Fortinet has revealed a critical new security flaw in its FortiOS SSL VPN that it says will likely be exploited in the wild.
The vulnerability, CVE-2024-21762 (CVSS score: 9.6), allows execution of arbitrary code and commands.
“An out-of-bounds write vulnerability [CWE-787] in FortiOS may allow an unauthenticated, remote attacker to execute arbitrary code or command via specially crafted HTTP requests,” the company said in a bulletin published Thursday.
It also acknowledged that the problem is “potentially exploited in the wild,” without providing further details on how it is being weaponized and by whom.
The following versions are affected by the vulnerability. It is worth noting that FortiOS 7.6 is not affected.
- FortiOS 7.4 (versions 7.4.0 to 7.4.2): Upgrade to 7.4.3 or later
- FortiOS 7.2 (versions 7.2.0 to 7.2.6): Upgrade to 7.2.7 or later
- FortiOS 7.0 (versions 7.0.0 to 7.0.13): Upgrade to 7.0.14 or later
- FortiOS 6.4 (versions 6.4.0 to 6.4.14): Upgrade to 6.4.15 or later
- FortiOS 6.2 (versions 6.2.0 to 6.2.15): Upgrade to 6.2.16 or later
- FortiOS 6.0 (all versions): Migrate to a fixed release
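The affected ranges above are easy to misread when triaging a fleet of devices by hand (7.0.13 is affected, 7.0.14 is not; 6.0 has no in-branch fix at all). As an added example, not part of the original article or of any Fortinet tooling, the following Python helper encodes the advisory's ranges and classifies each entry in a constructed device inventory. It assumes version strings are reported as `v7.4.2` or `7.0.14 build0601`; the hostnames and versions in `SAMPLE_INVENTORY` are made up for the example.

```python
import re

# Affected branches from the advisory: (first affected, last affected, first fixed).
# FortiOS 6.0 has no fixed release in-branch; the guidance there is to migrate.
AFFECTED_RANGES = {
    (7, 4): ((7, 4, 0), (7, 4, 2), (7, 4, 3)),
    (7, 2): ((7, 2, 0), (7, 2, 6), (7, 2, 7)),
    (7, 0): ((7, 0, 0), (7, 0, 13), (7, 0, 14)),
    (6, 4): ((6, 4, 0), (6, 4, 14), (6, 4, 15)),
    (6, 2): ((6, 2, 0), (6, 2, 15), (6, 2, 16)),
    (6, 0): ((6, 0, 0), None, None),  # every 6.0 release: migrate
}

# Assumed input format: optional 'v' prefix, major.minor.patch, optional build suffix.
VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Parse 'v7.0.12' or '7.0.12 build1234' into (major, minor, patch); None if unparseable."""
    m = VERSION_RE.match(text.strip())
    if not m:
        return None
    return tuple(int(x) for x in m.groups())


def assess(version_text):
    """Return (status, recommendation) for one FortiOS version string.

    status is 'affected', 'fixed', 'not-listed' or 'unknown'.
    'not-listed' means the branch is absent from the advisory's affected list
    (the advisory states 7.6 is not affected); treat other unlisted branches
    with care rather than assuming they are safe.
    """
    v = parse_version(version_text)
    if v is None:
        return ("unknown", "could not parse version; verify manually")
    branch = v[:2]
    if branch not in AFFECTED_RANGES:
        return ("not-listed", "branch not in the advisory's affected list")
    low, high, fixed = AFFECTED_RANGES[branch]
    if high is None:
        return ("affected", "migrate to a fixed release")
    if low <= v <= high:  # tuple comparison orders (major, minor, patch) correctly
        return ("affected", "upgrade to %s or later" % ".".join(map(str, fixed)))
    return ("fixed", "running a fixed release")


# Constructed sample inventory (hostname, reported version); not real devices.
SAMPLE_INVENTORY = [
    ("fw-edge-01", "v7.4.2"),
    ("fw-edge-02", "v7.4.3"),
    ("fw-branch-07", "7.0.14 build0601"),
    ("fw-branch-09", "6.0.17"),
    ("fw-lab-01", "v7.6.0"),
    ("fw-old-03", "unknown"),
]


def triage(inventory):
    """Map each host to its (status, recommendation)."""
    return {host: assess(ver) for host, ver in inventory}


if __name__ == "__main__":
    for host, (status, why) in triage(SAMPLE_INVENTORY).items():
        print("%-14s %-11s %s" % (host, status, why))
```

The point of the `not-listed` status is to keep "not in the advisory" separate from "confirmed fixed": the two should be reviewed differently, and an unparseable version string is surfaced rather than silently skipped.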
The development comes as Fortinet released patches for CVE-2024-23108 and CVE-2024-23109, which impact the FortiSIEM supervisor, allowing an unauthenticated, remote attacker to execute unauthorized commands via crafted API requests.
Earlier this week, the Dutch government revealed that a computer network used by the military was infiltrated by Chinese state-sponsored actors by exploiting known flaws in Fortinet FortiGate devices to deliver a backdoor called COATHANGER.
The company, in a report published this week, disclosed that N-day security vulnerabilities in its software, such as CVE-2022-42475 and CVE-2023-27997, are being exploited by multiple activity clusters to target governments, service providers, consultancies, manufacturing and large critical infrastructure organisations.
Previously, Chinese threat actors have been linked to zero-day exploitation of security flaws in Fortinet equipment to deliver a wide range of implants, such as BOLDMOVE, THINCRUST, and CASTLETAP.
It also follows a US government warning about a Chinese state-sponsored group dubbed Volt Typhoon, which has targeted the country’s critical infrastructure for long-term, undetected persistence, exploiting known flaws and zero-days in network equipment such as that from Fortinet, Ivanti Connect Secure, NETGEAR, Citrix, and Cisco for initial access.
China, which has denied the allegations, has accused the United States of conducting its own cyberattacks.
If anything, the campaigns mounted by Chinese and Russian actors highlight the growing threat faced by internet-connected edge devices in recent years: such appliances do not support endpoint detection and response (EDR) agents, which makes them ripe for abuse.
“These attacks demonstrate the use of previously resolved and subsequent N-day vulnerabilities and living-off-the-land techniques, which are highly indicative of the behavior adopted by the cyber actor or group of actors known as Volt Typhoon, who used these methods to target critical infrastructure and potentially other adjacent actors,” Fortinet said.