The Cybersecurity and Infrastructure Security Agency (CISA) has raised alarms about two critical vulnerabilities within Fortinet products, marking a significant concern for cybersecurity defenders nationwide. The advisories highlighted the urgency of addressing these vulnerabilities, particularly CVE-2024-21762, which affects FortiOS SSL VPN and is critical with a severity score of 9.6 out of 10. This vulnerability allows attackers to execute arbitrary code or commands.
Fortinet disclosed these vulnerabilities, urging users to upgrade to the latest versions to mitigate risks. In an unprecedented move, CISA mandated federal civilian agencies to patch the CVE-2024-21762 issue within a week, a timeline significantly shorter than the typical three-week window. Meanwhile, CVE-2024-23313, another vulnerability with a higher severity rating of 9.8, was also disclosed but is not believed to be actively exploited. These developments come amid reports of Chinese state-sponsored hackers exploiting Fortinet devices.
Why it matters: The disclosure and immediate action required in response to these vulnerabilities underscore the critical nature of cybersecurity in safeguarding national infrastructure and sensitive information.
- With CVE-2024-21762 receiving a 9.6 and CVE-2024-23313 a 9.8 out of 10 in severity scores, these vulnerabilities present a significant threat to the security of federal agencies and potentially private sector organizations utilizing Fortinet products.
- The vulnerabilities are particularly concerning due to their potential exploitation by nation-state actors, as evidenced by the Dutch Ministry of Defence’s report and the advisory about the Chinese hacker group Volt Typhoon.
- Given Fortinet’s widespread use among governments and critical infrastructure sectors, the exploitation of these vulnerabilities could have significant implications for national security and critical services.
Go Deeper -> CISA warns Fortinet zero-day vulnerability under attack – TechTarget
CISA warns of Fortinet bug likely being exploited in the wild – The Record