The U.S. Federal Bureau of Investigation (FBI) has disclosed that an unidentified threat actor has been exploiting a previously unknown weakness in the FatPipe MPVPN networking devices at least since May 2021 to obtain an initial foothold and maintain persistent access into vulnerable networks, making it the latest company to join the likes of Cisco, Fortinet, Citrix, Pulse Secure that have had their systems exploited in the wild.
“The vulnerability allowed APT actors to gain access to an unrestricted file upload function to drop a web shell for exploitation activity with root access, leading to elevated privileges and potential follow-on activity,” the agency said in an alert published this week. “Exploitation of this vulnerability then served as a jumping off point into other infrastructure for the APT actors.”
In other words, the zero-day vulnerability enables a remote attacker to upload a file to any location on the filesystem on an affected device. The security flaw impacts the web management interface of FatPipe WARP, MPVPN, and IPVPN router clustering and VPN load-balancing devices running software prior to the latest version releases 10.1.2r60p93 and 10.2.2r44p1.
The FBI, in its flash alert, noted that the threat actor leveraged the web shell to move laterally and strike additional U.S. infrastructure by setting up a malicious SSH service, following it up with a number of steps designed to hide the intrusions and protect their exploit until it’s needed again.
In an independent bulletin (FPSA006), FatPipe said that the bug stems from a lack of input validation mechanism for specific HTTP requests, thus enabling an attacker to exploit the issue by sending a specially crafted HTTP request to the affected device. While there are no workarounds that address the flaw, the company said it can be mitigated by disabling UI and SSH access on the WAN interface or configuring Access Lists to permit access only from trusted sources.