Last updated at Mon, 12 Feb 2024 13:24:05 GMT

On February 8, 2024 Fortinet disclosed multiple critical vulnerabilities affecting FortiOS, the operating system that runs on Fortigate SSL VPNs. The critical vulnerabilities include CVE-2024-21762, an out-of-bounds write vulnerability in SSLVPNd that could allow remote unauthenticated attackers to execute arbitrary code or commands on Fortinet SSL VPNs via specially crafted HTTP requests.

According to Fortinet’s advisory for CVE-2024-21762, the vulnerability is “potentially being exploited in the wild.” The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2024-21762 to their Known Exploited Vulnerabilities (KEV) list as of February 9, 2024, confirming that exploitation has occurred.

Zero-day vulnerabilities in Fortinet SSL VPNs have a history of being targeted by state-sponsored and other highly motivated threat actors. Other recent Fortinet SSL VPN vulnerabilities (e.g., CVE-2022-42475, CVE-2022-41328, and CVE-2023-27997) have been exploited by adversaries as both zero-day and as n-day following public disclosure.

Affected products

FortiOS versions vulnerable to CVE-2024-21762 include:

  • FortiOS 7.4.0 through 7.4.2

  • FortiOS 7.2.0 through 7.2.6

  • FortiOS 7.0.0 through 7.0.13

  • FortiOS 6.4.0 through 6.4.14

  • FortiOS 6.2.0 through 6.2.15

  • FortiOS 6.0 all versions

  • FortiProxy 7.4.0 through 7.4.2

  • FortiProxy 7.2.0 through 7.2.8

  • FortiProxy 7.0.0 through 7.0.14

  • FortiProxy 2.0.0 through 2.0.13

  • FortiProxy 1.2 all versions

  • FortiProxy 1.1 all versions

  • FortiProxy 1.0 all versions

Note: Fortinet’s advisory did not originally list FortiProxy as being vulnerable to this issue, but the bulletin was updated after publication to add affected FortiProxy versions.

Mitigation guidance

According to the Fortinet advisory, the following fixed versions remediate CVE-2024-21762:

  • FortiOS 7.4.3 or above

  • FortiOS 7.2.7 or above

  • FortiOS 7.0.14 or above

  • FortiOS 6.4.15 or above

  • FortiOS 6.2.16 or above

  • FortiOS 6.0 customers should migrate to a fixed release

  • FortiProxy 7.4.3 or above

  • FortiProxy 7.2.9 or above

  • FortiProxy 7.0.15 or above

  • FortiProxy 2.0.14 or above

  • FortiProxy 1.2, 1.1, and 1.0 customers should migrate to a fixed release

As a workaround, the advisory instructs customers to disable the SSL VPN with the added context that disabling the webmode is not a valid workaround. For more information and the latest updates, please refer to Fortinet’s advisory.

Rapid7 customers

InsightVM and Nexpose customers can assess their exposure to FortiOS CVE-2024-21762 with a vulnerability check available in the Friday, February 9 content release.