
Fortinet: APTs Exploiting FortiOS Vulnerabilities in Critical Infrastructure Attacks

Fortinet warns that Chinese and other APTs are exploiting CVE-2022-42475 and CVE-2023-27997 in attacks.

Fortinet warned organizations on Wednesday that APTs linked to China and other countries have been exploiting two known FortiOS vulnerabilities in attacks aimed at various sectors, including critical infrastructure.

One of the exploited vulnerabilities is CVE-2022-42475, which Fortinet patched in December 2022; at the time, the company warned that it was aware of in-the-wild exploitation. Chinese threat actors had exploited the flaw as a zero-day in attacks aimed at government and other types of organizations.

The second vulnerability described in Fortinet’s new warning is CVE-2023-27997, which came to light in June 2023, when the cybersecurity firm informed customers that it had been exploited as a zero-day in a limited number of attacks.

Fortinet noted on Wednesday that some customers have yet to patch the two FortiOS vulnerabilities, and that the company has observed several attacks and attack clusters, including ones aimed at the government, service provider, manufacturing, consultancy, and critical infrastructure sectors.

The company has shared technical details and indicators of compromise (IoCs) to help organizations detect and investigate attacks.

The collected evidence suggests that these attacks may have been conducted by the Chinese threat groups tracked as Volt Typhoon, APT15, and APT31.

Volt Typhoon is believed to have hacked into the networks of many organizations. In a new alert coinciding with Fortinet’s analysis, the US security agency CISA said the Chinese hackers are “pre-positioning themselves on IT networks to enable lateral movement to OT assets to disrupt functions.”

CISA also found “indications of Volt Typhoon actors maintaining access and footholds within some victim IT environments for at least five years.”


In addition to vulnerable Fortinet devices, Volt Typhoon has been known to target Cisco and Netgear products.

Fortinet also noted on Wednesday that some of the attacks exploiting the FortiOS vulnerabilities may have been conducted by UNC757, a threat actor previously linked to Iran.

Related: Fortinet Patches Critical Vulnerabilities in FortiSIEM

Related: Fortinet Patches High-Severity Vulnerabilities in FortiOS, FortiProxy, FortiWeb Products

Written by Eduard Kovacs (@EduardKovacs), managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.