FatPipe releases bulletin for its actively exploited VPN zero-day

What you need to know:
According to the Federal Bureau of Investigation (FBI), exploitation of a zero-day vulnerability in the FatPipe MPVPN device software dates back to at least May 2021. The flaw allowed APT actors to access an unrestricted file upload function and drop a web shell for exploitation activity with root access, leading to elevated privileges.

What’s affected:
WARP, MPVPN, IPVPN

Versions of 10.1.2 and 10.2.2 prior to the fixed releases

Actions to be taken:
There are no workarounds that address this vulnerability. To mitigate the vulnerability, administrators are advised to disable UI access on all the WAN interfaces or configure access lists on the interface page to allow access only from trusted sources.

Versions 10.1.2r60p91 or later and 10.2.2r42 or later are fixed.
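
To check a device inventory against the fixed releases named above, the following is an added example, not code from FatPipe or the FBI. It assumes the version string layout `<branch>r<release>p<patch>` with the release number compared before the patch number; the host names and sample versions are constructed.

```python
import re

# Fixed builds taken from the bulletin: branch -> (release, patch).
FIXED = {"10.1.2": (60, 91), "10.2.2": (42, 0)}

# Assumed layout (not vendor-documented here): <branch>r<release>[p<patch>]
_VERSION = re.compile(r"^(\d+\.\d+\.\d+)(?:r(\d+))?(?:p(\d+))?$")


def triage(version: str) -> str:
    """Classify one version string as fixed, affected, not-listed or unparsed."""
    m = _VERSION.match(version.strip())
    if not m:
        return "unparsed"  # needs manual review
    branch = m.group(1)
    # A missing r/p suffix counts as 0, so incomplete strings are flagged
    # conservatively as affected rather than silently passed.
    build = (int(m.group(2) or 0), int(m.group(3) or 0))
    if branch not in FIXED:
        return "not-listed"  # the bulletin only names 10.1.2 and 10.2.2
    return "fixed" if build >= FIXED[branch] else "affected"


def triage_inventory(inventory: dict) -> dict:
    """Map each host to its triage result."""
    return {host: triage(ver) for host, ver in inventory.items()}


# Constructed sample inventory (hypothetical hosts and versions).
SAMPLE = {
    "edge-a": "10.1.2r60p91",
    "edge-b": "10.1.2r60p45",
    "edge-c": "10.2.2r41p9",
    "edge-d": "10.2.2r42",
    "edge-e": "10.3.1r5",
    "edge-f": "unknown",
}

if __name__ == "__main__":
    for host, status in triage_inventory(SAMPLE).items():
        print(f"{host:8} {SAMPLE[host]:14} {status}")
```

Hosts reported as `affected`, `not-listed` or `unparsed` are the ones to review by hand and, until upgraded, to cover with the UI access restrictions described above.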

Sources:
https://www.fatpipeinc.com/support/cve-list.php

Further reading:
https://www.ic3.gov/Media/News/2021/211117-2.pdf