FortiGate Zero-Day Vulnerability - CVE-2022-42475

THE THREAT

eSentire is aware of reports of attacks in the wild exploiting the Fortinet FortiOS SSL-VPN vulnerability CVE-2022-42475 (CVSS: 9.3).

FortiGate Labs disclosed the vulnerability on December 12th. It is tracked as a remote execution of unauthorized code or commands vulnerability. Exploitation could allow a threat actor to gain initial access to victim organizations and spread laterally within the network.

While Fortinet has confirmed attacks in the wild, there is currently no public release of Proof-of-Concept (PoC) exploit code. However, upon release, the eSentire Threat Intelligence assesses with high confidence that it is expected to increase attacks in the immediate future. All organizations using Fortinet SSL-VPN are strongly recommended to apply the relevant security patches immediately to reduce the likelihood of exploitation.

What we’re doing about it

• eSentire Managed Vulnerability Service (MVS) has plugins in place to identify this vulnerability
• The eSentire Threat Response Unit (TRU) has performed threat hunts across the eSentire client base for known signs of exploitation
• eSentire MDR for Log detections have been created and will be deployed shortly
• The eSentire Threat Intelligence team is tracking this vulnerability for additional details and detection opportunities

What you should do about it

• After performing a business impact review, apply the relevant security patches
• Fortinet has released Indicators of Compromise (IoCs) that may be checked to validate if an attack, using known indicators, exploiting the vulnerability has occurred

Additional information

CVE-2022-42475 was initially patched for Fortinet in November 2022, although the vulnerability was not disclosed at the time. Fortinet only released information on the vulnerability after a French cybersecurity company publicly identified it on December 9th. Details on real-world exploitation have not been made public at this time.

eSentire has recently observed threat actors selling and buying compromised Fortinet devices in the darkweb markets. Sales of compromised Fortinet devices by hackers ranged from individual organizations to bulk purchases. At this time, it is unclear what vulnerability hackers are exploiting to gain access to these devices. It is possible the increase in darkweb marketplace offerings is related to CVE-2022-42475 exploitation or the October Fortinet authentication bypass vulnerability CVE-2022-40684.

Confirmed Vulnerable Products:

• FortiOS version 7.2.0 through 7.2.2
• FortiOS version 7.0.0 through 7.0.8
• FortiOS version 6.4.0 through 6.4.10
• FortiOS version 6.2.0 through 6.2.11
• FortiOS version 6.0.0 through 6.0.15
• FortiOS version 5.6.0 through 5.6.14
• FortiOS version 5.4.0 through 5.4.13
• FortiOS version 5.2.0 through 5.2.15
• FortiOS version 5.0.0 through 5.0.14
• FortiOS-6K7K version 7.0.0 through 7.0.7
• FortiOS-6K7K version 6.4.0 through 6.4.9
• FortiOS-6K7K version 6.2.0 through 6.2.11
• FortiOS-6K7K version 6.0.0 through 6.0.14

References:

[1] https://www.fortiguard.com/psirt/FG-IR-22-398
[2] https://olympecyberdefense.fr/vpn-ssl-fortigate/
[3] https://www.esentire.com/security-advisories/actively-exploited-fortinet-authentication-bypass-vulnerability-cve-2022-40684