CVE REFERENCE | CRITICAL VULNERABILITY
Active ThreatUpdated 11 min read

CVE-2024-21762 Explained: Fortinet FortiOS SSL VPN Out-of-Bounds Write (CVSS 9.6)

A CVSS 9.6 out-of-bounds write in Fortinet FortiOS and FortiProxy SSL VPN that allows unauthenticated remote code execution via specially crafted HTTP requests. Added to CISA's KEV catalog one day after disclosure. Over 150,000 internet-exposed Fortinet devices affected.

Sources:NVD|Fortinet PSIRT Advisory FG-IR-24-015|CISA Known Exploited Vulnerabilities Catalog|Shadowserver Foundation, Fortinet CVE-2024-21762 exposure data
9.6
CVSS Score
150,000+
Exposed devices at disclosure
1 day
Time to CISA KEV addition
None
Authentication required

SponsoredRetool

Retool's new app builder is where AI-generated code ships safely

Building apps with AI is easy. Getting them to production safely is another story.

Start building for free today

CVE-2024-21762 is an out-of-bounds write vulnerability in Fortinet's FortiOS and FortiProxy SSL VPN implementations, scoring CVSS 9.6. Fortinet disclosed the vulnerability on February 8, 2024. CISA added it to the Known Exploited Vulnerabilities catalog the following day, an unusually rapid addition indicating that exploitation was already underway before the public advisory. At the time of disclosure, the Shadowserver Foundation estimated over 150,000 Fortinet devices were running vulnerable firmware versions and exposed to the internet via their SSL VPN interface.

The vulnerability requires no authentication. An attacker sends crafted HTTP requests to the SSL VPN web management interface, triggering an out-of-bounds memory write that can be leveraged for arbitrary code execution as the SSL VPN process, which runs with root privileges on FortiOS.

How CVE-2024-21762 Works: Out-of-Bounds Write in SSL VPN

Out-of-bounds write vulnerabilities arise when a program writes data to a memory location beyond the boundaries of an allocated buffer. In a network-facing service, if attacker-controlled data (such as HTTP request content) influences the write target or the data written, the attacker can corrupt adjacent memory structures.

In CVE-2024-21762, the FortiOS SSL VPN web management interface processes specific HTTP request fields without adequate boundary checking. By crafting request content that causes a write beyond the allocated buffer, an attacker can overwrite adjacent memory, including function pointers, return addresses, or heap metadata. With sufficient control over the write target and value, this leads to arbitrary code execution in the context of the SSL VPN process.

The SSL VPN interface is intentionally internet-facing, it must be reachable for remote users to connect. This eliminates any network-level prerequisite for the attack. Any device with SSL VPN enabled and port 443 accessible is a potential target.

1

Identify Fortinet devices with SSL VPN exposed

FortiGate and FortiProxy SSL VPN portals are identifiable by their login page design, SSL certificate details, and HTTP response headers. Shadowserver and Shodan maintain continuous scans of exposed Fortinet devices. Over 150,000 were exposed at time of CVE-2024-21762 disclosure.

2

Send specially crafted HTTP request to SSL VPN interface

Send an unauthenticated HTTP request with crafted content to the FortiGate SSL VPN web interface on port 443. The specific request field and payload structure trigger the out-of-bounds write condition.

3

Trigger memory corruption and control execution

The out-of-bounds write corrupts adjacent memory structures. With the right primitive, this produces control over the instruction pointer, redirecting code execution to attacker-controlled shellcode or ROP chain.

4

Execute as root on FortiOS

The SSL VPN process runs as root on FortiOS. Successful exploitation gives the attacker a root shell on the underlying Linux system, with full access to the firewall's configuration, routing tables, stored credentials, and VPN session data.

5

Extract configuration and establish persistence

Attackers extract the FortiOS configuration (containing all firewall rules, credential stores, PKI certificates) and establish persistence via custom scripts or modifications to FortiOS startup processes. The compromised gateway then serves as a pivot point into all internal networks it routes.

Historical Context: Fortinet SSL VPN Vulnerability Pattern

CVE-2024-21762 is the latest in a sustained series of high-severity Fortinet SSL VPN vulnerabilities. CVE-2018-13379 (arbitrary file read, CVSS 9.8) was exploited to harvest credentials from thousands of Fortinet VPN appliances. CVE-2022-42475 (heap buffer overflow, CVSS 9.3) was exploited as a zero-day by a suspected Chinese state actor. CVE-2023-27997 (heap buffer overflow, CVSS 9.8) was exploited in the wild within weeks of disclosure.

The pattern reflects sustained research interest in Fortinet's SSL VPN codebase, a large, complex C codebase handling untrusted network input on internet-facing infrastructure. Each remediated vulnerability has been followed by another, suggesting the fundamental attack surface has not been eliminated by point patches alone.

For organisations planning their VPN architecture, this history is relevant context for evaluating the security posture of appliance-based SSL VPN solutions versus alternatives.

Fortinet is aware of an instance where this vulnerability was exploited in the wild.

Fortinet PSIRT Advisory FG-IR-24-015, February 2024
Free daily briefing

Briefings like this, every morning before 9am.

Threat intel, active CVEs, and campaign alerts, distilled for practitioners. 50,000+ subscribers. No noise.

Patching and Mitigating CVE-2024-21762

The definitive fix is upgrading to a patched FortiOS version. If immediate upgrade is not possible, the only complete workaround is disabling SSL VPN entirely.

Subscribe to unlock Remediation & Mitigation steps

Free subscribers unlock full IOC lists, Sigma detection rules, remediation steps, and every daily briefing.

The bottom line

CVE-2024-21762 is part of a recurring story for Fortinet SSL VPN: a high-severity unauthenticated memory corruption vulnerability in internet-facing VPN code, confirmed exploited before or immediately after disclosure. The CISA KEV addition on day one indicates the exploitation timeline is not measured in weeks, it begins before the patch exists.

FortiOS SSL VPN has generated multiple CVSS 9.0+ vulnerabilities in consecutive years. Security teams with Fortinet deployments should maintain patch currency as a standing priority, not a reactive one. Devices that fall one or two versions behind are not just unpatched, they are likely already in attacker targeting lists.

This analysis is generic — the platform version scores threats like this against your own stack.

Frequently asked questions

What is CVE-2024-21762?

CVE-2024-21762 is a CVSS 9.6 out-of-bounds write in Fortinet FortiOS and FortiProxy SSL VPN. An unauthenticated attacker sends specially crafted HTTP requests to the SSL VPN web interface, triggering a memory write outside allocated buffer bounds. Successful exploitation leads to arbitrary code or command execution with the privileges of the SSL VPN process, typically root.

Which FortiOS versions are affected by CVE-2024-21762?

Affected FortiOS versions: 6.0 (all), 6.2 (all), 6.4 (all), 7.0.0–7.0.15, 7.2.0–7.2.7, 7.4.0–7.4.2. Patched versions: 7.4.3+, 7.2.8+, 7.0.16+. FortiOS 6.0, 6.2, and 6.4 are end-of-life and do not receive patches, upgrade to a supported branch. FortiProxy: 2.0.0–2.0.13, 7.0.0–7.0.16, 7.2.0–7.2.9 are affected.

Is CVE-2024-21762 being actively exploited?

Yes. CISA added CVE-2024-21762 to the Known Exploited Vulnerabilities catalog on February 9, 2024, one day after Fortinet's advisory, confirming active exploitation. The fast KEV addition suggests CISA had prior knowledge of exploitation before the public advisory.

How do I mitigate CVE-2024-21762 if I cannot patch immediately?

Disable SSL VPN on the FortiGate/FortiProxy device. In FortiOS: config vpn ssl settings > set status disable > end. Note that disabling the SSL VPN disables remote access for users. This is the only complete workaround, there is no partial mitigation that keeps SSL VPN operational while blocking the vulnerability.

Is CVE-2024-21762 related to CVE-2023-27997?

They are in the same product and vulnerability class (SSL VPN, out-of-bounds operations) but are separate vulnerabilities. CVE-2023-27997 is a heap buffer overflow in FortiOS SSL VPN (patched June 2023). CVE-2024-21762 is a different out-of-bounds write found in subsequent research. Both underline that the FortiOS SSL VPN codebase has been a productive research target for memory safety vulnerabilities.

Which FortiOS and FortiProxy versions fix CVE-2024-21762?

FortiOS fixed versions: 7.4.3+, 7.2.7+, 7.0.14+, 6.4.15+. FortiProxy fixed versions: 7.4.3+, 7.2.9+, 7.0.15+, 2.0.14+. Verify current version via FortiGate CLI: get system status | grep Version. Branches 6.2.x and 6.0.x reached end-of-life before the patch was issued and will not receive a fix: those devices must be upgraded to a supported branch before they can be remediated.

Sources & references

  1. NVD
  2. Fortinet PSIRT Advisory FG-IR-24-015
  3. CISA Known Exploited Vulnerabilities Catalog
  4. Shadowserver Foundation, Fortinet CVE-2024-21762 exposure data

Free resources

25
Free download

Critical CVE Reference Card 2025–2026

25 actively exploited vulnerabilities with CVSS scores, exploit status, and patch availability. Print it, pin it, share it with your SOC team.

No spam. Unsubscribe anytime.

Free download

Ransomware Incident Response Playbook

Step-by-step 24-hour IR checklist covering detection, containment, eradication, and recovery. Built for SOC teams, IR leads, and CISOs.

No spam. Unsubscribe anytime.

Free newsletter

Get threat intel before your inbox does.

50,000+ security professionals read Decryption Digest for early warnings on zero-days, ransomware, and nation-state campaigns. Free, daily, no spam.

Unsubscribe anytime. We never sell your data.

Eric Bang
Author

Founder & Cybersecurity Evangelist, Decryption Digest

Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals every morning.

Black Hat Giveaway

Win a $2,495 Black Hat pass.

Full-access to Black Hat USA 2026 in Las Vegas. Subscribe free to enter.

Joins Decryption Digest daily briefing. Unsubscribe anytime.

Giveaway: Black Hat USA 2026 Full-Access Pass ($2,495 value)

Details →
Daily Briefing

Subscribe to enter the giveaway

Every subscriber is automatically entered. You also get daily threat intel every morning: zero-days, ransomware, and nation-state campaigns. Free. No spam.

Already subscribed? You're already entered.

Giveaway

Win a $2,495 Black Hat USA 2026 pass.