CVE-2024-21762 Explained: Fortinet FortiOS SSL VPN Out-of-Bounds Write (CVSS 9.6)
A CVSS 9.6 out-of-bounds write in Fortinet FortiOS and FortiProxy SSL VPN that allows unauthenticated remote code execution via specially crafted HTTP requests. Added to CISA's KEV catalog one day after disclosure. Over 150,000 internet-exposed Fortinet devices affected.
CVE-2024-21762 is an out-of-bounds write vulnerability in Fortinet's FortiOS and FortiProxy SSL VPN implementations, scoring CVSS 9.6. Fortinet disclosed the vulnerability on February 8, 2024. CISA added it to the Known Exploited Vulnerabilities catalog the following day — an unusually rapid addition indicating that exploitation was already underway before the public advisory. At the time of disclosure, the Shadowserver Foundation estimated over 150,000 Fortinet devices were running vulnerable firmware versions and exposed to the internet via their SSL VPN interface.
The vulnerability requires no authentication. An attacker sends crafted HTTP requests to the SSL VPN web management interface, triggering an out-of-bounds memory write that can be leveraged for arbitrary code execution as the SSL VPN process — which runs with root privileges on FortiOS.
How CVE-2024-21762 Works: Out-of-Bounds Write in SSL VPN
Out-of-bounds write vulnerabilities arise when a program writes data to a memory location beyond the boundaries of an allocated buffer. In a network-facing service, if attacker-controlled data (such as HTTP request content) influences the write target or the data written, the attacker can corrupt adjacent memory structures.
In CVE-2024-21762, the FortiOS SSL VPN web management interface processes specific HTTP request fields without adequate boundary checking. By crafting request content that causes a write beyond the allocated buffer, an attacker can overwrite adjacent memory — including function pointers, return addresses, or heap metadata. With sufficient control over the write target and value, this leads to arbitrary code execution in the context of the SSL VPN process.
The SSL VPN interface is intentionally internet-facing — it must be reachable for remote users to connect. This eliminates any network-level prerequisite for the attack. Any device with SSL VPN enabled and port 443 accessible is a potential target.
Identify Fortinet devices with SSL VPN exposed
FortiGate and FortiProxy SSL VPN portals are identifiable by their login page design, SSL certificate details, and HTTP response headers. Shadowserver and Shodan maintain continuous scans of exposed Fortinet devices. Over 150,000 were exposed at time of CVE-2024-21762 disclosure.
Send specially crafted HTTP request to SSL VPN interface
Send an unauthenticated HTTP request with crafted content to the FortiGate SSL VPN web interface on port 443. The specific request field and payload structure trigger the out-of-bounds write condition.
Trigger memory corruption and control execution
The out-of-bounds write corrupts adjacent memory structures. With the right primitive, this produces control over the instruction pointer — redirecting code execution to attacker-controlled shellcode or ROP chain.
Execute as root on FortiOS
The SSL VPN process runs as root on FortiOS. Successful exploitation gives the attacker a root shell on the underlying Linux system, with full access to the firewall's configuration, routing tables, stored credentials, and VPN session data.
Extract configuration and establish persistence
Attackers extract the FortiOS configuration (containing all firewall rules, credential stores, PKI certificates) and establish persistence via custom scripts or modifications to FortiOS startup processes. The compromised gateway then serves as a pivot point into all internal networks it routes.
Historical Context: Fortinet SSL VPN Vulnerability Pattern
CVE-2024-21762 is the latest in a sustained series of high-severity Fortinet SSL VPN vulnerabilities. CVE-2018-13379 (arbitrary file read, CVSS 9.8) was exploited to harvest credentials from thousands of Fortinet VPN appliances. CVE-2022-42475 (heap buffer overflow, CVSS 9.3) was exploited as a zero-day by a suspected Chinese state actor. CVE-2023-27997 (heap buffer overflow, CVSS 9.8) was exploited in the wild within weeks of disclosure.
The pattern reflects sustained research interest in Fortinet's SSL VPN codebase — a large, complex C codebase handling untrusted network input on internet-facing infrastructure. Each remediated vulnerability has been followed by another, suggesting the fundamental attack surface has not been eliminated by point patches alone.
For organisations planning their VPN architecture, this history is relevant context for evaluating the security posture of appliance-based SSL VPN solutions versus alternatives.
“Fortinet is aware of an instance where this vulnerability was exploited in the wild.”
— Fortinet PSIRT Advisory FG-IR-24-015, February 2024
Patching and Mitigating CVE-2024-21762
The definitive fix is upgrading to a patched FortiOS version. If immediate upgrade is not possible, the only complete workaround is disabling SSL VPN entirely.
Upgrade FortiOS to patched versions immediately
Target versions: FortiOS 7.4.3 or later, 7.2.8 or later, or 7.0.16 or later. FortiOS 6.0, 6.2, and 6.4 are end-of-life and receive no fix; upgrade those devices to the 7.x branch. Verify the running version via CLI: get system status | grep Version. Upgrade via Dashboard > Firmware & Registration or via CLI.
Disable SSL VPN if patching is delayed
If the upgrade cannot be applied immediately: config vpn ssl settings > set status disable > end. This disables the SSL VPN daemon, eliminating the attack surface. Note: this disrupts all remote VPN access. Communicate the maintenance window to affected users.
Treat exposed, unpatched devices as potentially compromised
Any device running a vulnerable FortiOS version with SSL VPN internet-accessible should be treated as potentially compromised. Review system logs for unexpected SSH sessions, new admin accounts, configuration changes, and anomalous outbound connections from the device management plane.
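The log review described above, as an added example that is not part of the original article or of any Fortinet tooling: it parses FortiOS-style key=value event records and flags admin logins from outside an assumed management allow-list, new administrator accounts, and other configuration changes. The log lines, the allow-list and the config paths checked are constructed for the example.

```python
import ipaddress
import re

# Constructed FortiOS-style event records (key=value layout). Invented for this
# example; field names follow the general FortiOS event-log shape.
SAMPLE_LOGS = """\
date=2024-02-10 time=03:12:44 type="event" subtype="system" logdesc="Admin login successful" user="admin" ui="ssh(203.0.113.77)" srcip=203.0.113.77
date=2024-02-10 time=03:13:02 type="event" subtype="system" logdesc="Object attribute configured" user="admin" ui="ssh(203.0.113.77)" action="Add" cfgpath="system.admin" cfgobj="support"
date=2024-02-10 time=03:14:10 type="event" subtype="system" logdesc="Object attribute configured" user="admin" ui="ssh(203.0.113.77)" action="Edit" cfgpath="system.auto-script" cfgobj="upd"
date=2024-02-10 time=09:00:01 type="event" subtype="system" logdesc="Admin login successful" user="netops" ui="https(10.20.0.5)" srcip=10.20.0.5
"""

# Assumed management allow-list: admin sessions from anywhere else are unexpected.
MGMT_NETS = [ipaddress.ip_network("10.20.0.0/24")]

KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_line(line):
    """Split one key=value record into a dict (quoted or bare values)."""
    return {k: (q or u) for k, q, u in KV_RE.findall(line)}


def source_ip(rec):
    """Admin source address: taken from ui="ssh(1.2.3.4)", else srcip."""
    m = re.search(r"\((\d+\.\d+\.\d+\.\d+)\)", rec.get("ui", ""))
    return m.group(1) if m else rec.get("srcip")


def triage(log_text):
    """Return (finding, object, source_ip) tuples for the indicators the
    article lists: unexpected admin sessions, new admin accounts, config changes."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec.get("type") != "event" or rec.get("subtype") != "system":
            continue
        src = source_ip(rec)
        if rec.get("logdesc") == "Admin login successful" and src:
            if not any(ipaddress.ip_address(src) in net for net in MGMT_NETS):
                findings.append(("admin_login_unexpected_source", rec.get("user"), src))
        if rec.get("cfgpath") == "system.admin" and rec.get("action") == "Add":
            findings.append(("new_admin_account", rec.get("cfgobj"), src))
        elif "cfgpath" in rec:
            # Any other object change; system.auto-script edits deserve a close look
            # because scheduled CLI scripts are one way to survive reboots.
            findings.append(("config_change", rec["cfgpath"], src))
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOGS):
        print(finding)
```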
Rotate all credentials referenced by the FortiGate configuration
If compromise is possible, rotate LDAP/RADIUS authentication credentials, IPsec pre-shared keys, SSL VPN local user passwords, and administrator account credentials. Revoke and reissue SSL certificates. Exfiltration of the running configuration is a reliable attacker objective after RCE on a firewall, so every secret stored in it should be assumed exposed.
The bottom line
CVE-2024-21762 is part of a recurring story for Fortinet SSL VPN: a high-severity unauthenticated memory corruption vulnerability in internet-facing VPN code, confirmed exploited before or immediately after disclosure. The CISA KEV addition on day one indicates the exploitation timeline is not measured in weeks — it begins before the patch exists.
FortiOS SSL VPN has generated multiple CVSS 9.0+ vulnerabilities in consecutive years. Security teams with Fortinet deployments should maintain patch currency as a standing priority, not a reactive one. Devices that fall one or two versions behind are not just unpatched — they are likely already in attacker targeting lists.
Frequently asked questions
What is CVE-2024-21762?
CVE-2024-21762 is a CVSS 9.6 out-of-bounds write in Fortinet FortiOS and FortiProxy SSL VPN. An unauthenticated attacker sends specially crafted HTTP requests to the SSL VPN web interface, triggering a memory write outside allocated buffer bounds. Successful exploitation leads to arbitrary code or command execution with the privileges of the SSL VPN process — typically root.
Which FortiOS versions are affected by CVE-2024-21762?
Affected FortiOS versions: 6.0 (all), 6.2 (all), 6.4 (all), 7.0.0–7.0.15, 7.2.0–7.2.7, 7.4.0–7.4.2. Patched versions: 7.4.3+, 7.2.8+, 7.0.16+. FortiOS 6.0, 6.2, and 6.4 are end-of-life and do not receive patches — upgrade to a supported branch. FortiProxy: 2.0.0–2.0.13, 7.0.0–7.0.16, 7.2.0–7.2.9 are affected.
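A version triage helper, added here as an example and not taken from the article or from Fortinet: it encodes the affected and fixed ranges stated in this FAQ, parses either a bare version or the line printed by get system status | grep Version, and reports whether a device is patched, vulnerable, mitigated by having SSL VPN disabled, or on a branch the FAQ does not cover. The "Version:" line layout used in the sample is an assumption, and first fixed releases are only known for FortiOS because the FAQ gives none for FortiProxy.

```python
import re

# Highest affected patch level per branch, as stated in the FAQ above.
# None means the whole branch is affected and end-of-life, so no fix exists for it.
AFFECTED = {
    "FortiOS": {(6, 0): None, (6, 2): None, (6, 4): None,
                (7, 0): 15, (7, 2): 7, (7, 4): 2},
    "FortiProxy": {(2, 0): 13, (7, 0): 16, (7, 2): 9},
}
# First fixed release per branch, as given on this page (FortiOS only).
FIXED = {"FortiOS": {(7, 0): "7.0.16", (7, 2): "7.2.8", (7, 4): "7.4.3"}}

VERSION_RE = re.compile(r"\bv?(\d+)\.(\d+)\.(\d+)\b")


def parse_version(text):
    """Return (major, minor, patch) from a bare version or from a 'Version:' line.
    The sample layout 'Version: FortiGate-100F v7.2.7,build1577,231105 (GA.M)'
    is an assumed/constructed example of that CLI output."""
    m = VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no major.minor.patch version in {text!r}")
    return tuple(int(g) for g in m.groups())


def assess(product, version_text, ssl_vpn_enabled=True):
    """Classify one device as (status, action); status is 'patched', 'vulnerable',
    'mitigated' (affected build but SSL VPN disabled) or 'unknown'."""
    major, minor, patch = parse_version(version_text)
    branch = (major, minor)
    if branch not in AFFECTED[product]:
        return "unknown", "branch not in this summary; check the vendor advisory"
    last_bad = AFFECTED[product][branch]
    if last_bad is not None and patch > last_bad:
        return "patched", "no action for CVE-2024-21762"
    if last_bad is None:
        action = "branch is end-of-life; upgrade to a supported 7.x release"
    else:
        fix = FIXED.get(product, {}).get(branch)
        action = (f"upgrade to {fix} or later" if fix
                  else "upgrade to the first fixed release of this branch")
    if not ssl_vpn_enabled:
        return "mitigated", "SSL VPN disabled; still " + action
    return "vulnerable", action + "; treat as potentially compromised"


if __name__ == "__main__":
    # Constructed inventory, not real devices.
    for prod, ver, sslvpn in [("FortiOS", "Version: FortiGate-100F v7.2.7,build1577,231105 (GA.M)", True),
                              ("FortiOS", "6.4.15", False), ("FortiProxy", "7.0.17", True)]:
        print(prod, ver, assess(prod, ver, sslvpn))
```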
Is CVE-2024-21762 being actively exploited?
Yes. CISA added CVE-2024-21762 to the Known Exploited Vulnerabilities catalog on February 9, 2024 — one day after Fortinet's advisory — confirming active exploitation. The fast KEV addition suggests CISA had prior knowledge of exploitation before the public advisory.
How do I mitigate CVE-2024-21762 if I cannot patch immediately?
Disable SSL VPN on the FortiGate/FortiProxy device. In FortiOS: config vpn ssl settings > set status disable > end. Note that disabling the SSL VPN disables remote access for users. This is the only complete workaround — there is no partial mitigation that keeps SSL VPN operational while blocking the vulnerability.
Is CVE-2024-21762 related to CVE-2023-27997?
They are in the same product and vulnerability class (SSL VPN, out-of-bounds operations) but are separate vulnerabilities. CVE-2023-27997 is a heap buffer overflow in FortiOS SSL VPN (patched June 2023). CVE-2024-21762 is a different out-of-bounds write found in subsequent research. Both underline that the FortiOS SSL VPN codebase has been a productive research target for memory safety vulnerabilities.
Sources & references
- NVD
- Fortinet PSIRT Advisory FG-IR-24-015
- CISA Known Exploited Vulnerabilities Catalog
- Shadowserver Foundation — Fortinet CVE-2024-21762 exposure data
Founder & Cybersecurity Evangelist, Decryption Digest
Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals weekly.
