Background
Fortinet FortiOS is the operating system powering FortiGate firewalls and the FortiGate SSL VPN, one of the most widely deployed enterprise VPN solutions globally. FortiGate appliances are used extensively in enterprise, government, and critical infrastructure environments as network perimeter security controls. The SSL VPN component provides remote access for distributed workforces and is frequently internet-exposed by design.
CVE-2024-21762 is an out-of-bounds write vulnerability in FortiOS’s SSL VPN web management interface. Disclosed in February 2024 with a CVSS score of 9.6, the vulnerability enables unauthenticated RCE — the most severe possible impact for a network perimeter device. CISA added it to the KEV catalogue with confirmation of active exploitation, and Fortinet’s advisory noted “may be exploited in the wild” — their standard language for confirmed in-the-wild exploitation.
Technical Mechanism
CVE-2024-21762 is an out-of-bounds write vulnerability (CWE-787) in the SSL VPN web component of FortiOS. Memory safety bugs of this class occur when a write operation uses a calculated offset or size that exceeds the bounds of the allocated memory buffer.
In the FortiOS SSL VPN web interface, the vulnerable code path processes HTTP requests. When a specially crafted HTTP request is sent to the VPN listener port (typically TCP 443 or 4433), the request handling code:
- Allocates a fixed-size buffer for the request data
- Copies attacker-supplied data into that buffer without adequate bounds checking
- Overwrites memory adjacent to the buffer when the supplied data exceeds its size
In a typical heap-based out-of-bounds write exploitation scenario on FortiOS, the vulnerable pattern simplifies to:

```c
// Simplified representation of the vulnerable pattern (not FortiOS source)
char buffer[MAX_SIZE];                          // fixed-size buffer
int user_length = get_content_length(request);  // attacker-controlled length
memcpy(buffer, request_body, user_length);      // no bounds check: OOB write
```
The out-of-bounds write can corrupt adjacent heap metadata or data structures. With sufficient control over the write content and offset, attackers can achieve:
- Heap metadata corruption: Overwriting heap management structures to redirect subsequent allocations
- Function pointer overwrite: If adjacent heap contains function pointers, redirecting execution flow
- Return address corruption: In some configurations, corrupting stack-based return addresses
FortiOS runs a hardened Linux environment with exploit mitigations (ASLR, stack canaries, NX bits), but these can be bypassed with information leaks or by using the write primitive to corrupt specific data structures that predictably control program flow.
The vulnerability was confirmed to be exploitable for remote code execution, executing in the context of the FortiOS SSL VPN service, which runs with elevated privileges.
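The following C program is an added example, not FortiOS code, showing the hardened form of the pattern above: the declared Content-Length is parsed defensively (non-digits and integer overflow are rejected) and the copy happens only after the length has been checked against both the destination buffer and the bytes actually received. Function names, `MAX_SIZE` and the return codes are illustrative assumptions.

```c
/* Added example (not FortiOS code): bounds-checked handling of an
 * attacker-controlled Content-Length before copying a request body. */
#include <stdio.h>
#include <string.h>
#include <limits.h>

#define MAX_SIZE 4096   /* illustrative buffer size */

/* Parse a decimal Content-Length value.
 * Returns the value, or -1 if the string is empty, contains non-digits,
 * or would overflow a long. */
long parse_content_length(const char *s) {
    if (s == NULL || *s == '\0') return -1;
    long v = 0;
    for (; *s; s++) {
        int d = *s - '0';
        if (d < 0 || d > 9) return -1;                 /* non-digit */
        if (v > (LONG_MAX - d) / 10) return -1;        /* overflow */
        v = v * 10 + d;
    }
    return v;
}

/* Hardened copy: returns the number of bytes copied, or a negative code:
 *  -1 malformed Content-Length
 *  -2 declared length larger than the destination buffer (would be an OOB write)
 *  -3 declared length larger than the body actually received (would over-read) */
long copy_request_body(char *dst, size_t dst_size,
                       const char *content_length_hdr,
                       const char *body, size_t body_len) {
    long declared = parse_content_length(content_length_hdr);
    if (declared < 0) return -1;
    if ((unsigned long)declared > dst_size) return -2;
    if ((unsigned long)declared > body_len) return -3;
    memcpy(dst, body, (size_t)declared);
    return declared;
}

int main(void) {
    char buffer[MAX_SIZE];
    const char *body = "user=alice&pass=secret";   /* constructed sample body */
    long n;

    /* Honest request: header matches the body, copy succeeds. */
    n = copy_request_body(buffer, sizeof buffer, "22", body, strlen(body));
    printf("honest request: copied %ld bytes\n", n);

    /* Oversized declaration: rejected before any write takes place. */
    n = copy_request_body(buffer, sizeof buffer, "1000000", body, strlen(body));
    printf("oversized Content-Length: rejected with code %ld\n", n);
    return 0;
}
```

The key difference from the vulnerable pattern is that the length never reaches `memcpy` unchecked: every failure path returns before the write, which is what a bounds-safe request handler must guarantee.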
Real-World Exploitation Evidence
Fortinet’s advisory for CVE-2024-21762 included the acknowledgment of in-the-wild exploitation. Multiple threat intelligence sources corroborated active exploitation campaigns:
- Chinese APT activity: Security researchers at Mandiant and others documented exploitation by advanced persistent threat groups consistent with Chinese state-sponsored actors targeting government and defence sector Fortinet deployments.
- Ransomware pre-positioning: Evidence of exploitation for initial access followed by ransomware deployment, consistent with Akira and other ransomware groups’ known use of Fortinet VPN vulnerabilities.
- Mass scanning activity: Shodan searches and threat intelligence feeds showed widespread probing of Fortinet SSL VPN endpoints beginning immediately after advisory publication.
CVE-2024-21762 is part of a pattern of Fortinet SSL VPN vulnerabilities (alongside CVE-2022-42475, CVE-2023-27997) that have made FortiGate SSL VPN a high-priority target for advanced threat actors.
Impact Assessment
Exploitation of CVE-2024-21762 on an internet-facing FortiGate SSL VPN provides:
- Unauthenticated RCE: No credentials required; exploitation is possible by any attacker with network access to the VPN port.
- Root-level access: The SSL VPN process runs with elevated privileges on FortiOS, providing broad system access.
- Network access: Attackers gain a foothold on the network perimeter device, enabling internal network scanning and lateral movement.
- Credential theft: SSL VPN session tokens, cached credentials, and configuration-stored secrets become accessible.
- Persistence: Custom implants can be written to persistent storage on the FortiOS appliance.
Affected Versions
| FortiOS Version | Affected | Fixed Version |
|---|---|---|
| 7.4 | 7.4.0 – 7.4.2 | 7.4.3+ |
| 7.2 | 7.2.0 – 7.2.6 | 7.2.7+ |
| 7.0 | 7.0.0 – 7.0.13 | 7.0.14+ |
| 6.4 | 6.4.0 – 6.4.14 | 6.4.15+ |
| 6.2 | 6.2.0 – 6.2.15 | 6.2.16+ |
| FortiProxy 7.4 | 7.4.0 – 7.4.2 | 7.4.3+ |
Workaround: Disable SSL VPN if the feature is not required (config vpn ssl settings; set status disable). Note this is not equivalent to simply disabling web-mode access.
Remediation Steps
- Upgrade FortiOS: Apply the fixed versions listed above. Download from the Fortinet Customer Support portal at support.fortinet.com.
- Disable SSL VPN as an interim measure (only if the feature is not needed):

```
config vpn ssl settings
    set status disable
end
```

- Verify patch application: After upgrade, check the running version:

```
get system status | grep Version
```

- Review for indicators of compromise: Fortinet published a list of IOCs. Check for:
  - Unexpected administrator accounts
  - Modified system files in the `/data` partition
  - Unusual network connections from the management interface
- Enable FortiGuard IPS signatures: Fortinet published IPS signatures to detect exploitation attempts. Ensure your FortiGate is subscribed to FortiGuard IPS and the signatures are current.
- Restrict VPN access: Implement geo-blocking or IP allowlisting on the SSL VPN listener to reduce attack surface while patching.
Detection Guidance
Log sources:
- FortiGate system event logs (`diagnose log test`)
- SSL VPN logs: Log & Report > Events > VPN Events
- Traffic logs for unusual patterns on the SSL VPN port (443/4433)

CLI log queries:

```
# Check for failed/anomalous VPN session attempts
execute log filter category 3
execute log filter field action tunnel-down
execute log display
```

Indicators of Compromise:
- Files modified unexpectedly in `/data/lib/` or `/data/bin/`
- SSL VPN log entries with unusual session IDs or malformed request patterns
- Outbound connections from the FortiGate management IP to unknown external IPs
- Unexpected processes visible via `diagnose sys process list`
Suricata signature (note that the SSL VPN listener speaks TLS, so this content match only fires where the sensor inspects decrypted traffic, and `dsize` is evaluated per packet payload rather than on the reassembled request):

```
alert tcp $EXTERNAL_NET any -> $HOME_NET 443 (msg:"Fortinet FortiOS CVE-2024-21762 OOB Write Exploit"; flow:established,to_server; dsize:>8192; content:"POST"; depth:4; pcre:"/Content-Length:\s*\d{6,}/i"; threshold:type limit, track by_src, count 1, seconds 60; sid:9000217; rev:1;)
```
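As an added example that is not Fortinet code, the following C program parses FortiGate-style key=value VPN event log lines and flags a source address with repeated `ssl-login-fail` events, the kind of anomalous session activity the CLI log queries above are meant to surface. The field names (`action`, `remip`, `user`, `tunneltype`) follow the FortiGate event log format; the sample lines, addresses, user names and timestamps are constructed, and the threshold and function names are illustrative.

```c
/* Added example (not Fortinet code): triage of FortiGate-style VPN event
 * log lines. The log lines are constructed samples, not real telemetry. */
#include <stdio.h>
#include <string.h>

static const char *SAMPLE_LOGS[] = {
    "date=2024-02-09 time=03:12:01 type=\"event\" subtype=\"vpn\" action=\"ssl-login-fail\" remip=203.0.113.10 user=\"admin\" reason=\"sslvpn_login_unknown_user\"",
    "date=2024-02-09 time=03:12:02 type=\"event\" subtype=\"vpn\" action=\"ssl-login-fail\" remip=203.0.113.10 user=\"test\" reason=\"sslvpn_login_unknown_user\"",
    "date=2024-02-09 time=03:12:03 type=\"event\" subtype=\"vpn\" action=\"ssl-login-fail\" remip=203.0.113.10 user=\"guest\" reason=\"sslvpn_login_unknown_user\"",
    "date=2024-02-09 time=03:15:44 type=\"event\" subtype=\"vpn\" action=\"tunnel-up\" remip=198.51.100.7 user=\"jdoe\" tunneltype=\"ssl-tunnel\"",
    "date=2024-02-09 time=03:40:10 type=\"event\" subtype=\"vpn\" action=\"tunnel-down\" remip=198.51.100.7 user=\"jdoe\" tunneltype=\"ssl-tunnel\"",
};
static const size_t SAMPLE_COUNT = sizeof SAMPLE_LOGS / sizeof SAMPLE_LOGS[0];

/* Copy the value of `key` from a space-separated key=value line into out,
 * stripping surrounding quotes. Returns 1 if the key was found, else 0. */
int get_field(const char *line, const char *key, char *out, size_t outlen) {
    size_t klen = strlen(key);
    const char *p = line;
    while ((p = strstr(p, key)) != NULL) {
        /* Require a token boundary before the key and '=' right after it,
         * so "remip" does not match inside some other key or value. */
        if ((p == line || p[-1] == ' ') && p[klen] == '=') {
            const char *v = p + klen + 1;
            const char *end;
            if (*v == '"') { v++; end = strchr(v, '"'); }
            else           { end = strchr(v, ' '); }
            if (end == NULL) end = v + strlen(v);
            size_t n = (size_t)(end - v);
            if (n >= outlen) n = outlen - 1;
            memcpy(out, v, n);
            out[n] = '\0';
            return 1;
        }
        p += klen;
    }
    return 0;
}

/* Count lines whose action equals `action` and whose remip equals `ip`. */
int count_action_from_ip(const char *const *lines, size_t n,
                         const char *action, const char *ip) {
    int count = 0;
    char a[64], r[64];
    for (size_t i = 0; i < n; i++) {
        if (get_field(lines[i], "action", a, sizeof a) &&
            get_field(lines[i], "remip", r, sizeof r) &&
            strcmp(a, action) == 0 && strcmp(r, ip) == 0)
            count++;
    }
    return count;
}

/* Return 1 and copy the first remip with at least `threshold` ssl-login-fail
 * events into out_ip; return 0 if no source crosses the threshold. */
int first_bursty_source(const char *const *lines, size_t n, int threshold,
                        char *out_ip, size_t outlen) {
    char r[64];
    for (size_t i = 0; i < n; i++) {
        if (!get_field(lines[i], "remip", r, sizeof r)) continue;
        if (count_action_from_ip(lines, n, "ssl-login-fail", r) >= threshold) {
            strncpy(out_ip, r, outlen - 1);
            out_ip[outlen - 1] = '\0';
            return 1;
        }
    }
    return 0;
}

int main(void) {
    char ip[64];
    if (first_bursty_source(SAMPLE_LOGS, SAMPLE_COUNT, 3, ip, sizeof ip))
        printf("review SSL VPN activity from %s\n", ip);
    else
        printf("no source crossed the failure threshold\n");
    return 0;
}
```

In practice the same parsing applies to lines exported from `execute log display` or forwarded to a syslog collector; the threshold (three failures here) is a tuning choice, and the point is to correlate per source address rather than to read events one at a time.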
Timeline
| Date | Event |
|---|---|
| February 8, 2024 | Fortinet publishes advisory with “may be exploited” language |
| February 8, 2024 | CISA adds CVE-2024-21762 to KEV catalogue |
| February 9, 2024 | Security researchers confirm active scanning/exploitation |
| February 2024 | Patches available for all affected branches |
| March 2024 | Threat intelligence firms publish post-exploitation analysis |