CISA confirmed today that attackers are actively exploiting a critical remote code execution bug patched by Fortinet on Thursday.
The flaw is due to an out-of-bounds write weakness in the FortiOS operating system that can let unauthenticated attackers execute arbitrary code remotely using maliciously crafted HTTP requests.
Admins who can't immediately deploy security updates to patch vulnerable appliances can remove the attack vector by disabling SSL VPN on the device.
The cybersecurity agency also ordered U.S. federal agencies to secure FortiOS devices against this security bug within seven days, by February 16, as required by the binding operational directive issued in November 2021.
Fortinet patched two other critical RCE vulnerabilities in its FortiSIEM solution this week.
Fortinet's disclosure process was confusing: the company first denied that the CVEs were real, claiming they had been generated by mistake due to an API issue and were duplicates of a similar flaw fixed in October.
As later revealed, the bugs were discovered and reported by Horizon3 vulnerability expert Zach Hanley, with the company eventually admitting the two CVEs were variants of the original CVE-2023-34992 bug.
Since remote unauthenticated attackers can use these vulnerabilities to execute arbitrary code on vulnerable appliances, it is strongly advised to secure all Fortinet devices as soon as possible.
Fortinet flaws are commonly targeted to breach corporate networks in cyber espionage campaigns and ransomware attacks.
Fortinet said on Wednesday that the Chinese Volt Typhoon hacking group used two FortiOS SSL VPN flaws in attacks where they deployed the Coathanger custom malware.
Coathanger is a remote access trojan that targets Fortigate network security appliances and was recently used to backdoor a military network of the Dutch Ministry of Defence.
This Cyber News was published on www.bleepingcomputer.com. Publication date: Fri, 09 Feb 2024 21:15:08 +0000