Craig Pepper
February 12, 2024

Threat Report 12.02.24

Critical Security Alert: FortiOS SSL VPN Vulnerability Exposed

Fortinet has recently announced a critical security flaw within its FortiOS SSL VPN technology, identified as CVE-2024-21762, which possesses a CVSS severity rating of 9.6. This vulnerability enables unauthorised code or command execution through specially crafted HTTP requests due to an out-of-bounds write issue (CWE-787), signalling a significant risk of active exploitation by malicious actors.

The flaw affects several versions of FortiOS, but notably, FortiOS 7.6 remains unaffected. Users of FortiOS versions 7.4 (from 7.4.0 to 7.4.2), 7.2 (from 7.2.0 to 7.2.6), 7.0 (from 7.0.0 to 7.0.13), 6.4 (from 6.4.0 to 6.4.14), 6.2 (from 6.2.0 to 6.2.15), and all versions of FortiOS 6.0 are urged to upgrade or migrate to secured releases immediately.

This vulnerability disclosure coincides with Fortinet's patches for additional security flaws (CVE-2024-23108 and CVE-2024-23109) in FortiSIEM supervisor, which similarly permit unauthorised command execution via manipulated API requests.

Recent events have highlighted the exploitation of Fortinet's vulnerabilities by state-sponsored actors and criminal groups, including a significant breach involving Chinese actors targeting Dutch military networks and the persistent cyber espionage activities of the Volt Typhoon group against critical infrastructure in the U.S. These incidents underscore the heightened risk to internet-facing devices, particularly those lacking comprehensive endpoint detection and response (EDR) capabilities.


Unauthorised Access and Data Breach: Exploitation of CVE-2024-21762 can lead to unauthorised access to sensitive data, potentially resulting in data breaches.

Malware Infection: Compromised systems may serve as entry points for malware, including backdoors and spyware, facilitating further exploitation.

Operational Disruption: Critical operations and services may be disrupted due to unauthorised command executions.

Reputational Damage: Security breaches can significantly damage the reputation of affected organisations, impacting customer trust and business continuity.


Immediate Patching: Urgently apply the recommended updates or migrate to secured releases to mitigate the vulnerability.

Enhanced Monitoring: Implement enhanced monitoring of network traffic and system logs for suspicious activities indicative of exploitation attempts.

Security Awareness: Educate staff on the importance of cybersecurity hygiene and the potential indicators of compromise.

Incident Response Plan: Ensure an updated and tested incident response plan is in place to quickly address any potential breaches.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has recognized the severity of CVE-2024-21762 by including it in its Known Exploited Vulnerabilities catalogue, mandating Federal Civilian Executive Branch (FCEB) agencies to secure their networks by February 16, 2024. This directive underscores the criticality of immediate action to safeguard against these vulnerabilities.

Critical Security Advisory: Ivanti Authentication Bypass Vulnerability Alert

Ivanti has issued a warning to its customers about a newly discovered high-severity vulnerability within its Connect Secure, Policy Secure, and ZTA gateway products. This flaw, identified as CVE-2024-22024 with a CVSS score of 8.3, poses a significant security risk by enabling attackers to bypass authentication mechanisms.

The vulnerability stems from an XML External Entity (XXE) issue in the SAML component of Ivanti Connect Secure (versions 9.x, 22.x), Ivanti Policy Secure (versions 9.x, 22.x), and ZTA gateways, potentially granting unauthorised access to restricted resources. Ivanti's advisory comes after an internal review highlighted this flaw amidst an investigation into several vulnerabilities identified since the beginning of the year, including CVE-2023-46805, CVE-2024-21887, CVE-2024-21888, and CVE-2024-21893.

Affected versions include:

Ivanti Connect Secure versions 9.1R14.4, 9.1R17.2, 9.1R18.3, 22.4R2.2, and 22.5R1.1

Ivanti Policy Secure version 22.5R1.1

ZTA version 22.6R1.3

Ivanti has released patches for these vulnerabilities in updated versions of the affected products, urging users to apply these fixes immediately to mitigate the risk of exploitation.


Unauthorised Access: The vulnerability may allow unauthorised parties to access sensitive information or restricted areas of the network, leading to potential data breaches.

Service Disruption: Exploitation of this flaw could disrupt services by overwhelming systems with malicious requests.

Exploitation of Other Vulnerabilities: The presence of this flaw could facilitate the exploitation of other vulnerabilities within the network, compounding the security risk.


Prompt Patching: Administrators should immediately apply the provided patches to vulnerable devices to close the security gap.

Regular Updates: Ensure that all security devices and software are regularly updated to protect against newly discovered vulnerabilities.

Enhanced Security Measures: Implement additional security layers, such as multi-factor authentication and network segmentation, to reduce the risk of unauthorised access.

Vigilant Monitoring: Monitor network activity for signs of unusual or unauthorised behaviour that may indicate an attempted or successful exploitation of this vulnerability.

Cybersecurity firm watchTowr disclosed CVE-2024-22024 to Ivanti in early February 2024, highlighting the flaw due to an incorrect fix for a previously identified vulnerability (CVE-2024-21893). The potential impacts of this flaw include denial of service (DoS), local file read access, and server-side request forgery (SSRF), depending on the available protocols and network configuration.

Although there is currently no evidence of active exploitation, the historical abuse of related vulnerabilities underscores the importance of swift action to apply the latest security patches. By taking proactive measures to update and secure their networks, users can significantly mitigate the risks posed by CVE-2024-22024 and protect their systems from potential compromise.

Security Incident Update: Detailed Insights on AnyDesk's Recent Cyber Attack

AnyDesk, the developer behind the widely-used remote access software, has recently revealed additional details regarding a cybersecurity breach that compromised its systems. The attack, which was first detected in mid-January, originated from unauthorised access in late December 2023, highlighting the sophisticated nature of the intrusion.

The forensic analysis conducted by AnyDesk has confirmed that the hackers were able to compromise production systems. However, there is reassuring news for users: there is no evidence to suggest that customer credentials were stolen or that compromised versions of the AnyDesk software were distributed to users. The company has thoroughly reviewed its codebase and confirmed the absence of any malicious modifications, and the non-distribution of any tainted software through its systems.

In response to the breach, AnyDesk is taking rigorous measures, including the revocation of code-signing and security-related certificates, followed by the distribution of software updates incorporating new certificates. Despite the low likelihood of user credential theft, AnyDesk is erring on the side of caution and has mandated a password reset for all customers to further safeguard their accounts.

The investigation identified that two European relay servers, which facilitate the transmission of credentials within the AnyDesk client, were compromised. This breach raised concerns over the theoretical risk of attackers rewriting AnyDesk's code to deceive users into using malicious software for credential theft. However, AnyDesk has confidently excluded the possibility of user session hijacking stemming from this incident, reinforcing the specific nature of the attack.

Clarifying further, AnyDesk confirmed that the incident was not related to a ransomware attack nor did it involve any extortion attempts. Additionally, reports circulating about user credentials being sold on the dark web have been clarified as unrelated to this breach. These credentials were identified as stolen directly from customer systems by information-stealing malware, not from AnyDesk's databases. The proactive step of initiating a forced password reset aims to mitigate risks for customers potentially affected by such malware, enhancing overall security.


Promptly Reset Passwords: Users should immediately follow the forced password reset initiated by AnyDesk to ensure account security.

Update Software: Ensure that AnyDesk software is updated to the latest version that includes the new security certificates.

Enhance Security Measures: Users are advised to implement additional security layers, such as two-factor authentication, to further protect their accounts.

Stay Informed: Follow updates from AnyDesk for any further recommendations or security advisories related to this incident.

Malware Protection: Regularly scan systems for malware, especially those known for stealing information, to prevent unauthorised access to sensitive information.

Read similar blogs