Fortinet urges patching N-day bug amid ongoing nation-state exploitation

SSL VPNs are trusted secure connections to private organization networks. A vulnerability like CVE-2024-21762 allows attackers to access and exploit systems on these secure channels.

The vulnerability affects FortiOS versions 7.4 (before 7.4.2), 7.2 (before 7.2.6), 7.0 (before 7.0.13), 6.4 (before 6.4.14), 6.2 (before 6.2.15), and 6.0 (all versions). While patches have been rolled out with the successive releases of Fortinet versions 6.2, 6.4, 7.0, 7.2, and 7.4 have reached the end of support, version 7.6 is not affected by the vulnerability.

Users unable to upgrade to patched versions are advised to disable SSL VPN as a workaround.
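For triaging a fleet against the affected ranges listed above, the following is an added example (not code from Fortinet or from this article). The inventory, host names and the accepted `vX.Y.Z` input format are assumptions made for illustration.

```python
import re

# First fixed release per branch, taken from the affected-version list above.
# None: the article lists every release of that branch as affected.
FIRST_FIXED = {
    (7, 4): (7, 4, 2), (7, 2): (7, 2, 6), (7, 0): (7, 0, 13),
    (6, 4): (6, 4, 14), (6, 2): (6, 2, 15), (6, 0): None,
}
UNAFFECTED_BRANCHES = {(7, 6)}  # stated as not affected in the article
VERSION_RE = re.compile(r"v?(\d+)\.(\d+)\.(\d+)")  # assumed input format


def classify(version):
    """Return (status, next_step) for one FortiOS version string."""
    m = VERSION_RE.fullmatch(version.strip())
    if not m:
        return "unparseable", "check the version by hand"
    # Compare as integer tuples: as strings, "7.0.9" sorts after "7.0.13".
    ver = tuple(int(part) for part in m.groups())
    branch = ver[:2]
    if branch in UNAFFECTED_BRANCHES:
        return "not_affected", "none"
    if branch not in FIRST_FIXED:
        return "unlisted", "branch not covered by the article; check the vendor advisory"
    fixed = FIRST_FIXED[branch]
    if fixed is None:
        return "affected", "no fixed release listed for this branch; disable SSL VPN"
    if ver < fixed:
        target = ".".join(map(str, fixed))
        return "affected", f"upgrade to {target} or later, or disable SSL VPN"
    return "patched", "none"


def triage(inventory):
    """Return only the hosts that need attention, with their next step."""
    findings = []
    for host, version in inventory:
        status, step = classify(version)
        if status not in ("patched", "not_affected"):
            findings.append((host, version, status, step))
    return findings


# Constructed inventory: host names and versions are made up for the example.
INVENTORY = [
    ("fw-edge-01", "7.0.9"), ("fw-edge-02", "v7.4.2"), ("fw-lab-01", "6.0.18"),
    ("fw-dc-01", "7.6.0"), ("fw-old-01", "5.6.14"), ("fw-br-01", "7.2"),
]

if __name__ == "__main__":
    for row in triage(INVENTORY):
        print(*row, sep=" | ")
```

Versions the article does not cover, and strings without a patch level, are reported for manual review rather than silently treated as safe.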

Fortinet has also warned of one more critical vulnerability (CVSS 9.8), tracked as CVE-2024-23113, with no known exploitation yet. It also allows remote code execution (RCE), through an “externally-controlled format string vulnerability” in the FortiOS fgfmd daemon, another secure connection authentication module.

Fortinet warns against nation-state exploitations

In the report, Fortinet underlined the tactics, techniques, and procedures (TTPs) used by the China-backed threat actor Volt Typhoon to exploit Fortinet’s known bugs and gain initial access to target systems.

The company revealed that Chinese hackers likely exploited Fortinet N-days disclosed in December 2022 (CVE-2022-42475) and June 2023 (CVE-2023-27997) to target critical infrastructure organizations, as the incident investigation revealed the use of living-off-the-land (LOTL) binaries consistent with Volt Typhoon’s TTPs.
