← All Posts

CVE-2024-21762: Critical Fortinet FortiOS Out-of-Bounds Write Under Active Exploitation by Ransomware Operators

What Is Happening

A critical out-of-bounds write vulnerability in Fortinet FortiOS and FortiProxy is being actively exploited in the wild. CVE-2024-21762 allows unauthenticated remote attackers to execute arbitrary code on affected devices by sending specially crafted HTTP requests to the SSL VPN component. No user interaction or authentication is required, making this vulnerability trivial to exploit at scale.

This vulnerability was added to CISA's Known Exploited Vulnerabilities (KEV) catalog on February 9, 2024, confirming active exploitation. More concerning, this CVE has confirmed associations with ransomware operations. Threat actors are targeting internet-facing Fortinet devices as initial access vectors, a pattern consistent with previous Fortinet vulnerabilities that have been weaponized by groups deploying ransomware and conducting espionage campaigns.

The scope of exposure is significant. FortiGate firewalls running FortiOS are deployed globally as perimeter security devices, and the affected version range spans multiple major releases going back several years. Organizations running any vulnerable version with SSL VPN enabled are at immediate risk. The CVSS score of 9.8 reflects the severity: network-accessible, no authentication required, and full system compromise possible.

Affected Versions

ProductAffected VersionsFixed Version
FortiOS7.4.0 through 7.4.27.4.3 or later
FortiOS7.2.0 through 7.2.67.2.7 or later
FortiOS7.0.0 through 7.0.137.0.14 or later
FortiOS6.4.0 through 6.4.146.4.15 or later
FortiOS6.2.0 through 6.2.156.2.16 or later
FortiOS6.0.0 through 6.0.17Migrate to supported branch
FortiProxy7.4.0 through 7.4.27.4.3 or later
FortiProxy7.2.0 through 7.2.87.2.9 or later
FortiProxy7.0.0 through 7.0.147.0.15 or later
FortiProxy2.0.0 through 2.0.132.0.14 or later
FortiProxy1.2.x, 1.1.x, 1.0.xMigrate to supported branch

Patches are available through Fortinet's support portal. The official advisory is published under FG-IR-24-015 at https://fortiguard.com/psirt/FG-IR-24-015. FortiOS 6.0.x and FortiProxy 1.x branches are end-of-life and will not receive patches; organizations running these versions must migrate to a supported branch immediately.

What Being on an Affected Version Means

An attacker exploiting CVE-2024-21762 gains the ability to execute arbitrary code with root privileges on the Fortinet device. This is not limited to denial of service or information disclosure; full remote code execution means the attacker owns the device. From this position, they can intercept all VPN traffic, harvest credentials, modify firewall rules to allow inbound access to internal networks, and establish persistent backdoors.

The attack path is direct: internet-facing SSL VPN interface → unauthenticated RCE → root access on the firewall. From the compromised firewall, attackers pivot into the internal network, often with visibility into all network segments the firewall routes. This provides access to domain controllers, file servers, backup infrastructure, and any system reachable from the firewall. Ransomware operators specifically target edge devices like this because a single compromise provides both network access and the ability to disable security controls before deploying payloads.

Mitigation Steps

  1. Apply the patch immediately. Upgrade FortiOS to version 7.4.3, 7.2.7, 7.0.14, 6.4.15, or 6.2.16 depending on your branch. Upgrade FortiProxy to version 7.4.3, 7.2.9, 7.0.15, or 2.0.14. Verify the running version post-upgrade via the CLI command get system status.
  1. If immediate patching is not possible, disable SSL VPN. Fortinet's advisory confirms that disabling the SSL VPN feature is a valid workaround. This is done by removing all SSL VPN policies and setting config vpn ssl settings with set sslvpn enable disable. Note that disabling web-mode alone is not sufficient for this vulnerability.
  1. Restrict management interface access. Ensure the administrative interface is not exposed to the internet. Limit access to trusted IP ranges using local-in policies. This does not mitigate the SSL VPN attack vector but reduces overall attack surface.
  1. Hunt for indicators of compromise. Review FortiGate logs for anomalous SSL VPN authentication events, unexpected configuration changes, or new administrative accounts. Check for unauthorized firewall policy modifications that could indicate an attacker establishing persistence. Use the CLI command diagnose sys session list to review active sessions for suspicious connections. Look for unexpected cron jobs or scripts in /data2/ directories, a common persistence location on FortiOS.
  1. Assume compromise if unpatched and exposed. If your SSL VPN was internet-accessible while running a vulnerable version, conduct a full investigation. Reset all credentials that may have traversed the VPN, review internal systems for lateral movement, and check backup integrity.

This is a P0 priority vulnerability: active exploitation, ransomware association, and unauthenticated RCE on perimeter devices demands same-day patching or immediate workaround implementation.

Intelligence sourced from: Tenable Research

Concerned about your exposure?

Find out what's exploitable in your environment.

Request Free Assessment