Fortinet appliances remain vulnerable to critical bug, risking cyberattacks

A significant portion of 133,000 vulnerable devices are located in Asia

Despite ongoing efforts to address a critical security flaw in Fortinet appliances, more than 133,000 devices remain exposed to potential cyber threats.

The vulnerability, indexed as CVE-2024-21762, was patched by Fortinet in early February. However, the latest data from security nonprofit Shadowserver reveals that over 133,000 Fortinet appliances are still susceptible to this critical bug.

According to Shadowserver, a significant portion of these vulnerable devices – almost 55,000 – are located in Asia, with North America and Europe also at risk with 35,000 and 28,000 vulnerable appliances, respectively.

With a severity score of 9.6 out of 10, this out-of-bounds write flaw affects the SSL VPN component, potentially enabling attackers to run code or commands through specially crafted HTTP requests.

The wide attack surface presented by exposed SSL VPNs underscores the urgency for patching, especially as evidence suggests active exploitation of CVE-2024-21762.

Fortinet has stressed that simply disabling webmode within FortiOS and FortiProxy is not a viable workaround. Instead, organisations running affected versions must disable SSL VPN altogether until the necessary patches are applied.

The US Cybersecurity and Infrastructure Security Agency (CISA) has classified CVE-2024-21762 as a Known Exploited Vulnerability (KEV), mandating federal agencies to apply patches within a strict timeframe.

Security researcher Dylan Pindur highlighted the seriousness of the vulnerability, noting its similarity to past memory corruption issues in FortiGate appliances. Pindur said it was important to apply known mitigations promptly to mitigate the risk of exploitation.

Attack surface management platform Assetnote highlighted the widespread deployment of FortiGate appliances globally, warning that such vulnerabilities could have far-reaching consequences.

While researchers at Assetnote noted the lack of specific indicators of compromise for CVE-2024-21762, they advised vigilance for any unusual Node.js processes, given past exploits targeting FortiGate appliances.

The disclosure of CVE-2024-21762 in February was part of a tumultuous period for Fortinet that also saw several other vulnerabilities in Fortinet products revealed.

Additionally, the company faced intense scrutiny following reports of potential cyber threats posed by IoT-enabled toothbrushes, a claim Fortinet vehemently disputed and was later shown to be false.

Fortinet recently disclosed another critical-severity vulnerability, CVE-2023-48788, affecting FortiClient Endpoint Management Server (EMS). Although not yet actively exploited, experts warn of the likelihood of exploitation given the availability of proof of concepts and historical targeting of Fortinet devices by threat actors.

In February, Fortinet patched two bugs tracked under the identifiers CVE-2024-23108 and CVE-2024-23109, threatening the security posture of organisations relying on FortiSIEM.

In June 2023, Fortinet issued software updates to remedy a critical vulnerability detected in its FortiNAC network access control solution. The flaw, identified as CVE-2023-33299, was assigned a critical severity score of 9.6 out of 10.

The company also addressed a medium-severity vulnerability in June, indexed as CVE-2023-33300, which involved an improper access control issue impacting FortiNAC versions 9.4.0 through 9.4.3 and FortiNAC versions 7.2.0 through 7.2.1.