Fortinet has disclosed a critical heap-based buffer overflow in the SSL-VPN component of its FortiOS and FortiProxy software. The flaw is reachable by a remote attacker without valid credentials and can be used to execute code on the device, which in the case of a FortiGate firewall means control of the gateway between the internet and the internal network. The vendor published an advisory warning of the bug, and security researchers believe attackers may already be using it against government and critical infrastructure organizations. Fortinet has advised customers to update their firmware immediately.
The flaw was reported by the French infosec consultancy Lexfo, which found it, along with six other vulnerabilities, while auditing the code around a previously disclosed zero-day that was exploited in December 2022. The most serious of them, CVE-2023-27997, gives attackers remote code execution. In a blog post, Carl Windsor, senior vice president of product technology and solutions at Fortinet, stated that “Our investigation found that one issue (FG-IR-23-097) may have been exploited in a limited number of cases and we are working closely with customers to monitor the situation.”
The vulnerability sits in the SSL-VPN service of FortiGate firewalls running FortiOS and of FortiProxy, and a compromised edge device exposes the business, its customers and its business partners alike. Fortinet said corrective action is required immediately and that updating to a fixed firmware release is the remedy. Devices on which SSL-VPN is not enabled are not exposed to this flaw, so turning SSL-VPN off until the update can be applied removes the attack surface in the meantime; the update is still needed, because the vulnerable code remains on the device. While Fortinet said it has not observed the Volt Typhoon campaign exploiting CVE-2023-27997, the vendor expects threat actors, including that group, to go after the flaw while devices remain unpatched.
Volt Typhoon is a Chinese state-sponsored threat group that runs cyber espionage campaigns aimed at gaining access to United States critical infrastructure. Microsoft Threat Intelligence warned of the campaign earlier this year, reporting that the group obtained initial access through internet-facing Fortinet FortiGuard devices; Fortinet associated that activity with CVE-2022-40684, an authentication bypass in FortiOS.
Fortinet recommends that all customers patch their systems immediately and also review their device logs for evidence of exploitation of CVE-2022-40684, the flaw observed in last year's Volt Typhoon campaign, since a device that was compromised through that bug stays compromised after it is patched. Fortinet has also been criticized for a lack of transparency by Rapid7 President Andrew Burton, who stated that “The company has a history of issuing security patches prior to disclosing critical vulnerabilities. Presumably, this policy is meant to give customers time to update their devices before threat actors exploit flaws, but in practice, it gives attackers a head start on attack development while keeping vulnerable organizations in the dark.”
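The log review Fortinet recommends above, as an added example that is not code from the article or from Fortinet: a small scanner for FortiOS event logs. It assumes the FortiOS log format of space-separated key=value pairs with values double-quoted when they contain spaces, and it searches for the indicator Fortinet's advisory for CVE-2022-40684 told customers to look for, entries with user="Local_Process_Access", the pseudo-user under which the exploit's configuration changes were recorded. The ui values "Node.js" and "Report Runner" were reported in public analyses of the exploit and are treated here as supporting context only, which is an assumption, not a required condition. The sample log lines are constructed for the example and are not real device output.

```python
"""
Scanner for the log review Fortinet recommends for CVE-2022-40684.

Added example: this is not code from the article or from Fortinet. It assumes
the FortiOS event-log format (space-separated key=value pairs, values quoted
when they contain spaces) and uses the indicator Fortinet's advisory for the
flaw told customers to search for: entries with user="Local_Process_Access",
the pseudo-user under which the exploit's configuration changes were logged.
The ui values "Node.js" and "Report Runner" come from public analyses of the
exploit and are treated here as supporting context only (assumption), not as
a required condition. The sample log lines are constructed for this example.
"""
import re
from typing import Dict, Iterable, List

# One key=value pair; the value is either double-quoted (may contain spaces)
# or a bare token. Quoted values are consumed whole, so "k=v" text inside a
# quoted msg= field is not mistaken for a separate field.
_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Indicator published by Fortinet for CVE-2022-40684.
IOC_USER = "Local_Process_Access"
# ui values reported alongside that indicator in public exploit analyses.
SUSPECT_UI = {"Node.js", "Report Runner"}


def parse_fortios_line(line: str) -> Dict[str, str]:
    """Parse one FortiOS key=value log line into a dict."""
    return {key: quoted or bare for key, quoted, bare in _KV.findall(line)}


def find_cve_2022_40684_hits(lines: Iterable[str]) -> List[Dict[str, object]]:
    """Return every event whose user field matches the published indicator."""
    hits: List[Dict[str, object]] = []
    for line in lines:
        event = parse_fortios_line(line)
        if event.get("user") != IOC_USER:
            continue
        hits.append({
            "date": event.get("date", ""),
            "time": event.get("time", ""),
            "action": event.get("action", ""),
            "ui": event.get("ui", ""),
            # True when the ui value matches the publicly reported exploit UAs.
            "ui_suspect": event.get("ui") in SUSPECT_UI,
            "cfgpath": event.get("cfgpath", ""),
            "msg": event.get("msg", ""),
        })
    return hits


def scan_text(text: str) -> List[Dict[str, object]]:
    """Convenience wrapper: scan a whole log file held as a string."""
    return find_cve_2022_40684_hits(text.splitlines())


# Constructed sample: two ordinary admin events, then two events in the shape
# of the published indicator (one adding an SSH key to an admin account, one
# creating a new admin). Field values are illustrative, not real device output.
SAMPLE_LOG = """\
date=2022-10-12 time=09:14:03 type="event" subtype="system" level="information" vd="root" logdesc="Object attribute configured" user="admin" ui="https(10.0.0.5)" action="Edit" cfgpath="system.interface" cfgobj="port1" msg="Edit system.interface port1"
date=2022-10-12 time=09:15:21 type="event" subtype="system" level="information" vd="root" logdesc="Admin login successful" user="admin" ui="https(10.0.0.5)" method="https" srcip=10.0.0.5 dstip=10.0.0.1 action="login" status="success" msg="Administrator admin logged in successfully from https(10.0.0.5)"
date=2022-10-12 time=09:18:44 type="event" subtype="system" level="information" vd="root" logdesc="Object attribute configured" user="Local_Process_Access" ui="Report Runner" action="Edit" cfgpath="system.admin" cfgobj="admin" cfgattr="ssh-public-key1[ssh-rsa AAAA EXAMPLE]" msg="Edit system.admin admin"
date=2022-10-12 time=09:19:02 type="event" subtype="system" level="information" vd="root" logdesc="Object configured" user="Local_Process_Access" ui="Node.js" action="Add" cfgpath="system.admin" cfgobj="helpdesk" msg="Add system.admin helpdesk"
"""

if __name__ == "__main__":
    for hit in scan_text(SAMPLE_LOG):
        flag = "ui-match" if hit["ui_suspect"] else "ui-other"
        print(f'{hit["date"]} {hit["time"]} {flag} {hit["action"]} '
              f'{hit["cfgpath"]} {hit["msg"]}')
```

Run it against an exported event log instead of SAMPLE_LOG by reading the file and passing its contents to scan_text. Any hit is worth investigating: the indicator is a configuration change made under a pseudo-user that an interactive administrator never appears as, so the follow-up is to check what was added (new admin accounts, SSH keys on existing admins, changed firewall or VPN settings) and to treat the device as compromised until that is explained, regardless of whether the ui value matches.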
In the current climate of accelerating attacks, businesses need to patch vulnerabilities promptly, and above all on internet-facing edge devices such as VPN gateways and firewalls, which attackers target precisely because compromising one yields a foothold inside the network. Doing so protects the company's customers and business partners as well as the company itself.
Arielle Waldman, a Boston-based reporter for enterprise security news, said, “With ever-increasing threats to business enterprises’ information systems, it is crucial that they adopt a proactive approach to stay on top of cyber vulnerabilities, eliminating the potential for exploitation by offenders. A well-structured cybersecurity management system is essential. Unpatched systems are easy prey for cybercriminals, who take advantage of the vulnerabilities in the system, exfiltrate data, and wreak havoc on the business’s network. Therefore, timely updates and patching of vulnerabilities should be a top priority for organizations to keep their systems secure.”