Active Exploitation of New Fortinet RCE Vulnerability Confirmed by CISA

February 9, 2024

The Cybersecurity and Infrastructure Security Agency (CISA) has verified that a critical remote code execution (RCE) vulnerability (CVE-2024-21762) in Fortinet's FortiOS system, which was recently fixed, is being actively exploited. This flaw, caused by an out-of-bounds write weakness, enables unauthenticated attackers to remotely execute arbitrary code via specially crafted HTTP requests. If administrators are unable to promptly install the security updates to patch the vulnerability on their devices, they can mitigate the threat by disabling SSL VPN on the device.

CISA's confirmation comes a day after Fortinet issued a security advisory suggesting that this flaw was possibly being exploited in the wild. Fortinet has not yet provided further details about potential CVE-2022-48618, but CISA has included this vulnerability in its Known Exploited Vulnerabilities Catalog. The agency has warned that such vulnerabilities are often exploited by cybercriminals, posing significant risks to federal enterprises.

In compliance with the binding operational directive (BOD 22-01) issued in November 2021, CISA has directed U.S. federal agencies to secure their FortiOS devices against this security bug within a week, by February 16.

Fortinet also fixed two other critical RCE vulnerabilities (CVE-2024-23108 and CVE-2024-23109) in its FortiSIEM solution this week. Initially, the company denied the existence of these CVEs, stating they were duplicates of a similar vulnerability (CVE-2023-34992) that was patched in October. However, after a confusing disclosure process, Fortinet admitted that these two CVEs were variants of the original CVE-2023-34992 bug.

These vulnerabilities were discovered and reported by Horizon3 vulnerability expert Zach Hanley. As these vulnerabilities can be exploited by remote unauthenticated attackers to execute arbitrary code on vulnerable devices, it is strongly recommended to secure all Fortinet devices as soon as possible.

Fortinet vulnerabilities, often zero-days, are frequently targeted for corporate network breaches in cyber espionage and ransomware attacks. For example, Fortinet reported that the Chinese Volt Typhoon hacking group used two FortiOS SSL VPN flaws (CVE-2022-42475 and CVE-2023-27997) in their attacks, deploying the Coathanger custom malware. Coathanger, a remote access trojan (RAT), targets Fortigate network security appliances and was recently used to infiltrate a military network of the Dutch Ministry of Defence.

Related News

Latest News

Like what you see?

Get a digest of headlines, vulnerabilities, risk context, and more delivered to your inbox.

Subscribe Below

By submitting this form, you’re giving us permission to email you. You may unsubscribe at any time.

Accelerate Security Teams

Continuously identify and prioritize the risks that are most critical in your environment, and validate that your remediation efforts are reducing risk. An always-on single source-of-truth of your assets, services, and vulnerabilities.