New Fortinet RCE bug is actively exploited, CISA confirms

CISA confirmed today that attackers are actively exploiting a critical remote code execution (RCE) bug patched by Fortinet on Thursday.

The flaw (CVE-2024-21762) is due to an out-of-bounds write weakness in the FortiOS operating system and the FortiProxy secure web proxy that can let unauthenticated attackers execute arbitrary code remotely using maliciously crafted HTTP requests.

Admins who can't immediately deploy security updates to patch vulnerable appliances can remove the attack vector by disabling SSL VPN on the device.

CISA's announcement comes one day after Fortinet published a security advisory saying the flaw was "potentially being exploited in the wild."

While the company has yet to share more details regarding CVE-2024-21762 exploitation, CISA has added the vulnerability to its Known Exploited Vulnerabilities Catalog, warning that such bugs are "frequent attack vectors for malicious cyber actors" posing "significant risks to the federal enterprise."

The cybersecurity agency also ordered U.S. federal agencies to secure FortiOS and FortiProxy devices against this security bug within seven days, by February 16, as required by the binding operational directive (BOD 22-01) issued in November 2021.

Confusing disclosures

Fortinet patched two other critical RCE vulnerabilities (CVE-2024-23108 and CVE-2024-23109) in its FortiSIEM solution this week.

Initially, the company denied that the CVEs were real and claimed they were duplicates of a similar flaw (CVE-2023-34992) fixed in October.

However, Fortinet's disclosure process was very confusing, with the company first denying the CVEs were real and claiming they were mistakenly generated due to an API issue as duplicates of a similar flaw (CVE-2023-34992) fixed in October.

As later revealed, the bugs were discovered and reported by Horizon3 vulnerability expert Zach Hanley, with the company eventually admitting the two CVEs were variants of the original CVE-2023-34992 bug.

Since remote unauthenticated attackers can use these vulnerabilities to execute arbitrary code on vulnerable appliances, it's strongly advised to secure all Fortinet devices as soon as possible immediately.

Fortinet flaws (many times as zero-days) are commonly targeted to breach corporate networks in cyber espionage campaigns and ransomware attacks.

For instance, Fortinet said on Wednesday that the Chinese Volt Typhoon hacking group used two FortiOS SSL VPN flaws (CVE-2022-42475 and CVE-2023-27997) in attacks where they deployed the Coathanger custom malware.

Coathanger is a remote access trojan (RAT) that targets Fortigate network security appliances and was recently used to backdoor a military network of the Dutch Ministry of Defence.