Fortinet says hackers exploited critical vulnerability to infect VPN customers

A cake made to resemble FortiGate hardware.


An unknown threat actor abused a critical vulnerability in Fortinet’s FortiOS SSL-VPN to infect government and government-related organizations with advanced custom-made malware, the company said in an autopsy report on Wednesday.

Tracked as CVE-2022-42475, the vulnerability is a heap-based buffer overflow that allows hackers to remotely execute malicious code. It carries a severity rating of 9.8 out of a possible 10. A maker of network security software, Fortinet fixed the vulnerability in version 7.2.3 released on November 28 but failed to make any mention of the threat in the release notes it published at the time.

Mum’s the word

Fortinet didn’t disclose the vulnerability until December 12, when it warned that the vulnerability was under active exploit against at least one of its customers. The company urged customers to ensure they were running the patched version of the software and to search their networks for signs the vulnerability had been exploited. FortiOS SSL-VPNs are used mainly in border firewalls, which cordon off sensitive internal networks from the public Internet.

On Wednesday, Fortinet provided a more detailed account of the exploit activity and the threat actor behind it. The post, however, provided no explanation for the failure to disclose the vulnerability when it was fixed in November. A company spokesperson declined to answer questions sent by email about the failure or what the company’s policy is for disclosure of vulnerabilities.

“The complexity of the exploit suggests an advanced actor and that it is highly targeted at governmental or government-related targets,” Fortinet officials wrote in Wednesday’s update. They continued:

  • The exploit requires a deep understanding of FortiOS and the underlying hardware.
  • The use of custom implants shows that the actor has advanced capabilities, including reverse-engineering various parts of FortiOS.
  • The actor is highly targeted, with some hints of preferred governmental or government-related targets.
  • The discovered Windows sample attributed to the attacker displayed artifacts of having been compiled on a machine in the UTC+8 timezone, which includes Australia, China, Russia, Singapore, and other Eastern Asian countries.
  • The self-signed certificates created by the attackers were all created between 3 and 8 am UTC. However, it is difficult to draw any conclusions from this given hackers do not necessarily operate during office hours and will often operate during victim office hours to help obfuscate their activity with general network traffic.

An analysis Fortinet performed on one of the infected servers showed that the threat actor used the vulnerability to install a variant of a known Linux-based implant that had been customized to run on top of FortiOS. To remain undetected, the post-exploit malware disabled certain logging events once it was installed. The implant was installed at the path /data/lib/libips.bak. The file may be masquerading as part of Fortinet’s IPS Engine, located at /data/lib/ The file /data/lib/ was also present but had a file size of zero.


The company said additional malicious payloads used in the attacks couldn’t be retrieved.
