A critical security flaw identified as CVE-2024-21762 has been discovered in Fortinet’s FortiOS and FortiProxy secure web gateway systems, potentially impacting around 150,000 devices worldwide.
The vulnerability allows for unauthenticated remote code execution (RCE) by sending specially crafted HTTP requests to the affected machines.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has confirmed that attackers actively exploit the flaw, adding it to its Known Exploited Vulnerabilities (KEV) catalog.
Federal Civilian Executive Branch (FCEB) agencies must apply the fixes by February 16, 2024, to secure their networks against potential threats.
CVE-2024-21762 – Devices Affected
The vulnerability affects a wide range of Fortinet’s security appliances, including versions of FortiOS, FortiProxy, FortiSwitchManager, and FortiAnalyzer.
These devices are commonly used by organizations to manage network security, making the flaw particularly concerning because it could grant sensitive information access.
Document
Integrate ANY.RUN in your company for Effective Malware Analysis
Are you from SOC and DFIR teams? – Join With 400,000 independent Researchers
Malware analysis can be fast and simple. Just let us show you the way to:
Interact with malware safely
Set up virtual machine in Linux and all Windows OS versions
Work in a team
Get detailed reports with maximum data
If you want to test all these features now with completely free access to the sandbox:
Analyze malware in ANY.RUN for free
According to the FortiGuard Labs’ security advisory, the vulnerability is the result of an improper limitation of a pathname to a restricted directory, which could be exploited by an unauthenticated attacker via the internet.
This could lead to arbitrary code execution on the underlying operating system of affected devices.
Exploitation of this vulnerability has been reported in the wild, with attackers actively seeking to compromise devices that have not yet been patched.
The flaw’s severity has been underscored by its high CVSS score, which reflects the ease of exploitation and the potential impact on affected systems.
As per the Shadowserver report, more than 150,000 devices have been identified as vulnerable.
We have added improvements to our Fortinet FortiOS/FortiProxy scans for CVE-2024-21762 vulnerable instances – nearly 150K (!) found on 2024-02-06: https://t.co/uxH0R7OD4NAdvisory info: https://t.co/KIdrmN73EKNote: this vulnerability is known to be exploited in the wild pic.twitter.com/CfZj0DcSPh— Shadowserver (@Shadowserver) March 7, 2024
Fortinet has released patches for the affected versions and is urging customers to update their devices immediately to mitigate the risk. The affected versions and the corresponding patches can be found on Fortinet’s official advisory page.
For users and administrators who are unsure if their devices are vulnerable, a check script has been made available on GitHub by BishopFox. The script, named CVE-2024-21762-check, can be used to determine if a Fortinet device is susceptible to the flaw, facilitating a more efficient response to the threat.
In the meantime, Fortinet has also provided a workaround for those unable to apply the patches immediately. The workaround involves disabling the HTTP/HTTPS administrative interface or limiting IP access to trusted hosts. However, this is only temporary, and users are strongly advised to apply the official patches as soon as possible.
With Perimeter81 malware protection, you can block malware, including Trojans, ransomware, spyware, rootkits, worms, and zero-day exploits. All are incredibly harmful and can wreak havoc on your network.
Stay updated on Cybersecurity news, Whitepapers, and Infographics. Follow us on LinkedIn & Twitter.
