The FBI has issued a warning regarding a 0-day vulnerability in the FatPipe MPVPN software that attackers have exploited for at least six months, allowing APT actors to access various systems.
0-day vulnerabilities are usually extremely valuable, and attackers make the most of them as quickly as possible, knowing full well that developers will close them when they find out. A subset of 0-day vulnerabilities, however, remains hidden for a very long time, letting threat actors infect multiple systems, remain embedded in compromised networks, and continue their activity unimpeded.
“FBI forensic analysis indicated exploitation of a 0-day vulnerability in the FatPipe MPVPN device software going back to at least May 2021,” said the FBI. “The vulnerability allowed APT actors to gain access to an unrestricted file upload function to drop a webshell for exploitation activity with root access, leading to elevated privileges and potential follow-on activity. Exploitation of this vulnerability then served as a jumping off point into other infrastructure for the APT actors.”
“This vulnerability is not yet identified with a CVE number but can be located with the FatPipe Security Advisory number FPSA006. The vulnerability affects all FatPipe WARP®, MPVPN, and IPVPN® device software prior to the latest version releases 10.1.2r60p93 and 10.2.2r44p1,” the FBI added.
The FBI didn’t identify the threat actor. It did say that the attackers used SSH access to route malicious traffic through the device and target additional US infrastructure. In most cases, the hackers were careful to clean up after the breach so they could return as needed while keeping the 0-day vulnerability hidden.
Even though there’s no CVE yet, FatPipe released a patch that fixes the vulnerability. All FatPipe WARP, MPVPN, and IPVPN device software versions prior to releases 10.1.2r60p93 and 10.2.2r44p1 are vulnerable, and no mitigation is available other than applying the patch. The FBI urges all administrators to quickly upgrade affected systems and to disable UI and SSH access from the WAN interface when not in use.
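For triaging a device inventory against the two fixed releases named above, the following added example (not FBI or FatPipe code) classifies reported version strings. It assumes the `A.B.CrNpM` format seen in those release names orders numerically field by field and that each fix belongs to its own 10.1 or 10.2 release line; the hostnames and sample versions are constructed.

```python
import re

# Fixed releases named in the FBI text, keyed by (major, minor) release line.
# Assumption: each fix applies to its own major.minor line.
FIXED = {(10, 1): (10, 1, 2, 60, 93), (10, 2): (10, 2, 2, 44, 1)}
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)r(\d+)p(\d+)$")


def parse_version(text):
    """Parse 'A.B.CrNpM' into a tuple of ints; return None if it does not match."""
    m = VERSION_RE.match(text.strip())
    return tuple(int(g) for g in m.groups()) if m else None


def classify(text):
    """Return 'affected', 'fixed' or 'unknown' for one reported version string."""
    v = parse_version(text)
    if v is None:
        return "unknown"      # never guess on a string that does not parse
    line = v[:2]
    if line in FIXED:
        return "fixed" if v >= FIXED[line] else "affected"
    if line < min(FIXED):
        return "affected"     # older than every fixed release
    return "unknown"          # newer line: not covered by the text above


def triage(inventory):
    """Map hostname -> status for a dict of hostname -> version string."""
    return {host: classify(ver) for host, ver in inventory.items()}


# Constructed inventory: hostnames and versions are sample data.
SAMPLE = {
    "edge-a": "10.1.2r60p92",
    "edge-b": "10.1.2r60p93",
    "edge-c": "10.2.2r44p1",
    "edge-d": "10.2.2r43p9",
    "edge-e": "9.0.1r10p2",
    "edge-f": "10.2.2r44",
}

if __name__ == "__main__":
    for host, status in sorted(triage(SAMPLE).items()):
        print(f"{host}\t{SAMPLE[host]}\t{status}")
```

Devices reported as `unknown` need a manual check against the vendor advisory rather than being treated as patched.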