Tens of thousands of IPs vulnerable to Fortinet flaw dubbed ‘must patch’ by feds

The Shadowserver Foundation put the figure at around 87,000 for a vulnerability rated as critical and first discovered in February.

Around 87,000 IPs are likely susceptible to a Fortinet vulnerability that the Cybersecurity and Infrastructure Security Agency put on its “must patch” list last week because attackers are actively exploiting it, according to data from the nonprofit Shadowserver Foundation.

The number was at 87,930 on Saturday before dropping slightly to 86,602 on Sunday.

CISA placed the critical remote code execution vulnerability on its Known Exploited Vulnerability list, sometimes dubbed the “must patch” list because federal agencies are required to implement fixes and because the vulnerabilities on it have been exploited in real attacks rather than only in theory. For the Fortinet vulnerability, rated 9.8 on the vulnerability scale, CISA on Wednesday gave agencies until Oct. 30.

Fortinet released a fix for the flaw, which it discovered itself internally, back in February. But it noted that it “should be used as a mitigation and not as a complete workaround” because it would “reduce the attack surface but it won’t prevent the vulnerability from being exploited from this IP.”

According to the Shadowserver Foundation, the largest number of likely vulnerable IPs as of Sunday was in Asia (37,778), followed by North America (21,262) and Europe (16,381).

CISA said it was unknown if the vulnerability was being used in ransomware attacks.

In June, the Dutch Military Intelligence and Security Service warned that a different Fortinet vulnerability had been exploited in a Chinese cyber espionage campaign that was “much larger than previously known.”