‘Critical’ Fortinet FortiOS Vulnerability Seeing Exploitation: CISA

The cybersecurity agency confirmed that the remote code execution flaw, which impacts numerous versions of the Fortinet operating system, has been exploited in attacks.

A “critical” vulnerability impacting numerous versions of Fortinet’s FortiOS is seeing active exploitation in attacks, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) said Friday.

The CISA confirmation followed Fortinet’s advisory Thursday disclosing the remote code execution flaw. Fortinet indicated at the time that the vulnerability was “potentially being exploited in the wild.” As of this writing, the Fortinet advisory had not been updated to reflect CISA’s findings.

The out-of-bound write vulnerability in FortiOS (tracked at CVE-2024-21762) has received a rating of “critical,” with a severity score of 9.6 out of 10.0. The vulnerability was added to CISA’s catalog of vulnerabilities known to have seen exploitation in the wild Friday.

“A cyber threat actor could exploit these vulnerabilities to take control of an affected system,” CISA said in an earlier advisory Friday, referring to the now-exploited vulnerability and a second remote code execution flaw in FortiOS (tracked at CVE-2024-23313).

Fortinet did not provide a specific comment about exploitation of the vulnerability in response to CRN questions Friday. The network security vendor said in the statement that it “balances our commitment to the security of our customers and our culture of researcher collaboration and transparency.”

“Timely and ongoing communications with customers is a key component in our efforts to help protect and secure their organization and we proactively communicated to customers via Fortinet’s PSIRT Advisory process, advising them to follow the guidance provided,” the company said.

Fortinet released patches for the critical remote code execution vulnerability on Thursday. The vulnerability affects many versions of FortiOS 7.4, 7.2, 7.0, 6.4, 6.2 and 6.0.

The maturity of exploit code is ranked as “high” in the vendor-supplied scoring for the vulnerability, noted Mayuresh Dani, manager for security research at cybersecurity firm Qualys.

“Given all these facts and the way Fortinet itself has characterized the vulnerability, it may be trivial to exploit this vulnerability and [suggests] a proof-of-concept disclosure is imminent,” Dani said in an email Friday.

Notably, user interaction is not required for exploitation, Dani said, “and there is no mention of how this vulnerability was discovered — internally or via external reports.”

Network Device Attacks

The exploitation of the critical FortiOS vulnerability follows a disclosure by CISA and other federal agencies this week revealing that China-linked threat group Volt Typhoon has been known to exploit network appliances from several vendors including Fortinet. In one example of a “confirmed compromise” shared by the U.S. agencies, Volt Typhoon “likely obtained initial access by exploiting CVE-2022-42475 in a network perimeter FortiGate 300D firewall that was not patched.”

Fortinet released a blog post to coincide with the U.S. agencies’ advisory Wednesday, which pointed to “the need for organizations to have a robust patch management program in place and to follow best practices to ensure a secure infrastructure.”

Other vendors named as frequent Volt Typhoon targets were Ivanti — whose Connect Secure VPN devices have seen widespread exploitation by attackers over the past month — as well as Cisco, NetGear and Citrix.