Active Exploitation of New Fortinet RCE Vulnerability Confirmed by CISA
February 9, 2024
The Cybersecurity and Infrastructure Security Agency (CISA) has verified that a critical remote code execution (RCE) vulnerability (CVE-2024-21762) in Fortinet's FortiOS system, which was recently fixed, is being actively exploited. This flaw, caused by an out-of-bounds write weakness, enables unauthenticated attackers to remotely execute arbitrary code via specially crafted HTTP requests. If administrators are unable to promptly install the security updates to patch the vulnerability on their devices, they can mitigate the threat by disabling SSL VPN on the device.
CISA's confirmation comes a day after Fortinet issued a security advisory suggesting that this flaw was possibly being exploited in the wild. Fortinet has not yet provided further details about potential CVE-2022-48618, but CISA has included this vulnerability in its Known Exploited Vulnerabilities Catalog. The agency has warned that such vulnerabilities are often exploited by cybercriminals, posing significant risks to federal enterprises.
In compliance with the binding operational directive (BOD 22-01) issued in November 2021, CISA has directed U.S. federal agencies to secure their FortiOS devices against this security bug within a week, by February 16.
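Tracking catalog entries against the BOD 22-01 due date is the routine a federal or enterprise team runs after an addition like this. The script below is an added example, not from the article or from CISA: it parses a constructed subset of the KEV feed's JSON shape (cveID, vendorProject, product, dateAdded, dueDate) and lists a vendor's entries with days remaining; only the CVE-2024-21762 row takes its dates from the article, the other rows' values are constructed.

```python
"""Triage CISA KEV entries for one vendor and compute BOD 22-01 deadlines."""
from datetime import date
import json

# Constructed sample in the shape of CISA's known_exploited_vulnerabilities.json
# (assumption: field names as in the public feed; only the first row's dates
# come from the article, the rest are constructed for offline use).
KEV_SAMPLE = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-2024-21762", "vendorProject": "Fortinet", "product": "FortiOS",
     "dateAdded": "2024-02-09", "dueDate": "2024-02-16"},
    {"cveID": "CVE-2023-27997", "vendorProject": "Fortinet", "product": "FortiOS",
     "dateAdded": "2023-06-13", "dueDate": "2023-07-04"},
    {"cveID": "CVE-0000-00000", "vendorProject": "ExampleVendor", "product": "ExampleProduct",
     "dateAdded": "2024-02-01", "dueDate": "2024-02-22"},
]})


def parse_kev(raw):
    """Return the list of vulnerability records from a KEV JSON document."""
    return json.loads(raw)["vulnerabilities"]


def triage(raw, vendor, today):
    """Return (cveID, product, dueDate, days_left) for `vendor`, soonest deadline first.

    days_left is negative once the BOD 22-01 due date has already passed.
    """
    rows = []
    for rec in parse_kev(raw):
        if rec["vendorProject"].lower() != vendor.lower():
            continue
        due = date.fromisoformat(rec["dueDate"])
        rows.append((rec["cveID"], rec["product"], rec["dueDate"], (due - today).days))
    return sorted(rows, key=lambda r: r[3])


def overdue(raw, vendor, today):
    """CVE IDs for `vendor` whose remediation deadline has passed as of `today`."""
    return [r[0] for r in triage(raw, vendor, today) if r[3] < 0]


if __name__ == "__main__":
    # Run as of the article's date to see the seven-day window for CVE-2024-21762.
    for row in triage(KEV_SAMPLE, "Fortinet", date(2024, 2, 9)):
        print(*row)
    print("overdue:", overdue(KEV_SAMPLE, "Fortinet", date(2024, 2, 9)))
```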
Fortinet also fixed two other critical RCE vulnerabilities (CVE-2024-23108 and CVE-2024-23109) in its FortiSIEM solution this week. Initially, the company denied the existence of these CVEs, stating they were duplicates of a similar vulnerability (CVE-2023-34992) that was patched in October. However, after a confusing disclosure process, Fortinet admitted that these two CVEs were variants of the original CVE-2023-34992 bug.
These vulnerabilities were discovered and reported by Horizon3 vulnerability expert Zach Hanley. As these vulnerabilities can be exploited by remote unauthenticated attackers to execute arbitrary code on vulnerable devices, it is strongly recommended to secure all Fortinet devices as soon as possible.
Fortinet vulnerabilities, often zero-days, are frequently targeted for corporate network breaches in cyber espionage and ransomware attacks. For example, Fortinet reported that the Chinese Volt Typhoon hacking group used two FortiOS SSL VPN flaws (CVE-2022-42475 and CVE-2023-27997) in their attacks, deploying the Coathanger custom malware. Coathanger, a remote access trojan (RAT), targets Fortigate network security appliances and was recently used to infiltrate a military network of the Dutch Ministry of Defence.