Fortinet has revealed a critical security vulnerability in FortiOS SSL VPN, indicating it’s likely being actively exploited. Identified as CVE-2024-21762 with a severity score of 9.6, this flaw permits the execution of arbitrary code and commands.
According to Fortinet’s bulletin released on Thursday, the vulnerability, categorized under CWE-787, involves an out-of-bounds write vulnerability in FortiOS, enabling remote unauthenticated attackers to execute arbitrary code or commands through specifically crafted HTTP requests. The company acknowledges the potential exploitation of this issue in the wild, although specific details regarding the exploitation methods or perpetrators remain undisclosed.
The affected versions include FortiOS 7.4 (from 7.4.0 to 7.4.2), FortiOS 7.2 (from 7.2.0 to 7.2.6), FortiOS 7.0 (from 7.0.0 to 7.0.13), FortiOS 6.4 (from 6.4.0 to 6.4.14), FortiOS 6.2 (from 6.2.0 to 6.2.15), and all versions of FortiOS 6.0, except FortiOS 7.6, which remains unaffected.
This disclosure aligns with Fortinet’s recent issuance of patches for CVE-2024-23108 and CVE-2024-23109, affecting FortiSIEM supervisor, where remote unauthenticated attackers could execute unauthorized commands via manipulated API requests.
Moreover, reports from the Netherlands government earlier this week unveiled a breach in their armed forces’ computer network by Chinese state-sponsored actors, exploiting known vulnerabilities in Fortinet FortiGate devices to implant a backdoor named COATHANGER.
Fortinet’s report this week also highlights the exploitation of N-day vulnerabilities, such as CVE-2022-42475 and CVE-2023-27997, by various threat actors targeting governments, service providers, consultancies, manufacturing, and critical infrastructure entities.
Previous instances have linked Chinese threat actors to zero-day exploitation in Fortinet appliances, deploying various implants like BOLDMOVE, THINCRUST, and CASTLETAP. The advisory from the U.S. government concerning a Chinese nation-state group named Volt Typhoon emphasizes the exploitation of known and zero-day vulnerabilities in networking appliances, including those from Fortinet, Ivanti Connect Secure, NETGEAR, Citrix, and Cisco.
Despite China’s denial of allegations, accusations against the U.S. for conducting cyber attacks persist. These incidents underscore the significant threat posed by internet-facing edge devices, especially due to the absence of endpoint detection and response (EDR) support, making them vulnerable to abuse.
Fortinet states that these attacks typify the use of previously patched N-day vulnerabilities and subsequent living-off-the-land techniques, reminiscent of the tactics employed by the cyber actor or group known as Volt Typhoon, targeting critical infrastructure and potentially other associated entities.
Confirming the active exploitation, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2024-21762 to its Known Exploited Vulnerabilities (KEV) catalog on February 9, 2024. Federal Civilian Executive Branch (FCEB) agencies have been directed to apply the necessary fixes by February 16, 2024, to safeguard their networks against potential threats.