Thousands of Fortinet instances vulnerable to actively exploited flaw

More than 86,000 Fortinet instances remain vulnerable to the critical flaw that attackers started exploiting last week, according to Shadowserver's data.

The most recent count taken from Sunday put the number of IPs vulnerable to the bug at 86,602 – a slight decrease from 87,930 the day before.

The internet security biz's data showed the majority of those appliances are located in Asia (38,778), followed, though not closely, by North America (21,262) and Europe (16,381).

CVE-2024-23113 was first disclosed in February, but the bad guys had been too busy experimenting with other critical bugs that were fixed around the same time.

For reasons unknown, the vulnerability has only recently caught the attention of attackers. The US's Cybersecurity and Infrastructure Security Agency (CISA) broke the news it was being actively exploited last week by adding it to the Known Exploited Vulnerabilities (KEV) catalog.

Security flaws are only added to the KEV catalog when the agency knows that a vulnerability is both being actively exploited and poses a serious threat to the security of federal civilian executive branch (FCEB) agencies.

• CISA adds fresh Ivanti vuln, critical Fortinet bug to hall of shame
• Fortinet admits miscreant got hold of customer data in the cloud
• China's FortiGate attacks more extensive than first thought
• More than 133,000 Fortinet appliances still vulnerable to month-old critical bug

These agencies received the usual 21-day window in which to address the vulnerability. That means they either have to upgrade to a safe version, or disconnect the affected appliance until a fix can be applied.

The status of whether the vulnerability is being used in ransomware attacks remains "unknown," as it was last week.

Carrying a CVSS v3 severity rating of 9.8, the remote code execution vulnerability is about as serious as they come. The assessment of CVE-2024-23113 concluded any successful exploit would have a high impact on data confidentiality, system integrity, and service availability, and required no privileges or user interaction to pull it off.

Affecting various versions of FortiOS, FortiPAM, FortiProxy, and FortiWeb, admins are advised to upgrade to unaffected releases or implement the mitigations outlined in Fortinet's advisory.

The mitigation involves removing the fgfm daemon access for every vulnerable interface, although this will prevent FortiManager from discovering FortiGate devices. ®