CVE-2024-21762 - [KEV] - CVSS 9.8

Overview

CVE-2024-21762 is a critical out-of-bounds write vulnerability in Fortinet FortiOS and FortiProxy that permits a remote, unauthenticated attacker to achieve arbitrary code or command execution through specially crafted HTTP requests targeting the SSL VPN component. The flaw carries a CVSSv3 score of 9.8 and an EPSS score of 0.927, reflecting both maximal technical severity and a very high probability of exploitation. CISA added the CVE to its Known Exploited Vulnerabilities (KEV) catalog on February 9, 2024, and it is currently assessed at the widespread exploitation maturity level. The vulnerability has additionally been associated with ransomware operations, making exposed Fortinet edge devices an immediate, high-priority risk.

Affected Products

• Fortinet FortiOS – multiple supported branches, particularly devices with SSL VPN (webvpn / sslvpnd) enabled.
• Fortinet FortiProxy – affected versions running the vulnerable SSL VPN/HTTP processing stack.

Administrators should consult Fortinet PSIRT advisory FG-IR-24-015 for the authoritative list of fixed builds and apply vendor-defined upgrade paths rather than relying on branch numbers alone.

Exploitation Evidence

No specific exploitation telemetry (e.g., malware samples, attacker IPs, or campaign indicators) is recorded in the source dataset for this briefing. However, the vulnerability’s presence on the CISA KEV list and its widespread exploitation maturity rating confirm that in-the-wild abuse is occurring at scale. Public reporting has linked exploitation of CVE-2024-21762 to opportunistic mass scanning of internet-exposed FortiGate appliances, with successful compromises observed against unpatched SSL VPN portals.

ATT&CK Mapping

No formal ATT&CK mappings are provided in the source dataset. Based on the vulnerability class and known exploitation behavior against Fortinet edge devices, defenders should anticipate the following likely techniques:

• T1190 – Exploit Public-Facing Application: Initial access via crafted HTTP requests to the SSL VPN service.
• T1133 – External Remote Services: Abuse of the SSL VPN endpoint as the entry vector.
• T1059 – Command and Scripting Interpreter: Execution of attacker-supplied commands on the appliance post-exploit.
• T1505 / T1554 – Persistence on network device: Implant deployment or firmware tampering on compromised appliances.
• T1070 – Indicator Removal: Log clearing on FortiGate devices to obscure intrusion artifacts.

Threat Actor Context

No specific threat actor attribution is recorded in the source dataset. The ransomware-associated flag on this CVE indicates that ransomware affiliates have incorporated it into their initial-access tooling. Historically, Fortinet SSL VPN vulnerabilities have been leveraged by both Chinese state-aligned intrusion sets and financially motivated ransomware operators; organizations should treat any compromise of a vulnerable FortiGate as a credible precursor to data theft or encryption events.

Recommended Actions

• Patch immediately: Upgrade FortiOS and FortiProxy to the fixed versions identified in Fortinet advisory FG-IR-24-015. Treat this as an emergency change.
• Reduce exposure: Where patching cannot be completed without delay, disable SSL VPN (webvpn) on affected devices as the Fortinet-recommended workaround.
• Restrict management and VPN access: Limit SSL VPN portal reachability via geofencing, source IP allowlists, or placing it behind an authenticating reverse proxy / ZTNA broker.
• Hunt for compromise: Review FortiGate crashlogs, SSL VPN authentication logs, and configuration changes for anomalies. Inspect for unauthorized administrative accounts, modified scripts, or unexpected outbound connections from the appliance.
• Rotate credentials: Reset local admin passwords, VPN user credentials, API keys, and any secrets recoverable from device configuration on appliances that were exposed prior to patching.
• Validate firmware integrity: Consider a clean reimage of any FortiGate suspected of pre-patch exposure, given documented attacker persistence techniques on Fortinet devices.
• Enhance monitoring: Forward FortiGate logs to a SIEM and alert on anomalous HTTP requests to the SSL VPN endpoint, repeated crashes of sslvpnd, and unusual administrative activity.
• Federal compliance: U.S. federal agencies must comply with BOD 22-01 remediation timelines as specified in the KEV entry.