Critical FortiOS SSL VPN Vulnerability Likely Being Exploited in Attacks

Fortinet has disclosed a new critical flaw in the FortiOS SSL VPN which is most likely already being exploited in the wild. The out-of-bounds write vulnerability – CVE-2024-21762 – in FortiOS can be exploited to execute arbitrary commands and code via specially crafted HTTPS requests and has a CVSS score of 9.6. The vulnerability is not present in FortiOS 7.6, but does affect the following versions:

Version      Affected                        Mitigation
FortiOS 7.4  Versions 7.4.0 through 7.4.2    Upgrade to 7.4.3 or above
FortiOS 7.2  Versions 7.2.0 through 7.2.6    Upgrade to 7.2.7 or above
FortiOS 7.0  Versions 7.0.0 through 7.0.13   Upgrade to 7.0.14 or above
FortiOS 6.4  Versions 7.0.0 through 7.0.13   Upgrade to 6.4.15 or above
FortiOS 6.2  Versions 6.2.0 through 6.2.15   Upgrade to 6.2.16 or above
FortiOS 6.0  All 6.0 versions                Migrate to a fixed release

If it is not possible to upgrade or migrate to a fixed version immediately, the flaw can be mitigated by disabling SSL VPN on the affected FortiOS device. The same security alert also discloses another critical flaw – CVE-2024-23113 – and two medium-severity flaws – CVE-2024-44487 and CVE-2023-47537. While CVE-2024-23113 carries a CVSS score of 9.8, it is not currently known to be exploited in the wild, and no exploitation of the two medium-severity flaws has been detected.

Fortinet did not provide any details on the threat actor(s) or the nature of the suspected exploitation; however, Fortinet vulnerabilities have been targeted by Chinese state-sponsored hackers in the past to attack governments and critical infrastructure organizations. Fortinet also disclosed this week that the Chinese state-sponsored hacking group Volt Typhoon is actively exploiting the previously patched vulnerabilities CVE-2022-42475 and CVE-2023-27997 to deploy custom malware called COATHANGER.

Also this week, security agencies in the United States issued a joint warning to critical infrastructure entities about Volt Typhoon activity after it was discovered that the hacking group is already inside the networks and OT systems of several critical infrastructure entities in what appears to be preparation for coordinated destructive attacks in the event of military action in the Asia-Pacific region.

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of NetSec.news