Exploitation activity appears to be ramping up against a critical Fortinet vulnerability that was disclosed and patched last month.
In a security advisory on Feb. 8, Fortinet detailed a zero-day vulnerability in FortiOS, tracked as CVE-2024-21762 and, internally at Fortinet, as FG-IR-24-015.
Fortinet has not confirmed reports of active exploitation.
More than a month later, the vulnerability - which affects FortiOS, Fortinet's SSL VPN software and FortiProxy secure web gateway - is gaining more attention from threat actors.
On Monday, the Shadowserver Foundation, a cybersecurity nonprofit organization, confirmed that it observed an increase in exploitation activity following the release of more detailed vulnerability information that included a proof-of-concept exploit.
Successful exploitation could allow an unauthenticated remote attacker to execute arbitrary commands on a vulnerable device.
SSL VPNs from a variety of vendors, including Fortinet, have proven to be a popular target for nation-state threat actors.
Shadowserver said its internet scans revealed that more than 133,000 vulnerable instances remained as of Sunday and urged users to upgrade to the fixed version.
TechTarget Editorial contacted Shadowserver for additional information on the single IP address.
Assetnote, which offers an attack surface management platform, added that its research team immediately began analyzing CVE-2024-21762 after the public disclosure to ensure Assetnote's own customers were notified if they were affected.
While Shadowserver observed an increase in activity after the PoC was published, Fortinet customers had more than a month to apply patches for CVE-2024-21762.
For the Fortinet research, Assetnote said it was only able to obtain versions 7.2.5 and 7.2.7 of the FortiGate network appliance.
One part of the research involved testing two security checks that Fortinet added in the patch release.
Assetnote said that included creating chunked requests with chunks of fewer than 1,024 bytes and a chunk-length string of fewer than 17 characters.
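The two checks the article describes are bounds on a chunked-encoding chunk: how many bytes a chunk may carry and how long its hexadecimal size string may be. The following is an added example, not code from Fortinet, Assetnote or the article, that shows what such validation looks like in a plain HTTP/1.1 chunked-body decoder. The exact limits (chunks must be fewer than 1,024 bytes, size strings fewer than 17 characters) are assumptions taken from the article's wording, and the decoder itself is a generic illustration rather than the patched FortiOS code.

```python
import re

# Assumed bounds, read from the article's description of the patched checks:
# a chunk must be fewer than 1,024 bytes and its size string fewer than 17 characters.
MAX_CHUNK_BYTES = 1024
MAX_LEN_STR_CHARS = 17


class ChunkError(ValueError):
    """Raised when a chunked body violates framing or the size bounds."""


def parse_chunked(body: bytes) -> bytes:
    """Decode an HTTP/1.1 chunked body.

    Both bounds are enforced on the chunk-size line, i.e. before any chunk
    data is copied, so an oversized chunk is refused rather than buffered.
    """
    out = bytearray()
    pos = 0
    while True:
        eol = body.find(b"\r\n", pos)
        if eol == -1:
            raise ChunkError("missing CRLF after chunk-size line")
        size_line = body[pos:eol]
        # Drop any chunk extension (";name=value") before measuring the size string.
        size_str = size_line.split(b";", 1)[0].strip()
        if len(size_str) >= MAX_LEN_STR_CHARS:
            raise ChunkError(f"chunk-size string too long ({len(size_str)} chars)")
        if not re.fullmatch(rb"[0-9A-Fa-f]+", size_str):
            raise ChunkError("chunk-size is not hexadecimal")
        size = int(size_str, 16)
        if size >= MAX_CHUNK_BYTES:
            raise ChunkError(f"chunk too large ({size} bytes)")
        pos = eol + 2
        if size == 0:
            # last-chunk reached; trailer fields, if any, are ignored here
            return bytes(out)
        chunk = body[pos:pos + size]
        if len(chunk) != size:
            raise ChunkError("truncated chunk data")
        out += chunk
        pos += size
        if body[pos:pos + 2] != b"\r\n":
            raise ChunkError("missing CRLF after chunk data")
        pos += 2


def is_acceptable(body: bytes) -> bool:
    """Convenience wrapper: True if the body decodes within the bounds."""
    try:
        parse_chunked(body)
        return True
    except ChunkError:
        return False


if __name__ == "__main__":
    # Constructed sample bodies: a well-formed one and two that breach a bound.
    ok = b"5\r\nhello\r\n0\r\n\r\n"
    too_big = b"400\r\n" + b"A" * 1024 + b"\r\n0\r\n\r\n"      # 0x400 = 1024 bytes
    long_len = b"00000000000000005\r\nhello\r\n0\r\n\r\n"          # 17-character size string
    print(parse_chunked(ok), is_acceptable(too_big), is_acceptable(long_len))
```

The size-string check matters independently of the numeric value: a string of leading zeros still parses to a small number, so a decoder that only compared the integer would pass it through. Checking the string length before conversion closes that gap.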
Assetnote used information from previous FortiGate exploits to create the PoC for CVE-2024-21762.
Previous exploits involved POST parameter allocation sizes and calls to the SSL do-handshake function.
The blog post also emphasized how often FortiGate contains memory corruption vulnerabilities.
Fortinet disclosed two more critical vulnerabilities that affect FortiOS and FortiProxy just last week.
Fortinet did not respond to a request for comment at press time.
Arielle Waldman is a news writer for TechTarget Editorial covering enterprise security.
This Cyber News was published on www.techtarget.com. Publication date: Mon, 18 Mar 2024 20:43:05 +0000