
November 19, 2024

Fortinet VPN zero-day exploited by Chinese threat actor


A Chinese threat actor known as BrazenBamboo has been observed exploiting a zero-day vulnerability in Fortinet’s FortiClient VPN for Windows.

The flaw, which has not yet been assigned a CVE designation, is leveraged by the group's DeepData post-exploitation tool to extract usernames, passwords, and VPN server details directly from memory after a user authenticates. The stolen credentials then provide initial access to corporate networks for espionage.

DeepData is a modular post-exploitation tool for Windows that has multiple plugins to enable data theft. In addition to its credential extraction ability, the tool can record audio, collect data stored in browsers, and steal data from social media applications.


The zero-day was discovered and disclosed to Fortinet in July 2024; however, Fortinet has not yet released a fix. The flaw only affects recent releases of FortiClient VPN for Windows, implying that it is likely tied to recent changes in the software.

Until a patch is released, impacted users are encouraged to restrict VPN access and monitor for suspicious login activity.

Source: Bleeping Computer

Analysis

Given that this vulnerability was originally disclosed in July 2024, it’s unclear why Fortinet still hasn’t addressed it.

Fortinet devices have a long history of being plagued with vulnerabilities, many of which are exploited as zero-days.

In October 2024, a separate zero-day vulnerability designated CVE-2024-47575 and since dubbed "FortiJump," enabled threat actors to execute arbitrary commands on FortiManager servers and devices through the FortiGate to FortiManager (FGFM) protocol API. This resulted in the exfiltration of sensitive configuration data from over 50 servers.

Earlier in October 2024, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) warned that threat actors were actively exploiting a critical vulnerability in several Fortinet devices, which was previously disclosed and patched in February 2024.

In June 2024, the Dutch Military Intelligence and Security Service (MIVD) advised that a China-linked threat actor leveraged another critical FortiOS RCE vulnerability, designated CVE-2022-42475. As a result, 20,000 FortiGate network security appliances were compromised with malware between 2022 and 2023.

The widespread deployment of Fortinet devices, coupled with the frequent discovery of vulnerabilities within them, makes them an attractive target for nation-state threat actors and cybercriminals alike. This is unlikely to change unless Fortinet significantly enhances its code review and proactive vulnerability discovery practices, as Ivanti did this year.

Mitigation

Field Effect’s Security Intelligence professionals constantly monitor the cyber threat landscape for vulnerabilities discovered in devices and software, including those developed by Fortinet. Field Effect MDR users are automatically notified if a vulnerable version of Fortinet software or device is detected in their environment and are encouraged to review these AROs as quickly as possible via the Field Effect Portal.

Field Effect strongly recommends that impacted users restrict internet access to affected VPNs to trusted IP addresses and monitor for suspicious activity until a patch is released.
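The two interim controls recommended above, restricting VPN access to trusted IP addresses and watching for suspicious login activity, can be partially automated on the monitoring side. The following script is an added example written for this article, not Field Effect's or Fortinet's code. It assumes a constructed, generic `key=value` login log format (not the FortiClient or FortiGate log schema), a trusted-network list drawn from RFC 5737 documentation ranges, and a failure threshold of three; all of these are assumptions to be replaced with your own values. It flags every login from outside the trusted ranges and any success that follows repeated failures from the same source, which is the pattern a credential stolen from memory and replayed from an attacker-controlled host would be most likely to produce.

```python
import ipaddress
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional, Tuple, Union

# Assumption: the organization's trusted egress ranges (constructed, RFC 5737 documentation space).
TRUSTED_NETWORKS = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("198.51.100.10/32"),
]
FAILURE_THRESHOLD = 3  # failures from one source before a later success is flagged

# Constructed, generic key=value log format; not the FortiClient/FortiGate log schema.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) vpn-login user=(?P<user>\S+) src=(?P<src>\S+) "
    r"result=(?P<result>success|failure)$"
)

IPAddress = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]


@dataclass(frozen=True)
class LoginEvent:
    ts: datetime
    user: str
    src_ip: IPAddress
    success: bool


def parse_line(line: str) -> Optional[LoginEvent]:
    """Parse one constructed-format log line; return None for lines we do not understand."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None  # malformed or unrelated line: skip rather than crash the monitor
    try:
        ip = ipaddress.ip_address(m["src"])
    except ValueError:
        return None  # unparseable source address
    ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
    return LoginEvent(ts=ts, user=m["user"], src_ip=ip, success=m["result"] == "success")


def is_trusted(ip: IPAddress) -> bool:
    """True if the source address falls inside any allow-listed network."""
    return any(ip in net for net in TRUSTED_NETWORKS)


def find_suspicious(lines) -> List[Tuple[str, LoginEvent]]:
    """Return (reason, event) pairs for logins that warrant review."""
    findings: List[Tuple[str, LoginEvent]] = []
    failures = defaultdict(int)  # consecutive failures per source address
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        if not is_trusted(ev.src_ip):
            findings.append(("untrusted_source", ev))
        if ev.success:
            if failures[ev.src_ip] >= FAILURE_THRESHOLD:
                findings.append(("success_after_failures", ev))
            failures[ev.src_ip] = 0  # a success resets the counter for that source
        else:
            failures[ev.src_ip] += 1
    return findings


# Constructed sample log: one trusted login, one brute-force-then-success from an
# untrusted address, one trusted login, and one junk line the parser must ignore.
SAMPLE_LOG = """\
2024-11-19T10:00:01Z vpn-login user=alice src=203.0.113.5 result=success
2024-11-19T10:02:14Z vpn-login user=bob src=192.0.2.77 result=failure
2024-11-19T10:02:20Z vpn-login user=bob src=192.0.2.77 result=failure
2024-11-19T10:02:27Z vpn-login user=bob src=192.0.2.77 result=failure
2024-11-19T10:02:40Z vpn-login user=bob src=192.0.2.77 result=success
2024-11-19T10:05:00Z vpn-login user=carol src=198.51.100.10 result=success
garbage line that should be ignored
"""

if __name__ == "__main__":
    for reason, ev in find_suspicious(SAMPLE_LOG.splitlines()):
        print(f"{ev.ts.isoformat()} {reason:24} user={ev.user} src={ev.src_ip}")
```

On the constructed sample this reports the three failures and the final success from 192.0.2.77 as untrusted, and additionally flags that success as following three failures; the logins from the allow-listed addresses produce nothing. The allow-list check is the monitoring counterpart of the access restriction itself, which belongs on the firewall or VPN gateway in front of the service, not in a log parser.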
