TLDR:
- The US Cybersecurity and Infrastructure Security Agency (CISA) has confirmed that a “critical” vulnerability in Fortinet’s FortiOS is being actively exploited in attacks.
- The vulnerability, tracked as CVE-2024-21762, is a remote code execution flaw that has received a severity score of 9.6 out of 10.0.
- Fortinet has released patches for the vulnerability, which affects multiple versions of FortiOS.
- CISA’s disclosure of the exploitation follows the revelation that China-linked threat group Volt Typhoon has been exploiting network appliances from various vendors, including Fortinet.
The US Cybersecurity and Infrastructure Security Agency (CISA) has confirmed that a “critical” vulnerability affecting multiple versions of Fortinet’s FortiOS is being actively exploited in attacks. The vulnerability, a remote code execution flaw tracked as CVE-2024-21762, has received a severity score of 9.6 out of 10.0. Fortinet had previously issued an advisory stating that the vulnerability was potentially being exploited in the wild; however, that advisory has not been updated to reflect CISA’s confirmation.
CISA warned that a cyber threat actor could exploit the vulnerability to take control of an affected system. The agency also mentioned a second remote code execution flaw in FortiOS, tracked as CVE-2024-23313. Fortinet did not specifically comment on the exploitation of the vulnerability but emphasized its commitment to customer security and its collaboration with researchers.
Fortinet released patches for the critical remote code execution vulnerability on Thursday. The vulnerability affects multiple versions of FortiOS, including 7.4, 7.2, 7.0, 6.4, 6.2, and 6.0. Mayuresh Dani, manager for security research at cybersecurity firm Qualys, noted that the exploit code’s maturity is ranked as “high” and suggested that a proof-of-concept disclosure may be imminent given the seriousness of the vulnerability.
The exploitation of this critical FortiOS vulnerability follows the disclosure by CISA and other federal agencies that the China-linked threat group Volt Typhoon has been exploiting network appliances from several vendors, including Fortinet. Volt Typhoon likely gained initial access to networks by exploiting a different, unpatched vulnerability in a Fortinet firewall. In response to the agencies’ advisory, Fortinet emphasized the importance of organizations having a robust patch management program and following best practices for a secure infrastructure. Other vendors frequently targeted by Volt Typhoon include Ivanti, Cisco, Netgear, and Citrix.
In conclusion, CISA’s confirmation of active exploitation of a critical FortiOS vulnerability highlights the need for organizations to stay vigilant with patch management and follow best practices in order to maintain a secure infrastructure. The involvement of the China-linked threat group Volt Typhoon underscores the ongoing threat posed by sophisticated threat actors.