Fortinet says a critical FortiOS SSL VPN vulnerability that was patched last week “may have been exploited” in attacks affecting government, manufacturing, and critical infrastructure organizations.
The defect (tracked as CVE-2023-27997 / FG-IR-23-097) is a heap-based buffer overflow weakness in FortiOS and FortiProxy SSL-VPN that may allow unauthenticated attackers to achieve remote code execution (RCE) via maliciously crafted requests.
CVE-2023-27997 was discovered during a code audit of the SSL-VPN module that Fortinet started after a recent series of attacks on government organizations exploiting CVE-2022-42475, a FortiOS SSL-VPN zero-day.
On Friday, Fortinet released security updates to address the vulnerability before disclosing additional details today.
This is not the first time the company has pushed patches before disclosing a critical vulnerability, giving customers time to secure their devices before threat actors reverse engineer the fix to build exploits.
“Our investigation revealed that one issue (FG-IR-23-097) may have been exploited in a limited number of cases and we are working closely with our customers to monitor the situation,” Fortinet said in a report released Monday.
“For this reason, if the customer has SSL-VPN enabled, Fortinet advises customers to take immediate action to upgrade to the most recent firmware version.
“If the customer is not using SSL-VPN, the risk of this issue is mitigated – however, Fortinet still recommends upgrading.”
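Fortinet's guidance above reduces to two questions per appliance: is the firmware below the fixed release for its branch, and is SSL-VPN enabled? The script below is an added example (not Fortinet's code and not part of the original article) that applies that triage to a constructed inventory. It parses the `Version:` line that `get system status` prints on a FortiGate and ranks each device. The fixed-version table is taken from FG-IR-23-097 as published at the time of writing; treat it as an assumption and verify it against the current advisory before relying on the output, since branches the table does not cover (for example newer major releases) are reported as needing manual review rather than silently marked patched.

```python
import re
from dataclasses import dataclass

# Fixed releases per FortiOS branch, as listed in FG-IR-23-097 at the time of
# writing. ASSUMPTION: verify against the live advisory before use.
FIXED_BY_BRANCH = {
    (7, 2): (7, 2, 5),
    (7, 0): (7, 0, 12),
    (6, 4): (6, 4, 13),
    (6, 2): (6, 2, 14),
    (6, 0): (6, 0, 17),
}

# Matches the "vX.Y.Z" token in the Version line of `get system status`.
VERSION_RE = re.compile(r"\bv(\d+)\.(\d+)\.(\d+)\b")


def parse_version(status_line: str) -> tuple:
    """Return (major, minor, patch) from a FortiGate 'Version:' status line."""
    m = VERSION_RE.search(status_line)
    if not m:
        raise ValueError(f"no FortiOS version found in {status_line!r}")
    return tuple(int(x) for x in m.groups())


def triage(version: tuple, sslvpn_enabled: bool) -> str:
    """Rank one device per the vendor guidance.

    critical        -> vulnerable build and SSL-VPN enabled: upgrade immediately
    high            -> vulnerable build, SSL-VPN disabled: exposure mitigated,
                       upgrade anyway (Fortinet still recommends it)
    patched         -> at or above the fixed release for its branch
    unknown-branch  -> branch not in the table: check the advisory by hand
    """
    fixed = FIXED_BY_BRANCH.get(version[:2])
    if fixed is None:
        return "unknown-branch"
    if version >= fixed:          # tuple comparison handles multi-digit patch levels
        return "patched"
    return "critical" if sslvpn_enabled else "high"


@dataclass
class Device:
    name: str
    status_line: str      # the "Version:" line from `get system status`
    sslvpn_enabled: bool  # taken from the device's SSL-VPN settings


def triage_inventory(devices) -> dict:
    """Map device name -> triage result for a list of Device records."""
    return {d.name: triage(parse_version(d.status_line), d.sslvpn_enabled)
            for d in devices}


# Constructed sample inventory (hypothetical hostnames and builds), not real data.
SAMPLE_INVENTORY = [
    Device("fw-edge-01", "Version: FortiGate-60F v7.0.11,build0489,230314 (GA.F)", True),
    Device("fw-edge-02", "Version: FortiGate-100F v7.2.5,build1517,230519 (GA.F)", True),
    Device("fw-lab-01",  "Version: FortiGate-40F v6.4.12,build2492,230210 (GA.F)", False),
    Device("fw-new-01",  "Version: FortiGate-200F v7.4.0,build2360,230509 (GA.F)", True),
]

if __name__ == "__main__":
    for name, verdict in triage_inventory(SAMPLE_INVENTORY).items():
        print(f"{name:12s} {verdict}")
```

Feed it the `Version:` lines collected from your own appliances (for example via your existing configuration-backup or monitoring tooling) and treat every `critical` entry as the first upgrade wave; `high` entries follow, and `unknown-branch` means the table needs updating before the result can be trusted.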
Volt Typhoon Connections
Although it drew no link to the recently disclosed Volt Typhoon attacks targeting critical infrastructure organizations across the United States, Fortinet raised the possibility that the Chinese cyber espionage group could also target the CVE-2023-27997 flaw.
“At this time, we are not linking FG-IR-23-097 to the Volt Typhoon campaign, but Fortinet expects all threat actors, including those behind the Volt Typhoon campaign, to continue to exploit unpatched vulnerabilities in widely used software and devices,” the company said.
“For this reason, Fortinet urges immediate and continued mitigation through an aggressive patching campaign.”
Volt Typhoon is known to have hacked Internet-exposed Fortinet FortiGuard devices through an undisclosed zero-day vulnerability to gain access to the networks of organizations across a wide range of critical sectors.
The threat actors also route their activity through compromised routers, firewalls, and VPN appliances from multiple vendors so that it blends in with legitimate network traffic and evades detection.
Fortinet said today that the group primarily gains initial access through devices left unpatched against CVE-2022-40684, an authentication bypass vulnerability in FortiOS, FortiProxy, and FortiSwitchManager.
However, as noted above, the threat actors are also expected to start exploiting new vulnerabilities as they are disclosed.