Fortinet FortiOS SSL VPN, out-of-bounds write pre-auth RCE
An out-of-bounds write vulnerability in Fortinet FortiOS may allow a remote unauthenticated attacker to execute arbitrary code or commands via specially crafted HTTP requests.
Overview
CVE-2024-21762 is a critical out-of-bounds write vulnerability in the Fortinet FortiOS SSL VPN web service. The flaw allows a remote, unauthenticated attacker to execute arbitrary code or commands on vulnerable FortiGate devices by sending specially crafted HTTP requests. No credentials or user interaction are required for exploitation, making this a pre-authentication remote code execution (RCE) vulnerability with root-level access.
This vulnerability was actively exploited in the wild prior to public disclosure. CISA added it to the Known Exploited Vulnerabilities (KEV) catalog on the same day as disclosure (February 8, 2024), underscoring its severity and immediate threat to organizations worldwide.
Technical Details
The vulnerability stems from a bounds-check failure in the SSL VPN web service component of FortiOS. When processing specially crafted HTTP requests, the service fails to properly validate input boundaries, allowing attacker-controlled bytes to overwrite adjacent memory regions. With a carefully constructed payload, an attacker can leverage this memory corruption to achieve pre-authentication code execution on the FortiGate appliance.
The affected component (httpsd) handles SSL VPN web traffic and is typically exposed to the public Internet on FortiGate devices configured for remote access, a default posture for many SMB deployments.
Impact
Successful exploitation grants the attacker root-level code execution on the FortiGate device. This provides access to:
- Routing tables and NAT rules
- RADIUS and Active Directory bind credentials
- Local user databases
- Active VPN session tokens
- Complete control over the perimeter firewall
This level of access enables lateral movement into customer networks. Telemetry from Censys and Shodan indicated sustained exploitation through Q2 2024, with at least one cluster of activity attributed to Volt Typhoon-aligned threat actors targeting US critical infrastructure.
Mitigation
- Apply patches immediately: Upgrade to FortiOS 6.0.18, 6.2.16, 6.4.15, 7.0.14, 7.2.7, 7.4.3, or later versions.
- Disable SSL VPN on FortiGate devices that do not strictly require it; IPsec dial-up VPN is not affected.
- Rotate credentials: Change all admin credentials and review local user databases for unauthorized additions.
- Network segmentation: Limit exposure of management interfaces to trusted networks only.
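The patch list above is easiest to act on across a fleet when it is turned into a check. The following script is an added example, not part of this advisory or any Fortinet tool: it encodes the minimum fixed release for each FortiOS branch named above (later releases on the same branch count as fixed) and classifies a version string as patched, vulnerable, or on a branch the list does not cover. The "Version: ... vX.Y.Z,buildNNNN ..." line shape is an assumption about what a device reports; only the vX.Y.Z token is actually parsed, and the inventory is constructed.

```python
import re

# Minimum fixed FortiOS release on each branch, taken from this advisory's
# mitigation list. Later releases on the same branch are also fixed.
FIXED_VERSIONS = {
    (6, 0): (6, 0, 18),
    (6, 2): (6, 2, 16),
    (6, 4): (6, 4, 15),
    (7, 0): (7, 0, 14),
    (7, 2): (7, 2, 7),
    (7, 4): (7, 4, 3),
}

# Matches "v7.2.6" inside strings such as "v7.2.6,build1575,231130 (GA.M)".
# The surrounding "Version: ..." line shape is an assumption about device
# output; only the vX.Y.Z token is needed.
VERSION_RE = re.compile(r"\bv?(\d+)\.(\d+)\.(\d+)\b")


def parse_version(text):
    """Extract (major, minor, patch) from a FortiOS version string."""
    m = VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no FortiOS version found in {text!r}")
    return tuple(int(x) for x in m.groups())


def assess(text):
    """Classify a version string against the fixed releases listed above.

    Returns 'patched', 'vulnerable', or 'unknown-branch' for a branch this
    page does not list (for example a newer train); those need the vendor
    advisory rather than a guess.
    """
    version = parse_version(text)
    fixed = FIXED_VERSIONS.get(version[:2])
    if fixed is None:
        return "unknown-branch"
    return "patched" if version >= fixed else "vulnerable"


def triage(inventory):
    """Map hostname -> assessment for a dict of hostname -> version line."""
    return {host: assess(line) for host, line in inventory.items()}


# Constructed inventory for illustration; hostnames and build strings are made up.
SAMPLE_INVENTORY = {
    "fgt-branch-01": "Version: FortiGate-60F v7.0.12,build0000,000000 (GA.M)",
    "fgt-branch-02": "Version: FortiGate-100F v7.2.7,build0000,000000 (GA.M)",
    "fgt-dc-01": "Version: FortiGate-600E v7.4.5,build0000,000000 (GA.M)",
    "fgt-legacy-01": "Version: FortiGate-60E v6.0.17,build0000,000000 (GA.M)",
    "fgt-lab-01": "Version: FortiGate-VM64 v7.6.0,build0000,000000 (GA.M)",
}

if __name__ == "__main__":
    for host, state in sorted(triage(SAMPLE_INVENTORY).items()):
        print(f"{host:16} {state}")
```

Treat "unknown-branch" as a prompt to consult the current vendor advisory, not as a clean result: a release train that did not exist when this list was written is neither confirmed fixed nor confirmed vulnerable by it.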
Detection
- Review diagnose debug crashlog output for httpsd crashes during the exposure window; repeated crashes are a strong indicator of exploitation attempts.
- Audit local user databases for unauthorized account creation.
- Monitor for anomalous outbound connections from FortiGate devices.
- Check for indicators of compromise associated with Volt Typhoon and related threat actors.
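The crashlog check above is the one item on this list that needs some parsing to be useful: a single httpsd crash is ordinary, while a tight burst of them during the exposure window is the signal. The following script is an added example, not part of this advisory or of FortiOS: it parses crashlog lines, keeps only httpsd crashes inside an optional exposure window, groups crashes separated by less than a gap into clusters, and reports clusters at or above a threshold. The sample crashlog text and its line shape ("N: <timestamp> the killed daemon is <path>: status=<hex>") are constructed assumptions about the output format; adjust CRASH_RE to match real device output.

```python
import re
from datetime import datetime, timedelta

# Constructed crashlog excerpt for illustration only; the line shape is an
# assumption about crashlog output, not captured device data.
SAMPLE_CRASHLOG = """\
1: 2024-02-07 21:10:03 the killed daemon is /bin/httpsd: status=0xb
2: 2024-02-07 21:10:09 the killed daemon is /bin/httpsd: status=0xb
3: 2024-02-07 21:10:15 the killed daemon is /bin/httpsd: status=0xb
4: 2024-02-08 02:30:44 the killed daemon is /bin/sslvpnd: status=0xf
5: 2024-02-09 11:05:01 the killed daemon is /bin/httpsd: status=0xb
"""

CRASH_RE = re.compile(
    r"^\d+:\s+(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+"
    r"the killed daemon is (\S+?):\s+status=(0x[0-9a-fA-F]+)"
)


def parse_crashlog(text):
    """Return a list of {'time', 'daemon', 'status'} dicts, one per crash line."""
    events = []
    for line in text.splitlines():
        m = CRASH_RE.match(line.strip())
        if not m:
            continue  # banner lines and register dumps carry no crash record
        events.append({
            "time": datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"),
            "daemon": m.group(2),
            "status": m.group(3),
        })
    return events


def httpsd_crash_clusters(events, start=None, end=None,
                          max_gap=timedelta(minutes=5), threshold=3):
    """Group httpsd crashes into bursts and return those of at least `threshold`.

    Each result is (first_crash, last_crash, count). A crash more than
    `max_gap` after the previous one starts a new cluster. `start`/`end`
    bound the exposure window (unpatched and reachable); None means unbounded.
    """
    times = sorted(
        e["time"] for e in events
        if e["daemon"].endswith("/httpsd")
        and (start is None or e["time"] >= start)
        and (end is None or e["time"] <= end)
    )
    clusters, current = [], []
    for t in times:
        if current and t - current[-1] > max_gap:
            clusters.append(current)
            current = []
        current.append(t)
    if current:
        clusters.append(current)
    return [(c[0], c[-1], len(c)) for c in clusters if len(c) >= threshold]


if __name__ == "__main__":
    events = parse_crashlog(SAMPLE_CRASHLOG)
    for first, last, count in httpsd_crash_clusters(events):
        print(f"{count} httpsd crashes between {first} and {last}: investigate")
```

A cluster is a lead, not a verdict: confirm it against the device's exposure window and the other items on this list (unexpected local accounts, anomalous outbound connections) before treating the appliance as compromised. Absence of crashes is not evidence of absence either, since a reliable exploit need not crash the daemon.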