Fortinet Warns of Critical FortiOS SSL VPN Flaw Likely Under Active Exploitation

Feb 09, 2024NewsroomZero Day Vulnerability / Network Security

Fortinet has disclosed a new critical security flaw in FortiOS SSL VPN that it said is likely being exploited in the wild.

The vulnerability, CVE-2024-21762 (CVSS score: 9.6), allows for the execution of arbitrary code and commands.

“An out-of-bounds write vulnerability [CWE-787] in FortiOS may allow a remote unauthenticated attacker to execute arbitrary code or command via specially crafted HTTP requests,” the company said in a bulletin released Thursday.

It further acknowledged that the issue is “potentially being exploited in the wild,” without giving additional specifics about how it’s being weaponized and by whom.

The following versions are impacted by the vulnerability. It’s worth noting that FortiOS 7.6 is not affected.

• FortiOS 7.4 (versions 7.4.0 through 7.4.2) – Upgrade to 7.4.3 or above
• FortiOS 7.2 (versions 7.2.0 through 7.2.6) – Upgrade to 7.2.7 or above
• FortiOS 7.0 (versions 7.0.0 through 7.0.13) – Upgrade to 7.0.14 or above
• FortiOS 6.4 (versions 6.4.0 through 6.4.14) – Upgrade to 6.4.15 or above
• FortiOS 6.2 (versions 6.2.0 through 6.2.15) – Upgrade to 6.2.16 or above
• FortiOS 6.0 (versions 6.0 all versions) – Migrate to a fixed release

The development comes as Fortinet issued patches for CVE-2024-23108 and CVE-2024-23109, impacting FortiSIEM supervisor, allowing a remote unauthenticated attacker to execute unauthorized commands via crafted API requests.

Earlier this week, the Netherlands government revealed a computer network used by the armed forces was infiltrated by Chinese state-sponsored actors by exploiting known flaws in Fortinet FortiGate devices to deliver a backdoor called COATHANGER.

The company, in a report published this week, divulged that N-day security vulnerabilities in its software, such as CVE-2022-42475 and CVE-2023-27997, are being exploited by multiple activity clusters to target governments, service providers, consultancies, manufacturing, and large critical infrastructure organizations.

Previously, Chinese threat actors have been linked to the zero-day exploitation of security flaws in Fortinet appliances to deliver a wide range of implants, such as BOLDMOVE, THINCRUST, and CASTLETAP.

It also follows an advisory from the U.S. government about a Chinese nation-state group dubbed Volt Typhoon, which has targeted critical infrastructure in the country for long-term undiscovered persistence by taking advantage of known and zero-day flaws in networking appliances such as those from Fortinet, Ivanti Connect Secure, NETGEAR, Citrix, and Cisco for initial access.

China, which has denied the allegations, accused the U.S. of conducting its own cyber attacks.

If anything, the campaigns waged by China and Russia underscore the growing threat faced by internet-facing edge devices in recent years owing to the fact that such technologies lack endpoint detection and response (EDR) support, making them ripe for abuse.

“These attacks demonstrate the use of already resolved N-day vulnerabilities and subsequent [living-off-the-land] techniques, which are highly indicative of the behavior employed by the cyber actor or group of actors known as Volt Typhoon, which has been using these methods to target critical infrastructure and potentially other adjacent actors,” Fortinet said.

CISA Confirms Exploitation of CVE-2024-21762

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on February 9, 2024, added CVE-2024-21762 to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation in the wild.

Federal Civilian Executive Branch (FCEB) agencies have been mandated to apply the fixes by February 16, 2024, to secure their networks against potential threats.