Internet-facing SSL VPNs are among the most attractive targets in security, because they are exposed by design and sit at the network edge. CVE-2024-21762 is a prime example: a pre-authentication memory corruption bug in the FortiOS SSL VPN daemon that lets a remote attacker run code on a FortiGate firewall. Fortinet disclosed it on February 8, 2024, warning it was potentially being exploited in the wild.
ID and severity
CVE-2024-21762 is an out-of-bounds write (CWE-787) in the FortiOS SSL VPN component. There are two published severity ratings worth knowing: the NVD scores it CVSS 3.1 9.8 (Critical) with vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, while Fortinet's own PSIRT advisory FG-IR-24-015 scored it 9.6. Either way it is critical: network-reachable, no authentication, and it yields code execution. CISA added it to the Known Exploited Vulnerabilities catalog on February 9, 2024.
Timeline and impact
Fortinet published FG-IR-24-015 on February 8, 2024, and CISA listed the flaw as known-exploited the next day. The advisory language ("potentially exploited in the wild") and the immediate KEV listing pushed operators into an emergency patch cycle. Fortinet added additional fixed builds on February 23, 2024, as coverage expanded across product branches.
FortiGate SSL VPNs protect the perimeter for a vast number of organizations, and Fortinet edge devices have a long history of being targeted for initial access by both criminal and state-aligned actors. A pre-auth RCE in the SSL VPN daemon is close to a worst case for a firewall vendor, because the vulnerable service is exactly the one that must remain reachable.
Root cause
The bug lives in sslvpnd, the daemon that terminates SSL VPN connections, and it is an out-of-bounds write triggered during HTTP request parsing. The relevant detail is how the daemon handled HTTP requests using chunked transfer encoding.
In chunked encoding, a request body is sent as a series of chunks, each prefixed by a length field. A parser must read that declared length, then read exactly that many bytes into a buffer. In the vulnerable code, an attacker could craft chunk length values that did not match the actual buffer bounds, causing the daemon to write attacker-influenced data past the end of an allocated buffer. A safe illustration: the request says "the next chunk is N bytes," the parser trusts N without fully validating it against the destination buffer, and the mismatch corrupts adjacent memory.
Because sslvpnd runs with high privilege, controlling that memory corruption can be steered toward remote code execution. This is the same category of edge-device memory-safety failure that has produced repeated pre-auth VPN vulnerabilities across the industry: complex, hand-written parsers in privileged C daemons that face the raw internet.
Detection
- Inventory every FortiGate and record its exact FortiOS version, then compare against the affected ranges below.
- Identify which devices have the SSL VPN feature enabled and reachable from the internet. Those are the immediate exposure.
- Review SSL VPN and crash logs for unexpected
sslvpndrestarts or crashes, which can accompany exploitation attempts against a memory-corruption bug. - Fortinet published indicators of compromise in FG-IR-24-015; check for the file-system and log artifacts it lists, and treat any exposed, unpatched device as a candidate for compromise assessment.
Remediation and patched versions
Upgrade to a fixed FortiOS release. According to the NVD and Fortinet, the affected ranges and fixes are:
- 7.4.0 through 7.4.2, fixed in 7.4.3
- 7.2.0 through 7.2.6, fixed in 7.2.7
- 7.0.0 through 7.0.13, fixed in 7.0.14
- 6.4.0 through 6.4.14, fixed in 6.4.15
- 6.2.0 through 6.2.15, fixed in 6.2.16
- 6.0.0 through 6.0.17, fixed in 6.0.18
If you cannot patch immediately, Fortinet's workaround is to disable the SSL VPN feature. Note that merely disabling the web-mode landing page is not sufficient; the SSL VPN service itself must be disabled. After patching, review the device for compromise, because an edge device that was reachable and unpatched should not be assumed clean.
How Safeguard helps
A FortiGate is an appliance you cannot instrument with a package manager, but the discipline that catches CVE-2024-21762 quickly is the same one supply chain security enforces everywhere: know every version-pinned component you run, and rank it against real-world exploitation. Safeguard's software composition analysis tracks the components in your build and deployment artifacts and cross-references them against the CISA KEV catalog, so a known-exploited flaw is surfaced at the top of the queue the day it lands. For the services you ship yourself, container scanning flags vulnerable and end-of-life images before deployment, and the Safeguard CLI enforces that as a hard gate in CI/CD. If you are comparing this KEV-aware, exploit-driven prioritization against another scanner, the Safeguard vs Snyk breakdown is a useful reference.
Edge devices are where attackers look first, so a fix-available pre-auth RCE deserves to be flagged loudly on day one. Get started free or read the documentation.
Frequently Asked Questions
What is CVE-2024-21762?
It is a pre-authentication out-of-bounds write vulnerability in the FortiOS SSL VPN daemon (sslvpnd) that allows a remote, unauthenticated attacker to execute arbitrary code by sending specially crafted HTTP requests. It is rated CVSS 9.8 by the NVD and 9.6 in Fortinet's own advisory.
Which FortiOS versions are affected and which are fixed?
Affected ranges are 7.4.0-7.4.2, 7.2.0-7.2.6, 7.0.0-7.0.13, 6.4.0-6.4.14, 6.2.0-6.2.15, and 6.0.0-6.0.17. The corresponding fixes are 7.4.3, 7.2.7, 7.0.14, 6.4.15, 6.2.16, and 6.0.18 (or later within each branch).
Was CVE-2024-21762 exploited in the wild?
Fortinet's advisory stated the flaw was potentially being exploited in the wild, and CISA added it to the Known Exploited Vulnerabilities catalog on February 9, 2024, the day after disclosure. FortiGate SSL VPNs are frequently targeted for initial access, so unpatched exposed devices should be treated as high risk.
What is the workaround if I cannot patch immediately?
Fortinet recommends disabling the SSL VPN feature entirely as a temporary mitigation. Disabling only the web-mode portal is not enough. This reduces exposure but is not a substitute for upgrading to a fixed FortiOS release, and any previously exposed device should undergo a compromise assessment.