FBI: FatPipe VPN Zero-Day Exploited by APT for 6 Months

A threat actor has been exploiting a zero-day vulnerability in FatPipe’s virtual private network (VPN) devices as a way to breach companies and gain access to their internal networks, since at least May, the FBI has warned.

“As of November 2021, FBI forensic analysis indicated exploitation of a 0-day vulnerability in the FatPipe MPVPN device software going back to at least May 2021,” the bureau said in a flash alert (PDF) on Tuesday.

The bug — patched this week — is found in the device software for FatPipe’s WARP WAN redundancy product, its MPVPN router clustering device, and its IPVPN load-balancing and reliability device for VPNs. The products are all types of servers that are installed at network perimeters and used to give employees remote access to internal apps via the internet, serving as part network gateways, part firewalls.

According to the alert, the flaw allowed advanced persistent threat (APT) actors to exploit a file upload function in the device’s firmware to install a webshell with root access, which led to elevated privileges. Exploiting the vulnerability, which doesn’t yet have a CVE tracking number, gave the APT actors the ability to spread laterally into victims’ networks.

FatPipe is tracking the vulnerability with its own tag, FPSA006, which contains both the patch and a security advisory that it put out on Tuesday. The vulnerability affects all FatPipe WARP, MPVPN and IPVPN device software prior to the latest version releases: 10.1.2r60p93 and…