Attackers actively exploiting a month-old critical Fortinet vulnerability in Fortinet solution (CVE-2024-21762) 

All the businesses that have deployed Fortinet solutions must immediately implement patches and harden the solutions using the advisory published by Fortinet. More than 133,000 Fortinet appliances exposed to CVE-2024-21762 Vulnerability with the 9.8 CVSS rating.  

It was discovered a month ago, yet an increasing quantity of appliances are still vulnerable to this critical bug.  

The most devices exposed to the said vulnerability are in Asia (around 54310 devices).  

The vulnerability is a remote code execution vulnerability that has been added to the known exploited vulnerability (KEV) catalog. Fortinet has recommended all federal agencies patch the vulnerability as soon as possible because the PoC (Proof of Concept) for the vulnerability is easily available for the attackers online.   

Experts have found that there was a sudden increase in the exploitation with more than 150,000 devices at risk of exposure after the publish of Proof-of-Concept exploit.  

Fortinet has announced another vulnerability CVE-2023-48788 with CVSS 9.3 (critical), an SQL injection flaw in the FortiClient Endpoint Management Server (EMS).  

Since the vulnerability is suspected to be a FortiOS out-of-bounds write vulnerability that is exploited actively, it is recommended to implement the latest set of security measures to harden and patch the affected Fortinet devices.   

SharkStriker’s recommendation 

We recommend applying all the mitigations suggested by the vendor and disabling SSL VPN in case no further mitigation is available. 

• We recommend upgrading to the patched version of FortiOS and FortiProxy.   
• We enabled their posture with proactive detection and response to suspicious activities 
• For early detection and quick & precise response to the threats, we have advised all of our customers to upgrade to the latest version of the impacted solution. 
• Through our STRIEGO’s dashboards, our customers can check the status of their cybersecurity posture.

As our customers have enabled Network Monitoring, the SOC Team can continuously monitor for exploitations and respond to them accordingly.