Fortinet released an emergency patch on Monday to address a critical vulnerability in its FortiOS SSL-VPN product, cautioning that the flaw has already been actively exploited by hackers.
According to a critical-level advisory from Fortinet, the bug is a memory corruption flaw that lets a “remote unauthenticated attacker” run malicious code or issue commands on a target system. Specifically, the company described it as a heap-based buffer overflow [CWE-122] in FortiOS SSL-VPN that could allow a remote, unauthenticated attacker to execute arbitrary code or commands through carefully constructed requests.
Fortinet's warning that the vulnerability has already been exploited in the wild underscores the urgency of applying the patch.