Fortinet has advised users to immediately patch an N-day vulnerability in its systems being potentially exploited in the wild to carry out remote code execution (RCE) attacks.
Tracked as CVE-2024-21762, the flaw has a âcriticalâ severity rating with a CVSS score of 9.6 and allows a remote unauthenticated actor to execute arbitrary commands by specially crafted HTTP requests.
While the company did not share more details on the bugâs exploitation, a Fortinet report published a day before emphasized the importance of patching a few known vulnerabilities as they have been actively exploited by a China-backed espionage campaign.
âThe best defense against any N-Day vulnerability is following good cyber hygiene, including remediation guidance and timely patching,â Fortinet said in the report. âThe complexity of the exploit suggests an advanced actor, and the fact the attacks are highly targeted at governmental or strategic targets such as critical national infrastructure, manufacturing, and service providers in government-adjacent industries suggests nation-state capability.â
âN-dayâ refers to known vulnerabilities with available patches that have not been applied by organizations, leaving them open to exploitation.
Immediate patching or a workaround is advised
Attackers are likely exploiting the âout-of-bounds writeâ vulnerability in the Secure Socket Layer Virtual Private Network (SSL VPN) service within the Fortinet operating system FortiOS, according to the company.
SSL VPNs are trusted secure connections to private organization networks. A vulnerability like CVE-2024-21762 allows attackers to access and exploit systems on these secure channels.
The vulnerability affects FortiOS versions 7.4 (before 7.4.2), 7.2 (before 7.2.6), 7.0 (before 7.0.13), 6.4 (before 6.4.14), 6.2 (before 6.2.15), 6.0 (all versions). While patches have been rolled out with the successive releases of Fortinet versions 6.2, 6.4, 7.0, 7.2, and 7.4 have reached the end of support, version 7.6 is not affected by the vulnerability.
Users unable to upgrade to patched versions are advised to disable SSL VPN as a workaround.
Fortinet has warned against one more critical vulnerability (CVSS 9.8), with no known exploitations yet, tracked under CVE-2024-23113 that also allows remote code execution (RCE) by using the âexternally-controlled format string vulnerabilityâ in the FortiOS fgfmd daemon, another secure connection authentication module.
Fortinet warns against nation-state exploitations
In the report, Fortinet underlined the tactics, techniques, and procedures (TTPs) used by China-backed threat actor, Volt Typhoon, to exploit Fortinetâs known bugs to gain initial access to target systems.
The company revealed that Chinese hackers likely exploited Fortinet N-days disclosed in December 2022 (CVE-2022-42475), and June 2023 (CVE-2023-27997) for targeting critical infrastructure organizations, as the incident investigation revealed the use of living-of-the-land (LOTL) binaries consistent with Volt Typhoonâs TTPs.
The attribution was confirmed by a cybersecurity infrastructure security agency (CISA) advisory issued the same day as the Fortinet report.
Use of Fortinet flaws by Volt Typhoon is among the many techniques the Peopleâs Republic of China (PRC) has been using to hack into critical US systems, according to Cynthia Kaiser, deputy assistant director for the FBIâs cybersecurity division, as cited by The Register.
The FBI reportedly submitted a request last week to renew Section 702 of the Foreign Intelligence Surveillance Act (FISA), which allows federal officers to spy on foreignersâ overseas electronic communications.