The Federal Bureau of Investigation (FBI) has issued a report of advanced persistent threat (APT) actors exploiting 0-day FatPipe MPVPN networking devices since at least May of 2021.
The FBI summarized the threat in the new FBI Flash alert:
The vulnerability allowed APT actors to gain access to an unrestricted file upload function to drop a webshell for exploitation activity with root access, leading to elevated privileges and potential follow-onFBI
activity. Exploitation of this vulnerability then served as a jumping off point into other infrastructure for the APT actors.
Although no CVEs were yet published, FatPipe released a security patch and advisory (FPSA006) on November 16, 2021 that fixes the vulnerability.
All FatPipe WARP, MPVPN, and IPVPN device software prior to versions 10.1.2r60p93 and 10.2.2r44p1 are vulnerable to the vulnerability.