Fortinet is urging customers to upgrade to the most recent firmware releases after malicious hackers were found exploiting a previously disclosed vulnerability.
The company is warning that the newly reported vulnerability has been exploited in the wild. The Cybersecurity and Infrastructure Security Agency is urging users and administrators to read the new guidance and apply upgrades.
The latest activity was discovered following an internal investigation into previous exploitation activity going back to the beginning of the year.
Fortinet in January found that a heap-based buffer overflow was being used in attacks by a sophisticated attacker on governments and government-related targets. With an exploit that was seen in the wild, a remote attacker could use the vulnerability, CVE-2022-42475, to take control of a targeted system.
Fortinet conducted a code audit and found additional issues in the SSL-VPN module, and outside researchers from LexFo disclosed a vulnerability that could be exploited pre-authentication.
A ripe target
SSL-VPN products have become an increasingly popular target for sophisticated hackers.
“Over the past five years, there’s been a persistent trend of vulnerabilities in SSL-VPN products such as those from Citrix, Pulse Secure and Fortinet being targeted,” Satnam Narang, senior staff engineer at Tenable, said via email.
“These flaws have not only been exploited by ransomware groups but also by nation-state aligned threat actors with a particular focus on flaws in Fortinet devices,” he said.
Rapid7 researchers noted there were more than 210,700 FortiGate devices with the SSL-VPN component exposed to the internet. The majority are located in the U.S., with Japan and Taiwan representing smaller markets.
The new warnings come just weeks after Fortinet was linked to the state-sponsored Volt Typhoon attacks against U.S. critical infrastructure. U.S. authorities and researchers warn state-linked actors may be trying to eventually cut off U.S. communications with Asia, amid rising tensions between the U.S. and China.
The Volt Typhoon attacks are abusing Fortinet FortiGuard devices to access companies and leverage home networking equipment. While the attacks are not directly linked, Fortinet warned there are malicious actors that will continue to exploit unpatched vulnerabilities.
Scott Caveza, staff research engineer at Tenable, said that while there is no known connection with Volt Typhoon, the group has been known to exploit CVE-2022-40684, a critical authentication bypass in Fortinet that was patched in October 2022.