Askhat - stock.adobe.com

Fortinet confirms VPN vulnerability exploited in the wild

In an advisory Monday, Fortinet urged customers to take steps to immediately mitigate the critical flaw, which was disclosed earlier by French infosec firm Olympe Cyberdefense.

A critical zero-day vulnerability in Fortinet's SSL-VPN has been exploited in the wild in at least one instance.

Fortinet issued an advisory Monday detailing the heap-based buffer overflow flaw, tracked as CVE-2022-42475, affecting multiple versions of its FortiOS SSL-VPN. Ranked a 9.3 on the common vulnerability scoring system, Fortinet warned the critical flaw could allow a remote unauthenticated attacker to execute arbitrary code.

"Fortinet is aware of an instance where this vulnerability was exploited in the wild, and recommends immediately validating your systems against the following indicators of compromise," Fortinet wrote in the advisory.

Patches are available, and Fortinet recommended upgrading to the latest versions as well as the unaffected earlier version of FortiOS. In an email to TechTarget Editorial, Fortinet said it also continues to monitor the situation.

While the company's Product Security Incident Response team made the advisory publicly available Monday, it was not the first notification on the critical flaw. Olympe Cyberdefense, a France-based cyber threat intelligence vendor, released an alert Friday citing that a "new critical flaw, not yet made public" affected Fortinet SSL-VPN.

The alert, which was first reported Monday by TechTarget sister publication Le Mag IT, warned the zero-day vulnerability was easy to exploit and that attackers could gain full control of intended devices. Additionally, Olympe Cyberdefense recommended disabling VPN-SSL functionality if it's not essential.

Olympe updated its alert once Fortinet confirmed the vulnerability and urged customers to patch.

In a statement sent to TechTarget Editorial, Claire Tills, senior researcher engineer at Tenable, noted the time gap between the Olympe's initial disclosure and Fortinet's advisory. "Three days after its initial public disclosure, Fortinet patched CVE-2022-42475 and confirmed it has been exploited in the wild," Tills said.

"Fortinet SSL-VPNs have been a major target for years now -- to the extent that the FBI and CISA issued a dedicated advisory to these flaws and their exploitation in 2021. Nation state actors are still known to exploit those legacy vulnerabilities in Fortinet SSL-VPNs. Given that this new vulnerability has already been exploited, organizations should patch CVE-2022-42475 immediately before it joins the ranks of other legacy VPN flaws."

Attacks targeting VPNs have been on the rise, with multiple government warnings since 2020 when remote work increased amid the COVID-19 pandemic. In October, FortiOS faced another critical vulnerability that allowed attackers to bypass authentication and was exploited in the wild. Like Monday's advisory, Fortinet was not the first to publicly disclose the flaw.

Dig Deeper on Threats and vulnerabilities