vulnerabilities with “living-off-the-land” techniques.
Fortinet has emphasized the need for proactive security measures to combat these evolving threats, urging organizations to promptly apply patches, implement robust security protocols, and enhance monitoring capabilities to detect and respond to potential breaches effectively. The evolving cyber landscape underscores the importance of constant vigilance and collaboration among stakeholders to safeguard critical infrastructure and sensitive data from malicious actors.