Exploitation activity increasing on Fortinet vulnerability

Exploitation activity appears to be ramping up against a critical Fortinet vulnerability that was disclosed and patched last month.

In a security advisory on Feb. 8, Fortinet detailed a zero-day vulnerability in FortiOS, tracked as CVE-2024-21762 or what Fortinet tracks internally as FG-IR-24-015. The advisory warned users that the out-of-bounds write vulnerability was "potentially being exploited in the wild," and CISA added CVE-2024-21762 to its Known Exploited Vulnerabilities catalog on Feb. 9. Fortinet has not confirmed reports of active exploitation.

More than a month later, the vulnerability -- which affects FortiOS, Fortinet's SSL VPN software and FortiProxy secure web gateway -- is gaining more attention from threat actors. On Monday, the Shadowserver Foundation, a cybersecurity nonprofit organization, confirmed that it observed an increase in exploitation activity following the release of more detailed vulnerability information that included a proof-of-concept (PoC) exploit.

Successful exploitation could allow an unauthenticated remote attacker to execute arbitrary commands on a vulnerable device. SSL VPNs from a variety of vendors, including Fortinet, have proven to be a popular target for nation-state threat actors.

Shadowserver said its internet scans revealed that more than 133,000 vulnerable instances remained as of Sunday and urged users to upgrade to the fixed version.

"With detailed vulnerability/exploit analysis now published, we have started to observe Fortinet CVE-2024-21762 exploitation attempts executing callbacks as of March 17th UTC. These are currently coming from one IP hitting FortiGate devices," Shadowserver Foundation wrote on X, formerly known as Twitter.

TechTarget Editorial contacted Shadowserver for additional information on the single IP address. The organization declined to comment with concerns that it would likely provide too much information to the threat actor.

Cybersecurity vendor Assetnote published a blog post with details on how its security team produced a working exploit for CVE-2024-21762 using a FortiGate SSL VPN. Assetnote said it chose to investigate the flaw because "FortiGate is widely deployed and a pre-auth remote code execution vulnerability would have a huge impact."

Assetnote, which offers an attack surface management platform, added that its research team immediately began analyzing CVE-2024-21762 after the public disclosure to ensure the vendor's own customers were notified if they were affected.

"The exploit described in this post is tailored to the exact version of FortiGate SSL VPN used for testing. It is unlikely the exploit will work on other versions. The purpose of our research is primarily to power our exposure engine. We also publish research to add more colour and help defenders," Assetnote wrote in the blog post.

While Shadowserver observed an increase in activity after the PoC was published, Fortinet customers had more than a month to apply patches for CVE-2024-27162.

For the Fortinet research, Assetnote said it was only able to obtain versions 7.2.5 and 7.2.7 of the FortiGate network appliance. One part of the research involved testing two security checks that Fortinet added in the patch release. Assetnote said that included creating chunk requests that had fewer than 1,024 bytes and a length string of fewer than 17 characters.

Assetnote used information from previous FortiGate exploits to create the PoC for CVE-2024-27162. For example, previous exploits created post parameter allocation sizes and calls to the SSL_do_handshake function.

The blog post also emphasized how often FortiGate contains memory corruption vulnerabilities. For example, Fortinet disclosed two more critical vulnerabilities that affect FortiOS and FortiProxy just last week.

"It seems like a lot of effort has been spent on preventing access to the filesystem; setting up the debugger was a significant portion of the time spent on this vulnerability. Would that effort be better spent on auditing and hardening the applications themselves?" Assetnote's blog post said.

Fortinet did not respond to a request for comment at press time.

Arielle Waldman is a news writer for TechTarget Editorial covering enterprise security.