Fortinet VPN Vulnerability: A Threat to All Organizations

Author

Reads 553

Network rack
Credit: pexels.com, Network rack

Fortinet VPN vulnerability is a serious threat to all organizations, and it's essential to understand the extent of the issue. In March 2022, a critical vulnerability was discovered in Fortinet's VPN, which could allow attackers to gain unauthorized access to sensitive data.

The vulnerability, known as CVE-2022-42475, affects Fortinet's FortiOS operating system, which is widely used by organizations around the world. This means that nearly every organization that uses Fortinet's VPN could be at risk.

The vulnerability is caused by a buffer overflow in the FortiOS operating system, which can be exploited by attackers to execute arbitrary code. This allows them to gain access to sensitive data, disrupt operations, and even take control of the entire network.

Here's an interesting read: How Much Data Do Security Cameras Use

Impact and Risks

If your organization uses FortiClient version 7.2.4.0972 or earlier, you may be affected by Fortinet vulnerabilities CVE-2024-47574.

FortiClient version 7.2.4.0972 and earlier are vulnerable to this issue, so it's essential to check your software version.

This vulnerability could potentially allow attackers to gain unauthorized access to your network, so it's crucial to take action to protect yourself.

Brute-Force Attacks

Credit: youtube.com, How Brute-Force Attacks Stay Undetected (Tools, Tactics & Real Threats)

A spike in brute-forcing attempts targeting Fortinet SSL VPN was recorded on August 3, 2025, by GreyNoise.

The activity was linked to a FortiGate device on a residential IP address associated with Pilot Fiber Inc.

GreyNoise noted that this overlap doesn't confirm attribution, but suggests possible reuse of tooling or network environments.

The attackers switched targeting from FortiOS SSL VPN endpoints to FortiManager's FGFM service two days later, on August 5.

This shift suggested that either the same attackers or the same toolset/infrastructure moved from trying to brute-force VPN logins to trying to brute-force FortiManager access.

Defenders should block the listed IPs, which are:

  • 31.206.51.194
  • 23.120.100.230
  • 96.67.212.83
  • 104.129.137.162
  • 118.97.151.34
  • 180.254.147.16
  • 20.207.197.237
  • 180.254.155.227
  • 185.77.225.174
  • 45.227.254.113

to prevent further attacks.

Does It Apply To My Organization?

If your organization uses FortiClient version 7.2.4.0972 or earlier, you may be affected by Fortinet vulnerabilities CVE-2024-47574.

FortiClient versions 7.2.4.0972 or earlier have a known vulnerability, so it's essential to check your version to determine if you're at risk.

The specific vulnerability affects FortiClient versions prior to 7.2.4.0972, which means you're likely safe if you're using a more recent version.

However, if you're still using an older version, it's crucial to take immediate action to protect your organization from potential security threats.

Analysis and Mitigation

Credit: youtube.com, Critical Fortinet Vulnerability: FortiSIEM and SSL VPNs Under Attack

Field Effect's Security Intelligence professionals constantly monitor the cyber threat landscape for vulnerabilities, including those in Fortinet software and devices. They automatically notify MDR users if a vulnerable version is detected in their environment.

To mitigate the risk, Field Effect recommends restricting internet access to affected VPNs to trusted IP addresses. This is crucial until a patch is released.

Field Effect also provides a platform, the Field Effect Portal, where users can review Action Required Objects (AROs) related to vulnerabilities. This allows users to stay informed and take prompt action to secure their systems.

Analysis

Fortinet devices have a long history of being plagued with vulnerabilities, many of which are exploited as zero-days. This is concerning, especially given the widespread deployment of these devices.

In October 2024, a separate zero-day vulnerability designated CVE-2024-47575 and since dubbed "FortiJump", enabled threat actors to execute arbitrary commands on FortiManager servers and devices through the FortiGate to FortiManager (FGFM) protocol API. This resulted in the exfiltration of sensitive configuration data from over 50 servers.

Credit: youtube.com, Risk Matrix

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) warned that threat actors were actively exploiting a critical vulnerability in several Fortinet devices, which was previously disclosed and patched in February 2024. This highlights the importance of timely patching and vulnerability management.

In June 2024, the Dutch Military Intelligence and Security Service (MIVD) advised that a China-linked threat actor leveraged another critical FortiOS RCE vulnerability, designated CVE-2022-42475. As a result, 20,000 FortiGate network security appliances were compromised with malware between 2022 and 2023.

The frequency of these vulnerabilities suggests that Fortinet's code review and proactive vulnerability discovery practices need improvement. This is unlikely to change unless the company implements significant changes.

Here are some notable vulnerabilities and their impact:

Mitigation

Field Effect's Security Intelligence professionals are constantly on the lookout for vulnerabilities in devices and software, including Fortinet-developed ones. They monitor the cyber threat landscape to stay ahead of potential issues.

If a vulnerable version of Fortinet software or device is detected in your environment, you'll receive an automatic notification from Field Effect MDR. This alert will encourage you to review the associated risk and operational (ARO) reports as soon as possible via the Field Effect Portal.

Field Effect strongly recommends restricting internet access to affected VPNs to trusted IP addresses. This will help prevent any potential security breaches.

Monitoring for suspicious activity is also crucial until a patch is released. This will help you identify and address any issues before they become major problems.

Explore further: Telegram Hacking Software

Ssl Vpn Vulnerabilities

Credit: youtube.com, Fortinet SSL VPN Under Attack: Brute-Force Attempts Surge Worldwide

Fortinet's SSL VPN implementation had its fair share of vulnerabilities. Two of them directly affected the FortiOS SSL VPN web portal, allowing potential security breaches.

CVE-2018-13379, also known as FG-IR-18-384, is a path traversal vulnerability that could allow an unauthenticated attacker to download files through specially crafted HTTP resource requests.

CVE-2018-13383, or FG-IR-18-388, is a heap buffer overflow vulnerability that could cause the SSL VPN web service to terminate for logged-in users and potentially allow remote code execution on FortiOS.

An authenticated user would need to visit a specifically crafted and proxied webpage to exploit this vulnerability.

In addition to these vulnerabilities, a "magic" string value was inadvertently bundled into the general FortiOS release, enabling an Improper Authorization vulnerability.

This vulnerability, CVE-2018-13382 (FG-IR-18-389), allowed an unauthenticated attacker to change the password of an SSL VPN web portal user using specially crafted HTTP requests.

Here are the affected vulnerabilities:

  • CVE-2018-13379 (FG-IR-18-384) - Path traversal vulnerability
  • CVE-2018-13383 (FG-IR-18-388) - Heap buffer overflow vulnerability
  • CVE-2018-13382 (FG-IR-18-389) - Improper Authorization vulnerability

Remediation and Prevention

Fortinet has released patches for the CVE-2018-13379, CVE-2018-13383, and CVE-2018-13382 vulnerabilities, which have been removed from the FortiOS code base.

Credit: youtube.com, CVE-2018-13382: Critical Vulnerability in Fortinet FortiOS SSL VPN

These patches have been released for all affected versions of FortiOS, and FortiGuard signatures have been deployed to monitor attack traffic worldwide.

FortiGuard Labs actively monitors attack activity and will provide additional updates when necessary.

Fortinet urges customers to implement all appropriate patch updates and signatures, with a firmware upgrade still the primary recommended solution.

Automated monitoring of the vulnerability landscape is done via web and mailing lists crawlers by FortiGuard Labs.

For your interest: Fortinet Fortiguard

Frequently Asked Questions

Is Fortinet VPN secure?

Fortinet Universal ZTNA provides robust security features, including ongoing verification and granular access control, to ensure secure access for users regardless of location

Is Fortinet removing SSL VPN?

Fortinet is removing support for SSL VPN tunnel mode to reduce the attack surface and encourage customers to transition to a more secure alternative. This change aims to mitigate security risks associated with SSL VPNs.

Francisco Parker

Assigning Editor

Francisco Parker is a seasoned Assigning Editor with a keen eye for compelling content. With a passion for storytelling, Francisco has spent years honing his skills in the journalism industry, where he has developed a keen sense of what readers want to know. Throughout his career, Francisco has assigned articles on a wide range of topics, including SEO Strategies, where he has helped readers navigate the ever-changing landscape of online search and optimization.

Love What You Read? Stay Updated!

Join our community for insights, tips, and more.