Zero-day vulnerability in FortiOS – CVE-2024-21762

Fortinet has disclosed a new CRITICAL zero-day security vulnerability in FortiOS. We discuss this zero-day vulnerability, CVE-2024-21762, below.

Salient points

  • CVE-2024-21762 is a CVSS 9.8 vulnerability. It was first disclosed on 9 February 2024.
  • This is a remote code execution (RCE) vulnerability. The attacker could execute unauthorized code or commands on the target FortiOS.
  • The zero-day threat is potentially being exploited in the wild.
  • The vulnerability is described as an out-of-bounds write issue that can be exploited by a remote, unauthenticated attacker for arbitrary code execution using specially crafted HTTP requests.
  • FortiOS 7.6 version is not impacted.

What versions of FortiOS are impacted?

The following versions of FortiOS are impacted by CVE-2024-21762:

  • FortiOS 7.4 – affected versions include 7.4.0 through 7.4.2
  • FortiOS 7.2 – affected versions include 7.2.0 through 7.2.6
  • FortiOS 7.0 – affected versions include 7.0.0 through 7.0.13
  • FortiOS 6.4 – affected versions include 6.4.0 through 6.4.14
  • FortiOS 6.2 – affected versions include 6.2.0 through 6.2.15
  • FortiOS 6.0 – affected versions include all versions in the 6.0 series

Remediation of CVE-2024-21762

Fortinet has released security patches to remediate the CVE-2024-21762 security vulnerability. You can upgrade the FortiOS versions as per the details shared below:

  • FortiOS 7.4 – upgrade to FortiOS 7.4.3 or above
  • FortiOS 7.2 – upgrade to FortiOS 7.2.7 or above
  • FortiOS 7.0 – upgrade to FortiOS 7.0.14 or above
  • FortiOS 6.4 – upgrade to FortiOS 6.4.15 or above
  • FortiOS 6.2 – upgrade to FortiOS 6.2.16 or above
  • FortiOS 6.0 – migrate to a fixed release
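To make the two lists above (impacted versions and the matching fixed releases) usable against an inventory, here is an added Python example; it is not Fortinet's code or tooling. It encodes the affected ranges exactly as the advisory states them, parses a FortiOS version string, and reports whether a device is affected and which remediation applies. The version-string formats it accepts ("7.2.5", "v7.2.5,build1517") and the inventory entries at the bottom are assumptions and constructed samples, not data from the advisory.

```python
"""Triage FortiOS versions against the CVE-2024-21762 affected ranges.

Added example, not Fortinet's code. The ranges below are transcribed from
the advisory text on this page; hostnames and version strings used as
input are constructed samples.
"""
from typing import NamedTuple, Optional


class Branch(NamedTuple):
    last_affected: Optional[int]  # highest affected patch level; None = whole series
    fix: str                      # remediation wording from the advisory


# (major, minor) -> affected range and fix, as listed in the advisory.
AFFECTED = {
    (7, 4): Branch(2, "upgrade to FortiOS 7.4.3 or above"),
    (7, 2): Branch(6, "upgrade to FortiOS 7.2.7 or above"),
    (7, 0): Branch(13, "upgrade to FortiOS 7.0.14 or above"),
    (6, 4): Branch(14, "upgrade to FortiOS 6.4.15 or above"),
    (6, 2): Branch(15, "upgrade to FortiOS 6.2.16 or above"),
    (6, 0): Branch(None, "migrate to a fixed release"),
}


def parse_version(text: str) -> tuple[int, int, int]:
    """Turn '7.2.5', 'v7.2.5' or 'v7.2.5,build1517' (assumed formats)
    into (major, minor, patch). Anything else raises ValueError."""
    tokens = text.strip().lstrip("vV").replace(",", " ").split()
    if not tokens:
        raise ValueError(f"empty FortiOS version string: {text!r}")
    parts = tokens[0].split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised FortiOS version: {text!r}")
    return int(parts[0]), int(parts[1]), int(parts[2])


def assess(text: str) -> dict:
    """Classify one version string. Returns a dict with the parsed
    version, an 'affected' flag and the action to take."""
    major, minor, patch = parse_version(text)
    result = {"version": f"{major}.{minor}.{patch}"}
    branch = AFFECTED.get((major, minor))
    if branch is None:
        # Branch not in the advisory's affected list (e.g. 7.6, stated as not impacted).
        result.update(affected=False, action="branch not listed as affected")
    elif branch.last_affected is None or patch <= branch.last_affected:
        result.update(affected=True, action=branch.fix)
    else:
        # Patch level already at or beyond the first fixed release of this branch.
        result.update(affected=False, action="already at or above the fixed release")
    return result


def triage(inventory: list[tuple[str, str]]) -> list[tuple[str, str, str]]:
    """Return (hostname, version, action) for every affected device,
    skipping entries whose version string cannot be parsed."""
    affected = []
    for host, version in inventory:
        try:
            verdict = assess(version)
        except ValueError:
            continue  # unparseable record: leave for manual review
        if verdict["affected"]:
            affected.append((host, verdict["version"], verdict["action"]))
    return affected


# Constructed sample inventory (not real devices).
SAMPLE_INVENTORY = [
    ("fw-branch-01", "v7.4.2,build2571"),
    ("fw-branch-02", "7.4.3"),
    ("fw-dc-01", "v7.0.13,build0523"),
    ("fw-lab-01", "7.6.0"),
    ("fw-legacy-01", "6.0.17"),
    ("fw-unknown", "n/a"),
]

if __name__ == "__main__":
    for host, ver, action in triage(SAMPLE_INVENTORY):
        print(f"{host}: FortiOS {ver} affected -> {action}")
```

Boundary versions are the easy place to get this wrong: 7.4.2 is affected while 7.4.3 is not, and 7.0.13 is affected while 7.0.14 is not, so those are the cases worth checking first when adapting the table to another advisory.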

Workaround for CVE-2024-21762

The recommended fix remains upgrading FortiOS to the fixed releases listed above. However, if you cannot upgrade immediately, Fortinet has published a workaround for CVE-2024-21762.

  • Disabling the SSL VPN mode will provide a temporary workaround for CVE-2024-21762.
  • Disabling the web mode in SSL VPN will not provide a workaround or solution for CVE-2024-21762.

Rajesh Dhawan

Rajesh Dhawan is a technology professional who loves to blog about smart wearables, Cloud computing and Microsoft technologies. He loves to break complex problems into manageable chunks of meaningful information.