The volume of Fortinet boxes exposed to the public internet and vulnerable to a month-old critical security flaw in FortiOS is still extremely high, despite a gradual increase in patching.
According to security nonprofit Shadowserver's latest data, the number of Fortinet appliances vulnerable to CVE-2024-21762 stands at more than 133,000 - down only slightly from more than 150,000 ten days prior.
Fortinet patched CVE-2024-21762 in early February, well over a month ago.
It's a 9.6 severity vulnerability that leads to remote code execution and appeared front and center during Fortinet's week to forget last month.
The biggest number of exposures is in Asia, with 54,310 appliances still vulnerable to the critical RCE bug, the data shows.
North America and Europe fill the second and third spots with 34,945 and 28,058 respectively, while South America, Africa, and Oceania comprise the remainder.
The number of exposed SSL VPNs illustrates the wide attack surface for the critical vulnerability, one that's already known to be actively exploited.
When it was first disclosed by Fortinet, the vendor said there was evidence of it being used as a zero day.
The US Cybersecurity and Infrastructure Security Agency soon corroborated this by adding it to the Known Exploited Vulnerability catalog, thereby requiring all federal agencies to patch it within a tight deadline.
Proofs of concept are now relatively widely available online, meaning the likelihood of an attacker scanning for vulnerable boxes and popping one open is as high as it has been since the vulnerability was disclosed.
As Pindur notes, CVE-2024-21762 was just one vulnerability that's been giving admins headaches recently.
To make matters worse, the vendor announced another critical-severity bug leading to RCE last week, further adding to the patching workload. CVE-2023-48788 is an SQL injection flaw in FortiClient Endpoint Management Server that was disclosed on March 12, carrying a 9.3 severity score.
Although there's no mention of it being actively exploited, experts at Tenable said it was likely to happen soon.
Researchers at GreyNoise have begun tracking active exploits of CVE-2023-48788, but at the time of writing the data shows no signs of malicious activity.
CISA also released an advisory a day before Fortinet's disclosure of CVE-2024-21762, warning of Volt Typhoon pre-positioning itself inside US critical infrastructure, using vulnerabilities in networking appliances such as Fortinet's as a way in.
For the uninitiated, Volt Typhoon is the name used to track a known state-sponsored offensive cyber group aligned with China.
This Cyber News was published on go.theregister.com. Publication date: Mon, 18 Mar 2024 19:13:05 +0000