CVE-2024-21762

What is Fortinet FortiOS SSL VPN?

Fortinet FortiOS is the operating system for FortiGate next-generation firewalls. Its SSL VPN feature is one of the most widely deployed remote access VPN solutions in the world, used by hundreds of thousands of organizations for corporate remote access. FortiGate SSL VPN is internet-facing by design — appliances expose the VPN portal on HTTPS (typically port 443 or 4433) to allow remote users to connect. This makes SSL VPN vulnerabilities especially dangerous: the attack surface is directly reachable from the internet without any prior access, and successful exploitation yields immediate VPN gateway access — a direct entry point into the protected internal network.

Overview

CVE-2024-21762 is an out-of-bounds write vulnerability (CWE-787) in Fortinet FortiOS's SSL-VPN web management component. A remote unauthenticated attacker can send specially crafted HTTP requests to the FortiOS SSL VPN web interface to trigger the out-of-bounds write, achieving arbitrary code execution on the FortiGate appliance. Fortinet disclosed the vulnerability on February 8, 2024 and simultaneously confirmed that it was being exploited in the wild — making it a disclosed zero-day at time of publication. CISA added it to the KEV catalog the following day (February 9) with an extremely short 7-day remediation deadline, reflecting the severity and confirmed exploitation.

Affected Versions

Workaround: Disable SSL-VPN on the device (config vpn ssl settings → set status disable). This eliminates the attack surface but disables remote access.

Technical Details

The out-of-bounds write (CWE-787) is in the HTTP request processing code of the FortiOS SSL-VPN web component — the HTTPS listener that handles VPN client authentication and the SSL-VPN web portal. A specially crafted HTTP request with a malformed header or body field causes a write operation to proceed beyond an allocated buffer boundary on the heap or stack.

Exploitation mechanism: The out-of-bounds write overwrites adjacent memory — potentially function pointers, vtable entries, or stored return addresses — with attacker-controlled data. By crafting the overflow contents carefully, the attacker can redirect execution to shellcode or a return-oriented programming (ROP) chain, achieving code execution as root on the FortiOS Linux operating system.

No authentication required: The vulnerable code path is reached before any authentication check — the request handler processes the malformed HTTP data before authenticating the request. This makes it exploitable by any internet-connected attacker.

Companion CVE-2024-23113: Also published in February 2024, CVE-2024-23113 (format string vulnerability in fgfmd) affects multiple Fortinet products. Organizations should apply patches for both.

Exploitation Context

Fortinet explicitly confirmed active exploitation at the time of the February 8, 2024 advisory — one of the relatively rare cases where a vendor discloses a vulnerability and simultaneously confirms it is being actively exploited (i.e., a 0-day at time of disclosure). CISA responded with a 7-day deadline — one of the shortest in KEV history for a non-emergency directive — reflecting the urgency. Ransomware groups and nation-state actors targeted unpatched FortiGate appliances to gain initial VPN access and then lateral movement into internal networks.

Remediation

1. Upgrade FortiOS to a patched version (7.4.3+, 7.2.7+, 7.0.14+, 6.4.15+) immediately. The CISA deadline was February 16, 2024.
2. If patching cannot be completed immediately, disable SSL-VPN entirely as a temporary workaround — better to lose remote access than to be compromised.
3. Check FortiGate for indicators of compromise: look for new or modified admin accounts, unexpected scheduled tasks, or modified files in the SSL-VPN web directory.
4. Review SSL-VPN session logs for connections from unexpected IP addresses or unusual authentication patterns in the weeks preceding the patch.
5. Rotate VPN user credentials — if the appliance was internet-exposed before patching, assume credential interception was possible.
6. Implement IP allowlisting for the SSL-VPN management interface — restrict which source IPs can access the VPN portal (if operationally feasible).