Critical FortiOS SSL VPN vulnerability potentially under active exploitation

Cybersecurity solutions vendor Fortinet announced yesterday that it has discovered a new critical vulnerability in its FortiOS SSL VPN that is “potentially” being exploited in the wild.

The vulnerability, designated CVE-2024-21762 and provided a CVSS score of 9.6, is an out-of-bounds write vulnerability. Successful exploitation may allow a remote unauthenticated attacker to execute arbitrary code or command via specially crafted HTTP requests.

While Fortinet hasn’t indicated which threat actor may be exploiting CVE-2024-21762 and to what extent, the revelation of the flaw follows a warning from the US government about the China-linked threat actor Volt Typhoon. According to the warning, Volt Typhoon has targeted US critical infrastructure, using known and zero-day flaws in networking appliances made by Fortinet and other vendors, to maintain long-term undiscovered persistence.

Source: The Hacker News

Analysis

According to the Shadowserver Foundation, there are approximately 300,000 FortiOS SSL VPNs deployed worldwide, with the largest concentration (99,000) found in the US.

Image 1: Worldwide count of FortiOS SSL VPN appliances (Source: Shadowserver Foundation)

Given this large attack footprint, the potential to exploit the vulnerability remotely and without authentication, and the fact that it’s likely already being exploited, the impact of CVE-2024-21762 could be severe if users don’t patch their Fortinet VPNs as soon as possible.

Fortinet VPNs and other edge devices are popular targets for threat actors looking to gain a foothold into targeted networks as they are internet accessible, can be found with minimal effort using search engines like Shodan, and often don’t run anti-virus or endpoint detection and response services.

Mitigation

Field Effect’s elite team of Security Intelligence professionals constantly monitor the cyber threat landscape for vulnerabilities discovered in software, appliances, and operating systems. This research contributes to the timely deployment of signatures into Covalence to detect and mitigate the exploitation of these vulnerabilities. Covalence users were automatically notified if a FortiOS SSL VPN was detected in their environment and are encouraged to review these AROs as quickly as possible via the Covalence portal.

Field Effect strongly encourages users of Fortinet’s FortiOS SSL VPN to update to a secured version as soon as possible.

Related articles

• Volt Typhoon infiltrates networks of US critical infrastructure
• U.S. Government Disrupts Botnet People’s Republic of China Used to Conceal Hacking of Critical Infrastructure