Today, the Cybersecurity and Infrastructure Security Agency (CISA) has confirmed the active exploitation of a critical remote code execution (RCE) vulnerability that was recently patched by Fortinet.
This Fortinet RCE bug, known as CVE-2024-21762, originates from an out-of-bounds write weakness within the FortiOS operating system. Exploiting this flaw allows unauthorized attackers to execute arbitrary code remotely by employing maliciously crafted HTTP requests.
Fortinet RCE bug Details According to Fortinet
In situations where immediate deployment of security updates is not possible, administrators can mitigate the risk by disabling SSL VPN on the affected devices, thus eliminating the attack vector.
CISA’s announcement regarding the active exploitation of the vulnerability aligns with Fortinet’s security advisory, which stated that the flaw was potentially being exploited in real-world scenarios.
Although Fortinet has not disclosed specific details about the vulnerability (CVE-2022-48618), CISA has included it in its Known Exploited Vulnerabilities Catalog. The agency warns that such vulnerabilities are commonly targeted by malicious cyber actors and pose significant risks to federal organizations.
In line with the binding operational directive (BOD 22-01) issued in November 2021, CISA has directed U.S. federal agencies to secure their FortiOS devices against this security bug within seven days, by February 16.
Fortinet RCE Vulnerability Disclosure Leads to Confusion
Fortinet recently addressed two critical remote code execution (RCE) vulnerabilities, namely CVE-2024-23108 and CVE-2024-23109, in its FortiSIEM solution.
Initially, the company denied the authenticity of these vulnerabilities and suggested that they were duplicates of a previously resolved flaw (CVE-2023-34992) from October. However, Fortinet’s disclosure process was unclear and caused confusion.
The company initially claimed that the CVEs were mistakenly generated due to an API issue and were duplicates of the earlier vulnerability.
Subsequent information revealed that the bugs were identified and reported by Zach Hanley, a vulnerability expert from Horizon3. Eventually, Fortinet acknowledged that the two CVEs were variations of the original CVE-2023-34992 bug.
Considering that these Fortinet RCE bugs allow remote unauthenticated attackers to execute arbitrary code on vulnerable devices, it is highly recommended to promptly secure all Fortinet devices. Fortinet vulnerabilities, often exploited as zero-day vulnerabilities, are frequently targeted in cyber espionage campaigns and ransomware attacks to breach corporate networks.
An example of Fortinet vulnerabilities being exploited is the recent disclosure by Fortinet itself. They revealed that the Chinese hacking group known as Volt Typhoon utilized two FortiOS SSL VPN vulnerabilities, specifically CVE-2022-42475 and CVE-2023-27997, in their attacks.
These exploits were used to deploy a custom malware called Coathanger. Coathanger is a remote access trojan (RAT) that targets Fortigate network security appliances. Disturbingly, this malware was recently employed to create a backdoor in the military network of the Dutch Ministry of Defence.