New vulnerability in Fortinet's FortiOS SSL VPN allows remote code execution. Tenable has commented on the exploitation of the vulnerability by state-sponsored attackers linked to countries such as Russia, Iran, and China.
Mandiant security researchers are tracking a new campaign of cyberattacks in which attackers exploit, as a zero-day, a recently disclosed vulnerability in Fortinet's FortiOS SSL VPN, CVE-2022-42475. Discovering or procuring a zero-day vulnerability is typically a costly endeavor, so it is surprising, though not unexpected, for a nation-state actor to spend one on this target.
Zero-day vulnerabilities are costly
“Since 2019, we have seen Citrix, Pulse Secure, and Fortinet SSL VPN vulnerabilities being exploited by a variety of attackers, from ransomware affiliates to advanced persistent threat (APT) groups and nation-state actors connected to countries like Russia, Iran and China.
Since these assets are publicly accessible, they are an ideal target for attacks. From a cost perspective, the investment in developing or procuring zero-day vulnerabilities is certainly higher, while using publicly available exploit code for older vulnerabilities costs nothing. With that in mind, it is surprising that a state actor with ties to China would exploit a zero-day vulnerability, albeit not unexpected. Businesses using SSL VPN software should focus on patching these devices in a timely manner to limit the window of opportunity for opportunistic attackers. At the same time, they should ensure that a robust security incident response program is in place,” said Satnam Narang, staff research engineer at Tenable.
Attack and patch go head to head
Three days after the initial public disclosure, Fortinet released a patch for CVE-2022-42475 and confirmed that the flaw had been exploited in the wild. The critical security flaw is a buffer overflow vulnerability that allows remote code execution in multiple versions of FortiOS used in SSL VPNs and firewalls.
Fortinet SSL VPNs have been an important target for years - so much so that in 2021 the FBI and CISA issued a special advisory on these vulnerabilities and how they were being exploited. State actors are known to still exploit these legacy vulnerabilities in Fortinet SSL VPNs. Since this new vulnerability has already been exploited, organizations should patch CVE-2022-42475 immediately, before it joins the ranks of the other legacy VPN vulnerabilities.
More at Tenable.com
About Tenable
Tenable is a Cyber Exposure company. Over 24,000 companies worldwide trust Tenable to understand and reduce cyber risk. The inventors of Nessus have combined their vulnerability expertise in Tenable.io, delivering the industry's first platform that provides real-time visibility into, and secures, any asset on any computing platform. Tenable's customer base includes 53 percent of the Fortune 500, 29 percent of the Global 2000, and large government agencies.