Critical new pre-auth RCE Fortinet vulnerability exploited in wild
Fortinet has pushed out an emergency patch for a critical CVSS 9.3 vulnerability in numerous versions of its FortiOS operating system, which lets an unauthenticated, remote attacker (pre-auth RCE) take over systems.
Critics would be forgiven for asking tough questions about QA and feeling like it was "deja vu all over again" -- the critical new Fortinet vulnerability just eight weeks after another pre-auth RCE was widely exploited.
The heap-based buffer overflow bug has been allocated CVE-2022-4247. Fortinet’s own threat hunting team said it is “aware of an instance where this vulnerability was exploited in the wild, and recommends immediately validating your systems against the following Indicators of Compromise” (Its IoCs are here.)
See also: 7 free cybersecurity tools enterprises should be tracking
The new Fortinet vulnerability comes after another pre-auth RCE, allocated CVE-2022-40684, was patched on October 7. That was widely exploited. Fortinet devices frequently sit at the edge of networks, which makes them high-value targets. CVE-2018-13379, yet another critical vulnerabilityin Fortinet’s SSL VPN web portal became one of the most prolifically exploited vulnerabilities in recent memory, hitting CISA “most exploited” lists.
The new Fortinet vulnerability affects
- FortiOS version 7.2.0 through 7.2.2
- FortiOS version 7.0.0 through 7.0.8
- FortiOS version 6.4.0 through 6.4.10
- FortiOS version 6.2.0 through 6.2.11
- FortiOS-6K7K version 7.0.0 through 7.0.7
- FortiOS-6K7K version 6.4.0 through 6.4.9
- FortiOS-6K7K version 6.2.0 through 6.2.11
- FortiOS-6K7K version 6.0.0 through 6.0.14
Whilst exposing management planes to the public internet is far from best practice, a Shodan search when CVE-2022-40684 landed in October 2022 revealed some 50,000 exposed instances.
As ever, patch promptly and assume compromise.