An advanced persistent threat (APT) group has been actively exploiting a zero-day flaw in FatPipe’s software that powers its virtual private networking (VPN) devices, the FBI has warned.
While the FBI hasn’t shared details about the attackers, its cybersecurity sleuths have discovered that the group has been using the flaw since at least May 2021.
“The vulnerability allowed APT actors to gain access to an unrestricted file upload function to drop a webshell for exploitation activity with root access, leading to elevated privileges and potential follow-on activity,” notes the FBI in its advisory.
TechRadar needs you!
We’re looking at how our readers use VPNs with streaming sites like Netflix so we can improve our content and offer better advice. This survey won’t take more than 60 seconds of your time, and we’d hugely appreciate if you’d share your experiences with us.
>> Click here to start the survey in a new window
Interestingly, analysis of the group’s activity has shown that the threat actors took various steps to cover evidence of their break-in, including wiping their session activity to avoid detection.
Patch now
According to the FBI, the bug hasn’t yet been assigned a CVE number, but has been fixed by FatPipe.
Explaining the bug in its own advisory, FatPipe notes that it exists in the software’s web management interface.
“The vulnerability is due to a lack of input and validation checking mechanisms for certain HTTP requests on an affected device. An attacker could exploit this vulnerability by sending a modified HTTP request to the affected device,” explains FatPipe.
The vulnerability affects all FatPipe WARP, MPVPN, and IPVPN device software prior to the latest version releases, 10.1.2r60p93 and 10.2.2r44p1. Since there aren’t any known workarounds to the bug, both the FBI and FatPipe urge users to upgrade to the latest patched release without delay.
If you are concerned about online privacy, use one of the best business VPN services