More than 133,000 Fortinet devices remain vulnerable to a critical bug revealed in February 2024 affecting its FortiGate product, an analysis shows.
Figures of shadow servant show that despite calls for customers to patch CVE-2024-21762 As revealed last month, hundreds of thousands of devices exposed to the public Internet remain vulnerable.
With a CVSS score of 9.6, the out-of-bounds write vulnerability affects the SSL VPN component for the FortiGate network device and may allow an attacker to execute arbitrary code or commands via a specially crafted HTTP request.
CVE-2024-21762 was one of a series of critical vulnerabilities affecting Fortinet products revealed in February during what was a particularly turbulent week for the security giant.
The number of Fortinet devices vulnerable to CVE-2024-21762 was 150,000 just ten days ago, on March 7, and the latest figures from Shadowserver show that while customers are applying patches, they are not doing so quickly enough .
Nearly 55,000 vulnerable devices were located in Asia, representing the bulk of those that can still be exploited via the flaw. North America and Europe were the other two regions with significant portions of vulnerable Fortinet devices: 35,000 and 28,000 respectively.
Fortinet has warned customers that simply disabling web mode within FortiOS and FortiProxy is not a valid workaround, and that organizations running affected versions should disable SSL VPN.
Fortinet has had a difficult 2024 so far
CVE-2024-21762 was at the forefront of a difficult week for the security company in February, which saw a series of critical vulnerabilities revealed along with a media storm related to IoT-enabled toothbrushes.
Fortinet first came under fire for a story that warned about the possibility of attackers using IoT-enabled toothbrushes injected with malware to form a 3 million-strong botnet that could be used to carry out DDoS attacks.
Although it was disputed by Fortinet, a war of words ensued between the company and the Swiss newspaper in which the initial claim was published, creating a public relations disaster for Fortinet that was not helped by the disclosure of three critical vulnerabilities, including CVE -2024-21762. .
Analysis of the Assetnote attack surface management platform noted Fortigate is widely deployed among organizations around the world and therefore a pre-authentication RCE vulnerability like CVE-2024-21762 could have significant consequences.
Assetnote researchers said they found little information in terms of indicators of compromise (IOC) for CVE-2024-21762, but suggested that keeping an eye out for any new Node.js processes could be beneficial considering this is not the first exploit of FortiGate that uses this technique.
The firm also added that this is far from a novel security vulnerability, as it is another example of a network device having serious memory corruption issues, noting that it is once again up to administrators to ensure they are enforcing mitigations where provided.
“As is often the case with these problems, the mitigations are known, what matters is whether they are applied or not”
