According to a joint report released by CISA, FBI, and U.S. Cyber Command (USCYBERCOM) on September 7, 2023, state-sponsored hacking groups have recently exploited critical vulnerabilities in Zoho and Fortinet software to penetrate U.S. aviation agencies. The hackers gained unauthorized access to the organization’s network by exploiting the disclosed Zoho application vulnerability (CVE-2022-47966) and the Fortinet vulnerability (CVE-2022-42475). While the attackers have not been definitively identified, USCYBERCOM indicated that this attack may be associated with an Iranian hacking group.

Exploiting Unpatched Fortinet Vulnerability CVE-2022-42475

Hacking groups primarily target devices with unpatched vulnerabilities among those exposed on the internet. One of the vulnerabilities exploited in the attack, CVE-2022-42475, is a heap-based buffer overflow vulnerability affecting various versions of Fortinet SSL-VPN. It allows for the remote execution of arbitrary code or commands, posing a severe threat. Exploiting this vulnerability allows attackers to penetrate deeper into the internal systems of corporations and organizations through hacked network infrastructure components.

After this vulnerability was detected, Fortinet officially announced security recommendations and patch versions. However, even after nine months since the patch released, numerous devices are still left unpatched and hackers continue to exploit this vulnerability. 

Criminal IP에 탐지된 노출된 포티넷 장치의 IP 주소. CVE-2022-42475 취약점을 포함한 58개 취약점이 발견됐다
The detected IP address of exposed Fortinet devices on Criminal IP: A total of 58 vulnerabilities were found, including CVE-2022-42475

Thousands of Fortinet SSL-VPN Devices Affected by CVE-2022-42475

The following is the search result of Fortinet SSL-VPN devices vulnerable to CVE-2022-42475 using the ‘cve_id’ filter within Criminal IP Asset SearchApproximately 3,000 devices with this vulnerability have been identified among the exposed Fortinet SSL-VPN devices.

Search Query: cve_id: CVE-2022-42475

The search result of Fortinet SSL-VPN devices vulnerable to CVE-2022-42475 using the ‘cve_id’ filter within Criminal IP Asset Search

Additionally, it has been confirmed that a total of 124 countries are using Fortinet SSL-VPN vulnerable to CVE-2022-42475. Among the results, the United States had the highest count with 466, followed by India with 232, and Taiwan with 166.

Statistics of countries using Fortinet SSL-VPN vulnerable to CVE-2022-42475 detected by Criminal IP

Recommendations for Unpatched Vulnerability

Below are the security check recommendations for CVE-2022-47966 and CVE-2022-42475 by CISA. Detailed guidance can be found in CISA’s report.

  • Manage vulnerabilities and configurations
  • Segment networks
  • Manage accounts, permissions, and workstations
  • Secure remote access software
  • Other best practice mitigation recommendations

Check out our article that discusses the patch delay issue with the Fortinet firewall vulnerability.

This report is based on data from Criminal IP, a Cyber Threat Intelligence search engine. 
Create a free Criminal IP account today to access the search results cited in the report and search for more extensive threat Intelligence.

Source: Criminal IP (https://www.criminalip.io/en)

Related Article(s): 

Critical Patch Delay CVE-2023-27997: Over 4.6K Vulnerable FortiGate Firewalls
[/fusion_text][/fusion_builder_column][/fusion_builder_row][/fusion_builder_container]