Fortinet is warning customers to apply security upgrades after a critical vulnerability was found in FortiOS SSL-VPN that could allow a remote authenticated attacker to execute arbitrary commands and take control of a targeted system.
A heap-based buffer overflow vulnerability, CVE-2022-42475, could allow a remote attacker to take over an affected system, Fortinet said. There is at least one case where the vulnerability was exploited in the wild.
A spokesperson for the company said Fortinet is “committed to the security of our customers,” who have been notified through the PSIRT advisory process and urged to follow the guidance provided, and that the company continues to monitor the situation.
Claire Tills, senior research engineer at Tenable, said that Fortinet SSL VPNs have been a target of threat actors for years. The FBI and Cybersecurity and Infrastructure Security Agency put out advisories about these flaws in 2021, Tills said.
Fortinet has had a spate of severe vulnerabilities of late. In October, CISA added CVE-2022-40684, which affects multiple Fortinet products and carries a CVSS score of 9.6, to its Known Exploited Vulnerabilities catalog.
The most recent vulnerability was disclosed within the last few days by the French cybersecurity firm Olympe Cyberdefense.
A product such as FortiOS SSL-VPN is designed to act as a bridge between the external internet and internal organizational resources, according to Glenn Thorpe, program manager, emergent threat response at Rapid7. It essentially exists on the internal network and the external internet, he said.
A vulnerability such as this, which allows an unauthenticated attacker to execute their own code, “means that, not only is this device unable to perform its intended function of only allowing authenticated and authorized users access to internal resources, but it is now providing a pathway for an attacker to gain the very access this device is designed to protect against,” Thorpe said.