An advanced persistent threat (APT) group has been actively exploiting a zero-day flaw in the software that powers FatPipe's virtual private networking (VPN) devices, the FBI has warned.
While the FBI hasn't shared details about the attackers, its cybersecurity sleuths have discovered that the group has been using the flaw since at least May 2021.
"The vulnerability allowed APT actors to gain access to an unrestricted file upload function to drop a webshell for exploitation activity with root access, leading to elevated privileges and potential follow-on activity," notes the FBI in its advisory.
Interestingly, analysis of the group’s activity has shown that the threat actors took various steps to cover evidence of their break-in, including wiping their session activity to avoid detection.
Patch now
According to the FBI, the bug hasn’t yet been assigned a CVE number, but has been fixed by FatPipe.
Explaining the bug in its own advisory, FatPipe notes that it exists in the software’s web management interface.
"The vulnerability is due to a lack of input and validation checking mechanisms for certain HTTP requests on an affected device. An attacker could exploit this vulnerability by sending a modified HTTP request to the affected device," explains FatPipe.
The vulnerability affects all FatPipe WARP, MPVPN, and IPVPN device software prior to the latest version releases, 10.1.2r60p93 and 10.2.2r44p1. Since there aren’t any known workarounds to the bug, both the FBI and FatPipe urge users to upgrade to the latest patched release without delay.
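Because the only remediation is upgrading to the fixed releases, a defender's first job is to find which devices are still below them. The following is an added example (not FatPipe's or the FBI's code) that parses FatPipe-style version strings and triages a device inventory against the two fixed releases named above; it assumes the "rNN"/"pNN" suffixes are release and patch counters and that a version on a train the advisory does not name should be flagged for manual review.

```python
import re
from typing import Optional, Tuple

# Fixed releases named in the FBI and FatPipe advisories, one per release train.
FIXED_RELEASES = {
    (10, 1): "10.1.2r60p93",
    (10, 2): "10.2.2r44p1",
}

# major.minor.patch with optional rNN (release) and pNN (patch) suffixes.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:r(\d+))?(?:p(\d+))?$")


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '10.1.2r60p93' into the sortable tuple (10, 1, 2, 60, 93).

    Assumption: r/p suffixes order monotonically; a missing suffix counts as 0.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(g or 0) for g in m.groups())


def is_patched(version: str) -> Optional[bool]:
    """True if at/above the fixed release for its train, False if older,
    None if the train (major.minor) is not one the advisory names."""
    v = parse_version(version)
    fixed = FIXED_RELEASES.get((v[0], v[1]))
    if fixed is None:
        return None
    return v >= parse_version(fixed)


def triage(inventory: dict) -> dict:
    """Split a {device_name: version} inventory into patched/vulnerable/unknown."""
    buckets = {"patched": [], "vulnerable": [], "unknown": []}
    for device, version in inventory.items():
        state = is_patched(version)
        key = "unknown" if state is None else ("patched" if state else "vulnerable")
        buckets[key].append(device)
    return buckets


if __name__ == "__main__":
    # Constructed sample inventory; device names and versions are made up.
    sample = {"warp-hq": "10.1.2r60p93", "mpvpn-branch": "10.1.2r60p92",
              "ipvpn-dc": "10.2.2r44p1", "lab-box": "10.2.1r9p4", "legacy": "9.1.2r3p1"}
    for bucket, devices in triage(sample).items():
        print(f"{bucket}: {', '.join(devices) or '-'}")
```

Anything landing in the "unknown" bucket should be checked against the vendor advisory by hand rather than assumed safe.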