Fortinet Releases Advisory on New Post-Exploitation Technique for Known Vulnerabilities

Fortinet is aware of a threat actor creating a malicious file from previously exploited Fortinet vulnerabilities (CVE-2024-21762, CVE-2023-27997, and CVE-2022-42475) within FortiGate products. This malicious file could enable read-only access to files on the device's file system, which may include configurations. Fortinet has communicated directly with the account holders of customers identified as impacted by this issue based on the available telemetry with mitigation guidance.

See the following resource for more information:

• Analysis of Threat Actor Activity | Fortinet Blog

CISA encourages administrators to review Fortinet’s advisory and:

• Upgrade to FortiOS versions 7.6.2, 7.4.7, 7.2.11, 7.0.17, 6.4.16 to remove the malicious file and prevent re-compromise.
• Review the configuration of all in-scope devices.
• Reset potentially exposed credentials.
• As a work-around mitigation until the patch is applied, consider disabling SSL-VPN functionality, as exploitation of the file requires the SSL-VPN to be enabled.

For more mitigation information: Recommended steps to execute in case of a... - Fortinet Community.

Organizations should report incidents and anomalous activity to CISA’s 24/7 Operations Center at Report@cisa.gov or (888) 282-0870.