Critical SSL VPN Flaw in FortiOS Warned by Fortinet, Potentially Exploited in Active Attacks


Fortinet has disclosed a critical security flaw, CVE-2024-21762, affecting FortiOS SSL VPN, with a CVSS score of 9.6. This vulnerability permits the execution of arbitrary code or commands via specially crafted HTTP requests. The company warns that this flaw is likely being actively exploited in the wild. The impacted versions include FortiOS 7.4, 7.2, 7.0, 6.4, 6.2, and 6.0, with specific upgrade recommendations provided.

In addition to this, Fortinet has issued patches for CVE-2024-23108 and CVE-2024-23109, affecting FortiSIEM supervisor, which allows unauthorized command execution via crafted API requests. Recent events have highlighted the exploitation of Fortinet devices by state-sponsored actors, as seen in the Netherlands government's revelation of Chinese state-sponsored infiltration using known Fortinet FortiGate flaws to deploy a backdoor named COATHANGER.

Fortinet also reported the exploitation of N-day vulnerabilities like CVE-2022-42475 and CVE-2023-27997 by various threat actors targeting governments, service providers, consultancies, and critical infrastructure organizations. Notably, Chinese threat actors have been associated with zero-day exploitation of Fortinet appliances in deploying various implants.

Furthermore, the U.S. government's advisory on the Volt Typhoon group emphasizes their exploitation of known and zero-day flaws in networking appliances, including those from Fortinet, for long-term persistence in critical infrastructure. China has denied these allegations, reciprocating with accusations against the U.S. for conducting cyber attacks.

The campaigns conducted by China and Russia highlight the increasing threat to internet-facing edge devices, which lack endpoint detection and response (EDR) support, making them susceptible to abuse. The attacks demonstrate the use of resolved N-day vulnerabilities and living-off-the-land techniques, characteristic of the Volt Typhoon group's behaviour.

CISA has confirmed active exploitation of CVE-2024-21762 and mandated fixes for federal agencies by February 16, 2024, to bolster network security against potential threats. Overall, the article underscores the critical need for organizations to promptly apply security patches and fortify defences against evolving cyber threats targeting network infrastructure.