The Cybersecurity and Infrastructure Security Agency (CISA) recently issued a warning to users regarding critical vulnerabilities in Fortinet products. These vulnerabilities are commonly targeted by the Chinese nation-state threat group Volt Typhoon. The agency emphasized that one of the flaws is already being exploited in the wild, posing a serious threat to organizations and individuals using affected devices.
Fortinet released two advisories outlining the critical vulnerabilities. One of these is an out-of-bounds zero-day vulnerability, known as CVE-2024-21762, and the second is CVE-2024-23113, which Fortinet described as a “use of externally-controlled format string vulnerability.” Both vulnerabilities impact FortiOS and have the potential to allow an unauthenticated attacker to execute remote code or commands on an affected device.
While Fortinet indicated that CVE-2024-21762 was “potentially” under attack, CISA went a step further and added the flaw to its Known Exploited Vulnerabilities catalog based on evidence of active exploitation. Federal agencies are required to prioritize dealing with any vulnerabilities listed in the catalog. Furthermore, CISA published an advisory urging users and administrators to apply mitigations for both Fortinet vulnerabilities, emphasizing the urgency of addressing these critical issues.
The advisory from CISA and Fortinet came shortly after U.S. government agencies issued warnings about the threat posed by Volt Typhoon. The agencies reported that Volt Typhoon had compromised U.S. critical infrastructure organizations and maintained access in some victims’ IT environments for at least five years. This situation raised concerns that the threat group is preparing to launch potentially disruptive attacks in the event of a major conflict with the U.S. As a result, enterprises were urged to take immediate action to mitigate vulnerabilities in the commonly targeted devices used for initial access.
In addition to Fortinet products, Ivanti was mentioned as another vendor with frequently targeted products. A disclosed flaw, tracked as CVE-2024-22024, in its Ivanti Connect Secure product was also flagged as a potential target for exploitation, further adding to the urgency of addressing these security concerns.
CVE-2024-21762 affects Fortinet’s FortiProxy secure web gateway and FortiOS software, both of which are popular targets for exploitation. This is not the first time Fortinet has had to address critical vulnerabilities in its products: a previous SSL VPN vulnerability (CVE-2023-27997) was also flagged as potentially being under attack by Volt Typhoon. The latest flaw affects several FortiOS versions between 6.0 and 7.4.2, and users are advised to upgrade to the fixed versions, 7.4.3 or higher, in order to mitigate the risk.
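To turn the version guidance above into a repeatable check, here is an added example (not code from the article, CISA or Fortinet) that triages a constructed device inventory: it flags FortiOS versions inside the range the article gives for CVE-2024-21762 (6.0 through 7.4.2, fixed in 7.4.3 or higher) and lists internet-exposed SSL VPN instances first, since those are the publicly exposed instances the article singles out. The inventory fields, hostnames, version strings and build numbers are assumptions constructed for the example; the exact per-branch fixed builds come from Fortinet’s advisory.

```python
# Added example (not from the article or Fortinet): triage a constructed
# FortiOS inventory against the version range the article states for
# CVE-2024-21762 (6.0 through 7.4.2; upgrade to 7.4.3 or higher).
import re
from typing import List, NamedTuple, Optional, Tuple

AFFECTED_LOW = (6, 0, 0)   # article: affected versions start at 6.0 ...
FIRST_FIXED = (7, 4, 3)    # ... run through 7.4.2; 7.4.3 or higher is fixed


class Device(NamedTuple):
    host: str
    product: str       # "FortiOS" is the product the stated range applies to
    version: str       # as reported by the device, e.g. "v7.2.5,build1111"
    vpn_exposed: bool  # assumed inventory field: SSL VPN reachable from the internet


VERSION_RE = re.compile(r"v?(\d+)\.(\d+)(?:\.(\d+))?")


def parse_version(text: str) -> Optional[Tuple[int, int, int]]:
    """Extract (major, minor, patch) from a FortiOS-style version string."""
    m = VERSION_RE.search(text)
    if not m:
        return None
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def in_affected_range(version: str) -> bool:
    """True when the version falls inside the article's affected range."""
    v = parse_version(version)
    return v is not None and AFFECTED_LOW <= v < FIRST_FIXED


def triage(inventory: List[Device]) -> List[Tuple[str, str, str]]:
    """Return (host, priority, action) for FortiOS devices needing the upgrade;
    P1 = SSL VPN exposed to the internet, P2 = affected but not exposed."""
    findings = []
    for d in inventory:
        if d.product != "FortiOS" or not in_affected_range(d.version):
            continue
        prio = "P1" if d.vpn_exposed else "P2"
        findings.append((d.host, prio, "upgrade to FortiOS 7.4.3 or higher"))
    findings.sort(key=lambda f: (f[1], f[0]))
    return findings


# Constructed sample inventory; hostnames, versions and builds are made up.
SAMPLE = [
    Device("fw-edge-01", "FortiOS", "v7.2.5,build1111", True),
    Device("fw-core-02", "FortiOS", "v7.4.3,build2222", False),
    Device("fw-lab-03", "FortiOS", "v6.4.9,build3333", False),
    Device("switch-01", "FortiSwitch", "v7.2.4", False),
]

if __name__ == "__main__":
    for host, prio, action in triage(SAMPLE):
        print(f"{prio} {host}: {action}")
```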
CVE-2024-23113 affects FortiOS’ FortiGate to FortiManager daemon protocol, which is used to help secure network devices. Users are urged to upgrade to a fixed release as a means of mitigation.
In light of these developments, Wiz threat researcher Merav Bar emphasized the urgency of patching the vulnerabilities covered by the recent advisories. Reports suggest that approximately 8% of cloud environments have resources vulnerable to these flaws, while 5% have publicly exposed instances, making the need for immediate action more critical.
As these critical vulnerabilities continue to be exploited in the wild, it is increasingly important for organizations to prioritize security updates and mitigations to protect against potential threats. The collaboration between government agencies, vendors, and threat researchers is essential in addressing these vulnerabilities and safeguarding critical infrastructure.