Fortinet says VPN bug ‘may have been exploited in a limited number of cases’

Network security company Fortinet said a new vulnerability affecting its VPN tool may have already been exploited “in a limited number of cases.”

Concerns about the issue — tracked as CVE-2023-27997 — grew over the weekend due to how widely used Fortinet’s SSL-VPN product is among government organizations.

The bug allows hackers to run unauthorized code or commands remotely on the affected system. Fortinet fixed the issue in an update released last week.

In a blog on Monday, Fortinet said it was notified of the issue by Lexfo Security vulnerability researchers Charles Fol and Dany Bach, but added that the company’s own audit of the SSL-VPN product also uncovered the same vulnerability.

“This audit, together with a responsible disclosure from a third-party researcher, led to the identification of certain issues that have been remediated in the current firmware releases,” the company said.

“Our investigation found that one issue [CVE-2023-27997] may have been exploited in a limited number of cases and we are working closely with customers to monitor the situation.”

In a statement to Recorded Future News, the company reiterated that it's been “proactively communicating” with customers and “strongly urging them to immediately follow the guidance provided to mitigate the vulnerability using either the provided workarounds or by upgrading.”

Fortinet said that the hacking campaign was “targeted at government, manufacturing, and critical infrastructure.” The company also dispelled concerns that the vulnerability was being exploited by Volt Typhoon, a state-sponsored actor based in China that typically focuses on espionage and information gathering.

Christopher Glyer of the Microsoft Threat Intelligence Center questioned on Sunday whether the vulnerability was used in the headline-grabbing attacks by Volt Typhoon on critical infrastructure in Guam that were unveiled last month.

Fortinet addressed the theory in its blog, writing that it is not currently linking the vulnerability to the Volt Typhoon campaign but “expects all threat actors, including those behind the Volt Typhoon campaign, to continue to exploit unpatched vulnerabilities in widely used software and devices.”

The New York Times reported that the infrastructure compromised by the Chinese group included the telecommunications network of Guam, a U.S. territory in the Pacific Ocean described by the Department of Defense as “a strategic hub supporting crucial operations and logistics for all U.S. forces operating in the Indo-Pacific region.”

The cybersecurity agencies of the U.S., Australia and New Zealand released advisories about the issue on Monday, warning organizations to immediately apply the patch. The Cybersecurity and Infrastructure Security Agency added the vulnerability to its catalog of exploited vulnerabilities on Tuesday.

A patch for the issue was included in FortiOS firmware versions 6.0.17, 6.2.15, 6.4.13, 7.0.12, and 7.2.5.
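Because the fix ships as a separate release on each FortiOS branch, a device is only safe if its version is at or above the fixed release for its own branch; a 7.0.x box running 7.0.11 is unpatched even though 6.4.13 is a smaller number. The following triage helper is an added example (not Fortinet's tooling or code from the article): it encodes the five fixed versions listed above, compares a firmware string against the right branch, and reports "unknown" for any branch the article does not list rather than guessing. The inventory dictionary and hostnames are constructed sample data.

```python
from typing import Dict, List, Optional, Tuple

# Fixed FortiOS releases for CVE-2023-27997, keyed by (major, minor) branch,
# taken from the article's list of patched firmware versions.
FIXED_VERSIONS: Dict[Tuple[int, int], Tuple[int, int, int]] = {
    (6, 0): (6, 0, 17),
    (6, 2): (6, 2, 15),
    (6, 4): (6, 4, 13),
    (7, 0): (7, 0, 12),
    (7, 2): (7, 2, 5),
}


def parse_version(text: str) -> Tuple[int, int, int]:
    """Parse a FortiOS version such as '7.0.11' or 'v7.0.11' into a tuple."""
    parts = text.strip().lstrip("vV").split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised FortiOS version string: {text!r}")
    major, minor, patch = (int(p) for p in parts)
    return (major, minor, patch)


def is_patched(version: str) -> Optional[bool]:
    """Return True if patched, False if vulnerable, None if the branch is not
    one of the five the article lists (so no claim can be made from this data)."""
    v = parse_version(version)
    fixed = FIXED_VERSIONS.get((v[0], v[1]))
    if fixed is None:
        return None
    # Tuple comparison is lexicographic, so the patch number only matters
    # once major and minor already match the branch.
    return v >= fixed


def triage(inventory: Dict[str, str]) -> Dict[str, List[str]]:
    """Bucket an {hostname: version} inventory into patched/vulnerable/unknown."""
    result: Dict[str, List[str]] = {"patched": [], "vulnerable": [], "unknown": []}
    for host, version in inventory.items():
        status = is_patched(version)
        if status is None:
            result["unknown"].append(host)
        elif status:
            result["patched"].append(host)
        else:
            result["vulnerable"].append(host)
    return result


if __name__ == "__main__":
    # Constructed sample inventory (hostnames and versions are made up).
    sample_inventory = {
        "fw-hq-01": "7.0.11",      # one release short of the 7.0 fix
        "fw-branch-02": "7.2.5",   # exactly the fixed release
        "fw-lab-03": "6.4.13",     # exactly the fixed release
        "fw-legacy-04": "5.6.14",  # branch not covered by the article's list
        "fw-dc-05": "v7.0.12",     # fixed release with a leading 'v'
    }
    for bucket, hosts in triage(sample_inventory).items():
        print(f"{bucket}: {', '.join(hosts) or '-'}")
```

Hosts that land in the "unknown" bucket need to be checked against the vendor advisory directly; the helper deliberately refuses to mark them safe or unsafe on the strength of the versions quoted here.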

Tenable’s Satnam Narang told Recorded Future News that over the past five years, there has been a persistent trend of vulnerabilities in SSL VPN products such as those from Citrix, Pulse Secure and Fortinet being targeted.

“These flaws have not only been exploited by ransomware groups but also by nation-state aligned threat actors with a particular focus on flaws in Fortinet devices. SSL-VPNs are attractive targets due to their internet-facing nature, providing access to a company’s intranet,” he said.

“They became even more popular at the beginning of the pandemic, as organizations shifted towards allowing for remote work. Pre-authentication flaws are especially valuable to a remote attacker, because it doesn’t require them to already have valid credentials.”

Narang warned that once a proof-of-concept exploit for this flaw is made public, defenders should expect more widespread scanning and exploitation of vulnerable assets.

Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.