Thousands of Fortinet devices could face attack following security issue

(Image credit: Future)

Hackers have a pool of almost 150,000 vulnerable Fortinet FortiOS and FortiProxy instances which they can use to execute malicious code without authentication, experts have warned.

A month ago, Fortinet released a patch for a critical vulnerability tracked as CVE-2024-21762 (severity score 9.8), but it seems many admins aren’t diligently installing the fixes. To make matters worse, this flaw was already added to Cybersecurity and Infrastructure Security Agency’s (CISA) Known Exploited Vulnerabilities (KEV), meaning hackers are actively taking advantage of it. 

However, the details about hackers abusing the flaw are scarce. That could either mean that public platforms aren’t showing this activity, or the flaw is being used by highly sophisticated threat actors.

Patching the flaws

Now, BleepingComputer has spoken to Shadowserver’s Piotr Kijevski, who said that the organization scans the internet for vulnerable versions, but since workarounds and mitigations are also available, it could be that the number of vulnerable endpoints is somewhat lower. The majority of the potential targets, the organization further said, was in the United States (24,000), followed by India, Brazil, and Canada.

As per the National Vulnerability Database, this critical vulnerability is an out-of-bounds write flaw, plaguing multiple versions of FortiOS, and FortiProxy. Theoretically, an attacker could execute unauthorized code on vulnerable devices, using specifically crafted requests. 

Fortinet’s products are popular among small and medium-sized businesses (SMB), which makes them a prime target for cybercriminals. As a result, the company often releases security patches and urges customers to apply them without hesitation. 

In early July 2023, it was said that “hundreds of thousands” of FortiGate firewalls were vulnerable to CVE-2023-27997, a heap-based buffer overflow vulnerability with a 9.8 severity score. 

This flaw affected FortiOS and FortiProxy devices with SSL-VPN enabled. In March the same year, unknown hackers targeted certain US government networks with a zero-day vulnerability found in a Fortinet product. It was later reported that the attackers abused CVE-2022-41328 - an improper limitation of a pathname to a restricted directory vulnerability ('path traversal') [CWE-22] in FortiOS, which could have allowed a privileged attacker “to read and write arbitrary files via crafted CLI commands."

More from TechRadar Pro

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.