This is new information about previous exploitation of vulnerabilities in Fortinet FortiOS products: (CVE-2022-42474, CVE-2023-27997 and CVE-2024-21762).
Widespread exploitation has been identified dating back to as early as 2023, where a threat actor has been able to compromise vulnerable devices and maintain persistence even after patches were applied.
The compromise may have allowed the actor to access sensitive files from compromised devices including credentials and key material.
What’s happening
Systems affected
FortiOS products that had SSL-VPN functionality exposed during time of compromise (exploitation dates back to as early as 2023).
What this means
Threat actor has been able to compromise vulnerable devices and maintain persistence. The compromise may have allowed the actor to access sensitive files from compromised devices including credentials and key material.
What to look for
How to tell if you’re at risk
If you are using FortiOS products that had SSL-VPN functionality exposed during time of compromise (exploitation dates back to as early as 2023).
What to do
Prevention
Upgrade all devices to 7.6.2, 7.4.7, 7.2.11 & 7.0.17 or 6.4.16.
Review the configuration of all devices.
Treat all configuration as potentially compromised and follow the recommended steps below to recover: Technical Tip: Recommended steps to execute in cas… – Fortinet Community External Link
In addition to this, please refer to the vendor advisory for further information about the exploitation: Analysis of Threat Actor Activity | Fortinet Blog External Link .
More information
CVE