CVE-2024-21762 (CVSS 9.6): FortiOS SSL-VPN Zero-Day Pre-Auth RCE Flaw

A stark reminder of this ongoing battle against cyber threats emerged recently when Fortinet, a titan in the realm of network security, issued a critical alert to its customers. The advisory centered around a zero-day vulnerability within FortiOS SSL-VPN—a flaw that has not just theoretical implications but has been actively exploited, marking a significant moment of vulnerability for countless organizations worldwide.

Fortinet, a leading provider of cybersecurity solutions, has issued a stark warning to its customers: patch your appliances immediately. The vulnerability tracked as CVE-2024-21762 (CVSS 9.6), poses a significant risk, potentially enabling unauthenticated remote code execution on affected devices.

“A out-of-bounds write vulnerability [CWE-787] in FortiOS may allow a remote unauthenticated attacker to execute arbitrary code or command via specially crafted HTTP requests,” warns Fortinet in a security advisory released today. “This is potentially being exploited in the wild.

What sets CVE-2024-21762 apart is its exploitation via specially crafted HTTP requests, a method that allows attackers to execute arbitrary code or commands remotely. This capability for unauthenticated users to orchestrate such actions underscores the severity of the vulnerability, putting at risk not just individual pieces of data but the very integrity of networked systems.

Recognizing the gravity of the situation, the company released a security advisory, FG-IR-24-015, sounding the alarm on the active exploitation of this vulnerability. This advisory is not just a warning but a clarion call for action, urging users to fortify their defenses by updating to specified versions of the software designed to neutralize this threat.

All users should update to the following versions to fix the bug:

Version Affected Solution
FortiOS 7.6 Not affected Not Applicable
FortiOS 7.4 7.4.0 through 7.4.2 Upgrade to 7.4.3 or above
FortiOS 7.2 7.2.0 through 7.2.6 Upgrade to 7.2.7 or above
FortiOS 7.0 7.0.0 through 7.0.13 Upgrade to 7.0.14 or above
FortiOS 6.4 6.4.0 through 6.4.14 Upgrade to 6.4.15 or above
FortiOS 6.2 6.2.0 through 6.2.15 Upgrade to 6.2.16 or above
FortiOS 6.0 6.0 all versions Migrate to a fixed release

The guidance provided by Fortinet serves as a lifeline for those potentially impacted. For users unable to apply these critical patches immediately, an interim measure has been suggested—disabling SSL VPN. While some might consider disabling web mode as a workaround, Fortinet’s advice is clear: this measure does not suffice in warding off the threat posed by CVE-2024-21762.