APT Actors Exploited FatPipe VPN Zero-Day Since May – FBI Flash Alert

Advanced persistent threat (APT) actors have been exploiting a zero-day bug in FatPipe VPN. According to a Federal Bureau of Investigation (FBI) Flash Alert, the APT actors have been exploiting the zero-day bug since at least May this year.

The FBI Flash Alert states that the bug allowed APT actors to elevate privileges on affected devices. The alert warned that vulnerable devices could be at risk of further exploitation.

“The vulnerability allowed APT actors to gain access to an unrestricted file upload function to drop a webshell for exploitation activity with root access, leading to elevated privileges and potential follow-on\ activity.”

The vulnerability is not currently being tracked by a CVE ID. FatPipe released a Security Advisory (FPSA006) outlining the vulnerability.

VPN Zero-Day Vulnerability Led to Further Exploits

The zero-day vulnerability affected devices using FatPipe WARP, MPVPN, and IPVPN products. FatPipe has now fixed the exploit in the latest software update, however, the FBI Flash Alert states APT actors have been exploiting the zero-day since May.

According to the FBI, the zero-day allowed threat actors to compromise systems running FatPipe MPVPN software. Actors used the exploit to drop webshells with root privileges on the systems. Once actors had elevated their privilege with root access, devices were open to further exploitation.

In a FatPipe security advisory, the company stated the vulnerability “could allow a remote attacker to upload a file to any location on the filesystem on an affected device.”

“The vulnerability is due to a lack of input and validation checking mechanisms for certain HTTP requests on an affected device. An attacker could exploit this vulnerability by sending a modified HTTP request to the affected device.”

FatPipe states in the advisory that there are no workarounds for the vulnerability, but that the exploit has been patched in recent software updates. In the flash alert, the FBI “strongly urges system administrators to upgrade their devices immediately and to follow other FatPipe security recommendations”

The FBI also recommended reporting any signs of lateral movement through compromised systems, or the presence of any webshell code on FatePipe appliances.