Pierluigi Paganini March 09, 2024

Researchers warn that the critical vulnerability CVE-2024-21762 in Fortinet FortiOS could potentially impact 150,000 exposed devices.

In February, Fortinet warned that the critical remote code execution vulnerability CVE-2024-21762 (CVSS score 9.6) in FortiOS SSL VPN was actively exploited in attacks in the wild.

The security firm did not provide details about the attacks exploiting this vulnerability.

The issue is an out-of-bounds write vulnerability that can be exploited by sending specially crafted HTTP requests to vulnerable instances. The vendor recommends to disable SSL VPN as a workaround.

“A out-of-bounds write vulnerability [CWE-787] in FortiOS may allow a remote unauthenticated attacker to execute arbitrary code or command via specially crafted HTTP requests.” reads the advisory.

“Workaround : disable SSL VPN (disable webmode is NOT a valid workaround). Note: This is potentially being exploited in the wild.”

The following table includes the list of the impacted versions and the available versions that solve the issue.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added this vulnerability to its Known Exploited Vulnerabilities (KEV) catalog.

This week, researchers at the Shadowserver Foundation announced that nearly 150,000 devices are still potentially impacted by the issue despite Fortinet added it to the catalog.

The researchers scanned the Internet for Internet-facing Fortinet FortiOS and FortiProxy secure web gateway systems vulnerable to CVE-2024-21762.

The majority of vulnerable devices (at March 9, 2024) are in the United States (24.647), followed by India (7.713), and Brazil (4.934).

Researchers from GreyNoise also published an interesting analysis on the bug, titled “Hunting for Fortinet CVE-2024-21762: Vulnerability Research for Detection Engineering.”

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, FortiOS)