Cyber Security Alert: CVEs affecting Fortinet FortiOS products

The NCSC would like to draw your attention to new information about previous exploitation of vulnerabilities in Fortinet FortiOS products: CVE-2022-42474, CVE-2023-27997 and CVE-2024-21762.

Widespread exploitation dating back to as early as 2023 has been identified, in which a threat actor was able to compromise vulnerable devices and maintain persistence even after patches were applied. The compromise may have allowed the actor to access sensitive files on compromised devices, including credentials and key material.

We recommend that organisations which may have had SSL-VPN functionality exposed during this time assume compromise and reset all credentials associated with these devices to reduce the risk of unauthorised access to their networks.

The NCSC recommends organisations that use the affected products review the vendor advisory for further information about this exploitation. In addition, the NCSC recommends organisations:

  • Reset all credentials associated with the devices including user accounts, LDAP bind credentials and pre-shared keys,
  • Apply the latest updates to remove the malicious file,
  • Review logging for any evidence of unauthorised SSL VPN access,
  • Review configurations for any unauthorised changes,
  • Enable automatic updates (OS and AV/IPS),
  • Disable SSL-VPN functionality if not required, or limit access to trusted IP ranges to reduce the attack surface,
  • Disable administrative access to any external (Internet-facing) interface,
  • Review network logging for known indicators of compromise.
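
As an added illustration of the log review and trusted-range steps above (not part of the NCSC alert or the vendor advisory), the following script lists SSL VPN events whose source address falls outside an organisation's trusted ranges. The key=value line layout, the field names (`subtype`, `action`, `user`, `remip`), the sample lines and the trusted range are all constructed assumptions and must be adjusted to match the logs actually exported from the device.

```python
import ipaddress
import re

# Assumption: the organisation's trusted remote-access ranges (documentation addresses).
TRUSTED_RANGES = [ipaddress.ip_network("203.0.113.0/24")]

# Constructed sample lines; layout and field names are assumptions, not vendor output.
SAMPLE_LOG = '''\
date=2024-03-01 time=02:14:07 type="event" subtype="vpn" action="tunnel-up" user="alice" remip=203.0.113.25
date=2024-03-01 time=02:20:31 type="event" subtype="vpn" action="ssl-login-fail" user="svc-ldap" remip=198.51.100.77
date=2024-03-01 time=02:21:02 type="event" subtype="vpn" action="tunnel-up" user="svc-ldap" remip=198.51.100.77
date=2024-03-01 time=03:00:00 type="event" subtype="system" action="login" user="admin" srcip=192.0.2.10
'''

FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def parse_line(line):
    """Turn one key=value log line into a dict, stripping surrounding quotes."""
    return {key: (inner if raw.startswith('"') else raw)
            for key, raw, inner in FIELD_RE.findall(line)}


def is_trusted(ip_text):
    """True only if the address parses and sits inside a trusted range."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False  # unparseable address: treat as untrusted so it gets reviewed
    return any(ip in net for net in TRUSTED_RANGES)


def review(log_text):
    """Return (date, time, action, user, remip) for VPN events from untrusted sources."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec.get("subtype") != "vpn" or "remip" not in rec:
            continue  # not an SSL VPN event with a remote address
        if not is_trusted(rec["remip"]):
            findings.append((rec.get("date"), rec.get("time"),
                             rec.get("action"), rec.get("user"), rec["remip"]))
    return findings


if __name__ == "__main__":
    for finding in review(SAMPLE_LOG):
        print(*finding)
```

A successful tunnel from an untrusted address, particularly for a service account such as an LDAP bind user, is the kind of entry to prioritise when deciding which credentials were exposed.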
