Friday 19 November 2021
The impact of this issue is critical. Please act as stated below to rectify it.
What you need to know:
According to the Federal Bureau of Investigation (FBI), exploitation of a zero-day vulnerability in FatPipe MPVPN device software dates back to at least May 2021. The security flaw allowed APT actors to gain access to an unrestricted file upload function and drop a web shell for exploitation activity with root access, leading to elevated privileges.
Affected products: WARP, MPVPN, IPVPN
Affected versions: 10.1.2 and 10.2.2 releases prior to the fixed versions listed below
Actions to be taken:
There are no workarounds that address this vulnerability. To mitigate the vulnerability, administrators are advised to disable UI access on all the WAN interfaces or configure access lists on the interface page to allow access only from trusted sources.
Versions 10.1.2r60p91 or later and 10.2.2r42 or later are fixed.
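To triage a device inventory against the fixed versions above, the following added example (not FatPipe or FBI code) classifies version strings. It assumes the layout `<branch>r<release>[p<patch>]` with numeric ordering of release and patch; the hostnames and sample versions are constructed.

```python
import re

# Fixed releases stated in this advisory, keyed by release branch.
FIXED = {"10.1.2": (60, 91), "10.2.2": (42, 0)}

# Assumed version layout: <branch>r<release>[p<patch>], e.g. "10.1.2r60p91".
VERSION_RE = re.compile(r"^(\d+\.\d+\.\d+)r(\d+)(?:p(\d+))?$")


def parse_version(text):
    """Return (branch, (release, patch)) or raise ValueError."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    branch, release, patch = m.group(1), int(m.group(2)), int(m.group(3) or 0)
    return branch, (release, patch)


def classify(text):
    """Classify a version as 'fixed', 'vulnerable' or 'unknown'."""
    try:
        branch, build = parse_version(text)
    except ValueError:
        return "unknown"
    if branch not in FIXED:
        # The advisory lists only the 10.1.2 and 10.2.2 branches.
        return "unknown"
    return "fixed" if build >= FIXED[branch] else "vulnerable"


def triage(inventory):
    """Map each (hostname, version) pair to its classification."""
    return {host: classify(version) for host, version in inventory}


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = [
    ("edge-01", "10.1.2r60p91"),
    ("edge-02", "10.1.2r60p82"),
    ("edge-03", "10.2.2r38"),
    ("edge-04", "10.2.2r44p1"),
    ("edge-05", "9.1.2r161p26"),
    ("edge-06", "n/a"),
]

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```

Devices reported as `unknown` fall outside the branches this advisory lists and need to be checked with the vendor.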