CISA warns Fortinet zero-day vulnerability under attack

CISA alerted federal agencies that a critical zero-day vulnerability in FortiOS is being actively exploited, though Fortinet has yet to confirm reports.

CISA urged users to address two critical Fortinet vulnerabilities in products that are commonly targeted by the Chinese nation-state threat group Volt Typhoon, and one flaw is already being exploited in the wild.

Fortinet published two separate advisories Thursday to disclose critical vulnerabilities. The first is an out-of-bounds write zero-day vulnerability, CVE-2024-21762, which it tracks internally as FG-IR-24-015. The second is CVE-2024-23113, which Fortinet described as a "use of externally-controlled format string vulnerability" and tracks as FG-IR-24-029. Both vulnerabilities affect FortiOS and could allow an unauthenticated attacker to execute remote code or commands on an affected device.

While Fortinet warned that CVE-2024-21762 was "potentially" under attack, CISA added the flaw to its Known Exploited Vulnerabilities catalog Friday "based on evidence of active exploitation." Federal agencies are required to prioritize any vulnerabilities in the catalog. The government agency simultaneously published an advisory that urged users and administrators to apply mitigations for both Fortinet vulnerabilities.

The CISA and Fortinet advisories came just days after U.S. government agencies warned that Volt Typhoon had compromised U.S. critical infrastructure organizations and maintained access in some victims' IT environments for at least five years. The agencies believe the threat group is preparing to launch potentially disruptive attacks in case of a major conflict with the U.S. and urged enterprises to take immediate action to mitigate any of the commonly targeted devices used for initial access.

Those commonly targeted products include Fortinet's SSL VPN and internet-facing network devices. Another frequently targeted vendor was Ivanti, which disclosed yet another flaw, tracked as CVE-2024-22024, in its Ivanti Connect Secure product on Thursday. In January, Volexity confirmed that a Chinese nation-state threat actor it tracks as UTA0178 was actively exploiting two Ivanti zero-day vulnerabilities in Ivanti Connect Secure and Ivanti Policy Secure against 1,700 devices worldwide.

CVE-2024-21762 affects Fortinet's FortiProxy secure web gateway and FortiOS software in the vendor's SSL VPN, which has proved to be a popular target. In June, Fortinet issued an advisory for another SSL VPN vulnerability, tracked as CVE-2023-27997, and warned critical infrastructure organizations that Volt Typhoon was likely to attack.

The latest Fortinet flaw affects several FortiOS versions between 6.0 and 7.4.2, and users must upgrade to the fixed versions -- 7.4.3 or higher. "Workaround : disable SSL VPN (disable webmode is NOT a valid workaround)," Fortinet wrote in the FG-IR-24-015 advisory.

CVE-2024-23113 affects FortiOS' FortiGate-to-FortiManager (FGFM) daemon protocol, which FortiManager uses to manage FortiGate devices. It does not affect FortiOS version 6. Users are again urged to upgrade or migrate to a fixed release. The advisory provided a workaround, but warned that it should be treated as a mitigation rather than a complete workaround because of the potential risks.

"Please also note that a local-in policy that only allows FGFM connections from a specific IP will reduce the attack surface but it won't prevent the vulnerability from being exploited from this IP," Fortinet wrote in the FG-IR-24-029 advisory.
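As an added illustration, not taken from the article or from Fortinet's advisories, the FortiOS CLI fragment below shows the shape of the two mitigations the article describes: turning SSL VPN off for FG-IR-24-015, and, for FG-IR-24-029, removing FGFM from an interface's administrative access and adding a local-in policy that accepts FGFM (TCP 541) only from one management address. The interface name port1, the address object FortiManager_IP, the 192.0.2.10 documentation address and the exact command syntax are assumptions to check against the CLI reference for the FortiOS release in use. As the advisory quoted above notes, the local-in policy only shrinks the attack surface; the permitted address can still reach the flaw, so the upgrade is the actual fix.

```text
# Added example, not from the article or Fortinet's advisories.
# Assumed names: port1 (internet-facing interface), FortiManager_IP
# (address object), 192.0.2.10 (constructed documentation address).
# Verify syntax against the CLI reference for your FortiOS release.

# 1. FG-IR-24-015 / CVE-2024-21762: disable SSL VPN entirely.
#    The advisory states that disabling web mode alone is NOT sufficient.
config vpn ssl settings
    set status disable
end

# 2. FG-IR-24-029 / CVE-2024-23113: stop exposing FGFM on the interface.
#    Re-list only the administrative services you actually need; the
#    list below is illustrative, not a recommendation for every site.
config system interface
    edit "port1"
        set allowaccess ping https ssh
    next
end

# 3. Defence in depth for FGFM: accept it from the management host only,
#    deny it from everywhere else. Local-in policies are matched top-down,
#    so the accept rule must precede the deny rule.
config firewall address
    edit "FortiManager_IP"
        set subnet 192.0.2.10 255.255.255.255
    next
end

config firewall local-in-policy
    edit 1
        set intf "port1"
        set srcaddr "FortiManager_IP"
        set dstaddr "all"
        set service "FGFM"
        set schedule "always"
        set action accept
    next
    edit 2
        set intf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set service "FGFM"
        set schedule "always"
        set action deny
    next
end

# 4. Check that no interface still lists fgfm under allowaccess
#    (grep -f, which prints the whole matching block, is assumed here).
show system interface | grep -f fgfm
```

The order of the local-in rules matters: if the deny rule were first, the management host would be cut off as well. Steps 2 and 3 reduce exposure for unpatched devices; they are a stopgap until the affected FortiOS branch is moved to a fixed release.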

While Fortinet credited the discovery of CVE-2024-23113 to Gwendal Guégniaud of its product security team, there was no public acknowledgement for CVE-2024-21762.

In a blog post Monday, Wiz threat researcher Merav Bar emphasized that there have been reports of CVE-2024-21762 being exploited in the wild. She added that organizations should patch "urgently" and expanded on potential risks to cloud environments.

"Based on Wiz data, 8% of cloud environments have resources vulnerable to CVE-2024-21762 or CVE-2024-23113, while 5% have publicly exposed instances," Bar wrote in the blog post.

TechTarget Editorial contacted Fortinet for additional comment regarding exploitation of CVE-2024-21762. The company sent the following statement:

Fortinet distributed a PSIRT advisory (FG-IR-24-015) that detailed mitigation guidance and recommended next steps regarding CVE-2024-21762. Fortinet diligently balances our commitment to the security of our customers and our culture of researcher collaboration and transparency. Timely and ongoing communications with customers are a key component in our efforts to help protect and secure their organization, and we proactively communicated to customers via Fortinet's PSIRT Advisory process, advising them to follow the guidance provided. For more information regarding CVE-2024-21762, please refer to the advisory.

Arielle Waldman is a Boston-based reporter covering enterprise security news.