cyber daily logo

Breaking news and updates daily. Subscribe to our Newsletter

Breaking news and updates daily. Subscribe to our Newsletter X facebook linkedin Instagram Instagram

ACSC issues urgent alert over Fortinet VPN vulnerability

The Australian Cyber Security Centre has issued an alert regarding a vulnerability discovered in Fortinet’s FortiOS VPN.

user icon Daniel Croft
Tue, 13 Dec 2022
ACSC issues urgent alert over Fortinet VPN vulnerability
expand image

The ACSC explained that the FortiOS SSL-VPN is used by organisations to allow users to remotely access a company network, including instances where staff are working from home.

Fortinet reported that a heap-based buffer overflow vulnerability that was found in multiple versions of the VPN could be exploited by a bad actor to gain control and execute unauthorised actions or crash the service company wide.

“A heap-based buffer overflow vulnerability [CWE-122] in FortiOS SSL-VPN may allow a remote unauthenticated attacker to execute arbitrary code or commands via specifically crafted requests,” Fortinet reported.

While the ACSC has said that it is not aware of any instances in which Australian organisations had been impacted by the exploitation of the vulnerability, Fortinet has said that it has been used by bad actors in the wild.

Fortinet’s product security incident response team (PSIRT) has given the vulnerability a CVSS score of 9.3 out of 10, while the ACSC has released the warning as a “high alert”.

Fortinet released an emergency patch to cover the issue on Monday, which the ACSC has advised businesses to apply “immediately and investigate for signs of compromise”.

The ACSC has said it is currently monitoring the situation and advises those affected to contact them on 1300 292 371. In addition, the Fortinet PSIRT advisory can be found here.

Daniel Croft

Daniel Croft

Born in the heart of Western Sydney, Daniel Croft is a passionate journalist with an understanding for and experience writing in the technology space. Having studied at Macquarie University, he joined Momentum Media in 2022, writing across a number of publications including Australian Aviation, Cyber Security Connect and Defence Connect. Outside of writing, Daniel has a keen interest in music, and spends his time playing in bands around Sydney.

cyber daily subscribe
Be the first to hear the latest developments in the cyber industry.