Fortinet says a critical FortiOS SSL VPN vulnerability that was patched last week "may have been exploited" in attacks impacting government, manufacturing, and critical infrastructure organizations.
The flaw (tracked as CVE-2023-27997 / FG-IR-23-097) is a heap-based buffer overflow weakness in FortiOS and FortiProxy SSL-VPN that can let unauthenticated attackers gain remote code execution (RCE) via maliciously crafted requests.
CVE-2023-27997 was discovered during a code audit of the SSL-VPN module following another recent set of attacks against government organizations exploiting the CVE-2022-42475 FortiOS SSL-VPN zero-day.
On Friday, Fortinet released security updates to address the vulnerability before disclosing additional details today.
This is not the first time the company has pushed patches before disclosing critical vulnerabilities to give customers time to secure their devices before threat actors reverse engineer them to create exploits.
"Our investigation found that one issue (FG-IR-23-097) may have been exploited in a limited number of cases and we are working closely with customers to monitor the situation," Fortinet said in a report published on Monday.
"For this reason, if the customer has SSL-VPN enabled, Fortinet is advising customers to take immediate action to upgrade to the most recent firmware release.
"If the customer is not operating SSL-VPN the risk of this issue is mitigated – however, Fortinet still recommends upgrading."
More than 250,000 Fortigate firewalls are exposed on the Internet, according to Shodan, and it is highly probable that a significant number are also currently vulnerable to attacks considering that this bug impacts all earlier firmware versions.
Volt Typhoon connections
While it didn't make any links to the recently disclosed Volt Typhoon attacks targeting critical infrastructure organizations across the United States, Fortinet did mention the possibility that the Chinese cyberespionage group could also target the CVE-2023-27997 flaw.
"At this time we are not linking FG-IR-23-097 to the Volt Typhoon campaign, however Fortinet expects all threat actors, including those behind the Volt Typhoon campaign, to continue to exploit unpatched vulnerabilities in widely used software and devices," the company said.
"For this reason, Fortinet urges immediate and ongoing mitigation through an aggressive patching campaign."
Volt Typhoon is known for hacking into Internet-exposed Fortinet FortiGuard devices via an unknown zero-day vulnerability to gain access to the networks of organizations in a wide range of critical sectors.
The threat actors also use compromised routers, firewalls, and VPN appliances from multiple vendors to evade detection by ensuring their malicious activity blends in with legitimate network traffic.
Fortinet said today that they are primarily targeting devices unpatched againstCVE-2022-40684, an authentication bypass vulnerability in FortiOS / FortiProxy / FortiSwitchManager devices, for initial access.
However, just as previously mentioned, the threat actors are expected to also start abusing new vulnerabilities, as they are disclosed.