Security news that informs and inspires

Exploit Attempts Against Fortinet VPN Bug Surge

It has been six weeks since Fortinet warned that a new buffer overflow in its FortiOS SSL-VPN software had been exploited in some limited targeted attacks, and now the number of attempts to exploit the bug has spiked significantly, with more than 13.5 million attempts against the vulnerability recorded since early December.

Fortinet published an advisory about the flaw (CVE-2022-42475) on Dec. 12 and said that the company was aware that it had been exploited by at least one attacker. “A heap-based buffer overflow vulnerability in FortiOS SSL-VPN may allow a remote unauthenticated attacker to execute arbitrary code or commands via specifically crafted requests,” the Fortinet advisory says.

“Fortinet is aware of an instance where this vulnerability was exploited in the wild.”

Fortinet released updated versions of the affected software products to address the bug and urged organizations to patch, and everyone went on about their business. But in the weeks since following the holiday break, attackers have taken a renewed interest in the vulnerability. Data from GreyNoise, which tracks attack traffic and other Internet trends, shows that exploit attempts against the Fortinet bug began to increase quite a bit at the end of December and have continued ever since.

“Since the vulnerability’s announcement, GreyNoise has actively monitored for any activity potentially related to FortiGuard products. Beginning December 29th, 2022 GreyNoise observed a significant increase in credential brute force attempts against Fortinet SSL VPN,” GreyNoise said in a post Tuesday.

“GreyNoise is not aware of any publicly available Proof-of-Concept code for CVE-2022-42475 at this time.”

More than 260 unique IP addresses have attempted to exploit the vulnerability, according to GreyNoise’s data. Though there isn’t any publicly available exploit code at this point, there is a Metasploit module that targets it.

Organizations that have not updated their FortiOS SSL-VPN deployments should do so as soon as possible to avoid being targeted in the exploit attempts.