Critical Remote Code Execution Vulnerability Found in FortiOS SSL VPN

9 February 2024 [NO.TCSA : 20240209-1-1-P]

PUBLISHED:
9 February 2024

Critical Remote Code Execution Vulnerability Found in FortiOS SSL VPN

A critical vulnerability, identified as CVE-2024-21762, has been discovered in FortiOS SSL VPN. This out-of-bounds write flaw, with a severity score of 9.6, allows unauthenticated attackers to execute arbitrary code remotely. It is believed to be actively exploited.

Affected Version

  • FortiOS 7.6: Not affected
  • FortiOS 7.4: 7.4.0 through 7.4.2
  • FortiOS 7.2: 7.2.0 through 7.2.6
  • FortiOS 7.0: 7.0.0 through 7.0.13
  • FortiOS 6.4: 6.4.0 through 6.4.14
  • FortiOS 6.2: 6.2.0 through 6.2.15
  • FortiOS 6.0: All versions

Mitigation

Fortinet recommends updating to the latest versions immediately. If immediate updating is not feasible, disabling SSL VPN is advised as a temporary measure.

Version Affected Solution
FortiOS 7.4 7.4.0 through 7.4.2 Upgrade to 7.4.3 or above
FortiOS 7.2 7.2.0 through 7.2.6 Upgrade to 7.2.7 or above
FortiOS 7.0 7.0.0 through 7.0.13 Upgrade to 7.0.14 or above
FortiOS 6.4 6.4.0 through 6.4.14 Upgrade to 6.4.15 or above
FortiOS 6.2 6.2.0 through 6.2.15 Upgrade to 6.2.16 or above
FortiOS 6.0 6.0 all versions Migrate to a fixed release

More Information

Critical Linux Kernel Vulnerability Allows Unprivileged Local Users to Gain Root Privileges (CVE-2026-31431)

READ MORE READ MORE

Critical Microsoft SharePoint Flaw Exploitations in the Wild

READ MORE READ MORE
15 January 2025 [NO.TCSA : 20250115-1-1-E]

Auth Bypass Vulnerability Exploited in Wild to Hijack Fortinet Firewalls

READ MORE READ MORE
Read More BACK TO THREAT BULLETIN