Fortinet Warns of Critical VPN Flaw Likely Under Active Exploitation

Fortinet has disclosed a critical security flaw in its FortiOS Secure Sockets Layer (SSL) VPN that allows remote unauthenticated attackers to execute arbitrary code or commands.

Context

Fortinet has disclosed a critical security flaw, CVE-2024-21762, in its FortiOS Secure Sockets Layer (SSL) VPN, with a CVSS score of 9.6, indicating a high severity flaw. The vulnerability allows remote unauthenticated attackers to execute arbitrary code or commands through specially crafted HTTP requests.

Fortinet acknowledges that the flaw is likely being exploited in the wild, although specific details about the exploitation remain undisclosed. Versions impacted include FortiOS 7.4, 7.2, 7.0, 6.4, 6.2, and 6.0, with recommended upgrades to patched versions.

Community Threat Assessment

Due to the available public reporting of CVE-2024-21762 and noted weaponization of the vulnerability, the RH-ISAC Intelligence Team assesses with moderate confidence that CVE-2024-21762 presents a medium threat for organizations in the retail and hospitality sector that currently utilize FortiOS-dependent products within their environment. RH-ISAC recommends that RH-ISAC Core Members who utilize Fortinet review the intelligence included in this report and update devices where applicable using the version information provided below.

Impacted Fortinet Versions and Recommended Mitigations

The following FortiOS versions are impacted by CVE-2024-21762. Note that FortiOS 7.6 is not currently affected by CVE-2024-21762.

  • FortiOS 7.4 (versions 7.4.0 through 7.4.2) – Upgrade to 7.4.3 or above
  • FortiOS 7.2 (versions 7.2.0 through 7.2.6) – Upgrade to 7.2.7 or above
  • FortiOS 7.0 (versions 7.0.0 through 7.0.13) – Upgrade to 7.0.14 or above
  • FortiOS 6.4 (versions 6.4.0 through 6.4.14) – Upgrade to 6.4.15 or above
  • FortiOS 6.2 (versions 6.2.0 through 6.2.15) – Upgrade to 6.2.16 or above
  • FortiOS 6.0 (versions 6.0 all versions) – Migrate to a fixed release
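To turn the version table above into a repeatable inventory check, here is an added example (not code from the advisory or from Fortinet) that parses a FortiOS version string, tests it against the affected ranges listed above, and returns the recommended action; the range table is transcribed from the list, and the hostnames and versions in the sample inventory are constructed.

```python
# Added example: assess FortiOS versions against the CVE-2024-21762 ranges above.
# Branch -> (first affected patch, last affected patch, fixed release), per the advisory.
AFFECTED = {
    (7, 4): (0, 2, "7.4.3"),
    (7, 2): (0, 6, "7.2.7"),
    (7, 0): (0, 13, "7.0.14"),
    (6, 4): (0, 14, "6.4.15"),
    (6, 2): (0, 15, "6.2.16"),
}
# FortiOS 6.0: every build is affected and there is no fixed 6.0 release.
NO_FIX_BRANCHES = {(6, 0)}


def parse_version(text: str) -> tuple[int, int, int]:
    """Parse 'v7.2.5', '7.2.5' or '7.2' into (major, minor, patch); reject anything else."""
    parts = text.strip().lstrip("vV").split(".")
    if not 2 <= len(parts) <= 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised FortiOS version: {text!r}")
    nums = [int(p) for p in parts] + [0] * (3 - len(parts))
    return nums[0], nums[1], nums[2]


def assess(version: str) -> dict:
    """Return whether a device is affected by CVE-2024-21762 and what to do about it."""
    major, minor, patch = parse_version(version)
    branch = (major, minor)
    if branch in NO_FIX_BRANCHES:
        return {"affected": True, "action": "migrate to a fixed release"}
    if branch in AFFECTED:
        lo, hi, fixed = AFFECTED[branch]
        if lo <= patch <= hi:
            return {"affected": True, "action": f"upgrade to {fixed} or above"}
        return {"affected": False, "action": "none (at or above fixed build)"}
    # 7.6 and any branch not in the advisory are not listed as affected.
    return {"affected": False, "action": "none (branch not listed as affected)"}


def triage(inventory: dict[str, str]) -> list[tuple[str, str, str]]:
    """Return (host, version, action) for every affected device in a {host: version} map."""
    rows = []
    for host, ver in inventory.items():
        result = assess(ver)
        if result["affected"]:
            rows.append((host, ver, result["action"]))
    return rows


if __name__ == "__main__":
    # Constructed sample inventory (hypothetical hostnames and versions).
    sample = {"fw-edge-1": "v7.2.5", "fw-edge-2": "7.4.3", "fw-dc-1": "6.0.12", "fw-lab": "7.6.0"}
    for row in triage(sample):
        print(*row)
```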
