Two vulnerabilities in FortiOS (CVE-2024-21762 and CVE-2024-23113) can lead to arbitrary code execution. Fortinet has released updates that remediate both vulnerabilities in affected FortiOS products. Earlier workarounds, such as disabling web mode, do not mitigate CVE-2024-21762.
These affect multiple versions of Fortinet products, including:
- FortiOS versions before 7.6
- FortiOS 7.4 releases up to and including 7.4.2
- FortiProxy 1.0 through 7.4.2
Severity
Fortinet is the reporting CVE Numbering Authority (CNA) and has assigned a CVSS v3.1 base score of 9.8 (Critical). We are awaiting NVD's assessment of the vulnerability.
What To Do
See Fortinet's recommendations for updating your system. Workarounds are available for CVE-2024-23113, though they may degrade functionality; no workaround is available for CVE-2024-21762, so updating is the only remediation.
Resources
- Bleeping Computer LLC, “New Fortinet RCE flaw in SSL VPN likely exploited in attacks”
- Fortinet, “FortiOS - Out-of-bound Write in sslvpnd”
- The Hacker News, “Fortinet Warns of Critical FortiOS SSL VPN Flaw Likely Under Active Exploitation”
- National Vulnerability Database, “CVE-2024-21762 Detail”
- Tenable Blog, “CVE-2024-21762: Critical Fortinet FortiOS Out-of-Bound Write SSL VPN Vulnerability”
- February 9, 2024: Published.