Fortinet Publishes Active Exploitation Blog - 20250411001
Overview
Fortinet have published a blog post on the discovery of active post-exploitation techniques used by threat actors, in order to highlight the targeting of known, unpatched vulnerabilities.
Fortinet have noted that this specific finding is the result of a threat actor taking advantage of a known vulnerability, using a new technique to maintain read-only access to vulnerable FortiGate devices after the original access vector was locked down.
What is vulnerable?
Product(s)
Product(s) Affected | Version(s) |
---|---|
FortiOS | 7.6 prior to 7.6.2; 7.4 prior to 7.4.7; 7.2 prior to 7.2.11; 7.0 prior to 7.0.17; All other versions prior to 6.4.16 |
CVE(s)
CVE | CVSS | Vendor article | WA SOC Advisory |
---|---|---|---|
CVE-2022-42475 | 9.3 | FG-IR-22-398 | 20221213001 |
CVE-2023-27997 | 9.2 | FG-IR-23-097 | 20230612001 |
CVE-2024-21762 | 9.6 | FG-IR-24-015 | 20240311002 |
What has been observed?
CISA added this vulnerability to their Known Exploited Vulnerabilities catalog. The WA SOC has not received any reports of exploitation of this vulnerability on Western Australian Government networks at the time of writing.
Recommendation
The WA SOC recommends administrators apply the solutions as per vendor instructions to all affected devices within expected timeframes (refer to Patch Management):
- Fortinet PSIRT Blog: https://www.fortinet.com/blog/psirt-blogs/analysis-of-threat-actor-activity