- Threat actors are actively exploiting a critical remote code execution vulnerability in Fortinet’s FortiOS operating system, the Cybersecurity and Infrastructure Security agency said Friday.
- CISA added the out-of-bound write vulnerability, CVE-2024-21762, to its known exploited vulnerabilities catalog one day after Fortinet issued a patch and workaround for the CVE in a Thursday security advisory. The vulnerability, which unauthenticated attackers can exploit to execute arbitrary code or commands, has a CVSS score of 9.8 out of 10.
- Fortinet advised customers to upgrade or migrate to patched versions of FortiOS and the FortiProxy secure web gateway. Customers using these devices can also disable SSL VPN as a workaround, according to Fortinet.
The advisory and active exploitation of Fortinet appliances comes as federal cyber authorities and intelligence officials last week warned about active intrusions and ongoing malicious activity targeting networking infrastructure in critical infrastructure providers in the U.S.
China state-linked actors, including Volt Typhoon and others, are using living off the land techniques to mask their activities and embed into networking equipment. Some established footholds date back to 2019.
CISA and Fortinet declined to answer questions about the level of exploit activity, or the identity and motivations of threat actors targeting the Fortinet CVE. Researchers haven’t attributed the exploits to a specific threat group.
“These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise,” CISA said in its advisory.
Rapid7 researchers said recent Fortinet SSL VPN vulnerabilities have been exploited by threat actors as zero-days and n-days following public disclosure.
”Zero-day vulnerabilities in Fortinet SSL VPNs have a history of being targeted by state-sponsored and other highly motivated threat actors,” Rapid7 said Monday in a blog post.
CISA ordered federal civilian executive branch agencies to remediate the vulnerability in FortiOS and FortiProxy devices by Feb. 16.