Thousands of Fortinet instances vulnerable to actively exploited flaw

No excuses for not patching this nine-month-old issue

by · The Register

More than 86,000 Fortinet instances remain vulnerable to the critical flaw that attackers started exploiting last week, according to Shadowserver's data.

The most recent count, taken on Sunday, put the number of IPs vulnerable to the bug at 86,602 – a slight decrease from 87,930 the day before.

The internet security biz's data showed the majority of those appliances are located in Asia (38,778), followed, though not closely, by North America (21,262) and Europe (16,381).

CVE-2024-23113 was first disclosed in February, but the bad guys had been too busy experimenting with other critical bugs that were fixed around the same time.

For reasons unknown, the vulnerability has only recently caught the attention of attackers. The US's Cybersecurity and Infrastructure Security Agency (CISA) broke the news last week that it was being actively exploited, by adding it to the Known Exploited Vulnerabilities (KEV) catalog.

Security flaws are only added to the KEV catalog when the agency knows that a vulnerability is both being actively exploited and poses a serious threat to the security of federal civilian executive branch (FCEB) agencies.

These agencies received the usual 21-day window in which to address the vulnerability. That means they either have to upgrade to a safe version, or disconnect the affected appliance until a fix can be applied.

The status of whether the vulnerability is being used in ransomware attacks remains "unknown," as it was last week.

Carrying a CVSS v3 severity rating of 9.8, the remote code execution vulnerability is about as serious as they come. The assessment of CVE-2024-23113 concluded any successful exploit would have a high impact on data confidentiality, system integrity, and service availability, and required no privileges or user interaction to pull it off.

The flaw affects various versions of FortiOS, FortiPAM, FortiProxy, and FortiWeb; admins are advised to upgrade to unaffected releases or implement the mitigations outlined in Fortinet's advisory.

The mitigation involves removing the fgfm daemon access for every vulnerable interface, although this will prevent FortiManager from discovering FortiGate devices. ®
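As an added illustration of that workaround, not taken from the article or from Fortinet's advisory text, the FortiOS CLI fragment below shows an interface that still exposes fgfm (the daemon FortiManager uses to talk to FortiGate devices) next to the same interface with that access removed. The interface name "port1" and the other services listed on it are assumed placeholders; the setting is per-interface, so each interface has to be reviewed separately.

```fortios
# Added example, not from the article. "port1" and the services
# alongside fgfm are constructed placeholders; real values differ per device.

# Before (exposed): fgfm is among the services the interface accepts.
config system interface
    edit "port1"
        set allowaccess ping https ssh fgfm
    next
end

# After (mitigated): the same interface with fgfm dropped from allowaccess.
# "set allowaccess" replaces the whole list, so re-state every service you keep.
config system interface
    edit "port1"
        set allowaccess ping https ssh
    next
end

# Check for interfaces that still list fgfm (the FortiOS CLI accepts "| grep"):
show system interface | grep fgfm
```

Because fgfm is what FortiManager relies on to discover and manage FortiGate units, removing it is a trade-off: managed devices will drop out of FortiManager discovery until the upgrade is applied and the access is restored on the management-facing interface.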