CVE-2024-21762
CVE-2024-21762 is a critical-severity vulnerability in Fortinet Fortiproxy with a CVSS 3.x base score of 9.8. It is listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, confirming it has been exploited in the wild (added 2024-02-09). The underlying weakness is classified as CWE-787.
Key facts
- Severity: Critical (CVSS 3.x base score 9.8)
- EPSS exploit prediction: 83% (100th percentile)
- Actively exploited: Yes — listed in CISA KEV (added 2024-02-09)
- EU (EUVD) id: EUVD-2024-19376
- EU exploitation: Flagged exploited in the ENISA EU Vulnerability Database (since 2024-02-09)
- Weakness: CWE-787
- Affected product: Fortinet Fortiproxy
- Published:
- Last modified:
Description
A out-of-bounds write in Fortinet FortiOS versions 7.4.0 through 7.4.2, 7.2.0 through 7.2.6, 7.0.0 through 7.0.13, 6.4.0 through 6.4.14, 6.2.0 through 6.2.15, 6.0.0 through 6.0.17, FortiProxy versions 7.4.0 through 7.4.2, 7.2.0 through 7.2.8, 7.0.0 through 7.0.14, 2.0.0 through 2.0.13, 1.2.0 through 1.2.13, 1.1.0 through 1.1.6, 1.0.0 through 1.0.7 allows attacker to execute unauthorized code or commands via specifically crafted requests
CVE-2024-21762: Fortinet FortiOS/FortiProxy Out-of-Bounds Write (CWE-787)
AI-generated analysis based on the vulnerability data on this page.
| Attribute | Value |
|---|---|
| CVE ID | CVE-2024-21762 |
| CWE | CWE-787 (Out-of-bounds Write) |
| CVSS 3.1 | 9.8 (Critical) — AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| EPSS | 0.83428 (99.65th percentile) |
| KEV | Yes — CISA catalog and EU exploited since 2024-02-09 |
| Vendor | Fortinet |
| Products | FortiOS, FortiProxy |
Summary
An out-of-bounds write vulnerability in Fortinet FortiOS and FortiProxy allows unauthenticated remote attackers to execute arbitrary code or commands via specifically crafted requests to the SSL VPN interface.
Background
Fortinet FortiOS is the operating system powering FortiGate next-generation firewalls, while FortiProxy provides secure web gateway capabilities. Both products are widely deployed at network perimeters worldwide. In February 2024, Fortinet disclosed a critical memory-safety vulnerability affecting the SSL VPN functionality in both product lines, which has since been actively exploited in the wild.
Root Cause
The vulnerability is classified as CWE-787 (Out-of-bounds Write). This occurs when software writes data past the end of an intended buffer. In FortiOS and FortiProxy's SSL VPN packet processing logic, insufficient bounds checking allows a specially crafted request to trigger a buffer overflow, enabling an attacker to overwrite adjacent memory regions and hijack execution flow.
Impact
With a CVSS 3.1 base score of 9.8 (Critical), this vulnerability is network exploitable with low attack complexity, requiring no privileges and no user interaction. The impact metrics are Confidentiality: HIGH, Integrity: HIGH, and Availability: HIGH. Successful exploitation grants an unauthenticated remote attacker the ability to execute unauthorized code or commands with the privileges of the SSL VPN service, effectively compromising the perimeter security device and enabling lateral movement into the protected network.
Exploitation Walkthrough
From a defensive perspective, exploitation involves an attacker sending malformed requests to an exposed SSL VPN interface (commonly TCP/443 or TCP/10443). The crafted requests exploit the bounds-checking deficiency to overwrite function pointers or other control structures in memory. Security teams should not attempt to reproduce this vulnerability in production environments. Instead, defenders should:
- Monitor SSL VPN endpoints for anomalous request patterns, including unexpected payload sizes and malformed TLS handshakes.
- Alert on repeated connection attempts from untrusted sources or unusual geolocations.
- Review Fortinet's Threat Intelligence for indicators of compromise (IoCs) associated with this campaign.
The existence of active exploitation has been confirmed by CISA and the EU Vulnerability Database (EUVD-2024-19376).
Affected and Patched Versions
Affected FortiOS versions:
- 6.0.0 through 6.0.17
- 6.2.0 through 6.2.15
- 6.4.0 through 6.4.14
- 7.0.0 through 7.0.13
- 7.2.0 through 7.2.6
- 7.4.0 through 7.4.2
Affected FortiProxy versions:
- 1.0.0 through 1.0.7
- 1.1.0 through 1.1.6
- 1.2.0 through 1.2.13
- 2.0.0 through 2.0.13
- 7.0.0 through 7.0.14
- 7.2.0 through 7.2.8
- 7.4.0 through 7.4.2
Specific patched versions were not provided in the source data; consult Fortinet PSIRT advisory FG-IR-24-015 for the exact upgrade paths.
Remediation
- Upgrade immediately: Apply the latest patched firmware versions from Fortinet as specified in FG-IR-24-015.
- Disable SSL VPN if unused: If the SSL VPN feature is not required, disable it to eliminate the attack surface entirely.
- Restrict access: Limit SSL VPN portal access to trusted IP ranges via firewall rules or FortiGate local-in policies.
- Enable MFA: Enforce multi-factor authentication for all VPN access as a compensating control (note: this does not block the vulnerability itself, but raises the bar for post-exploitation access).
- Monitor: Review FortiGate logs for signs of compromise and conduct forensic analysis if exploitation is suspected.
Detection
- Monitor SSL VPN access logs for unusual connection patterns, repeated failed handshakes, or requests from unexpected geolocations.
- Deploy network intrusion detection systems (IDS) with signatures for known FortiOS SSL VPN exploitation attempts.
- Check for newly created local administrator accounts or unauthorized configuration changes on FortiGate devices.
- Review Fortinet's threat intelligence feeds for IoCs associated with CVE-2024-21762.
Assessment
This vulnerability carries an EPSS score of 0.83428, placing it in the 99.65th percentile of observed vulnerabilities, indicating a very high probability of active exploitation. It is listed in both the CISA Known Exploited Vulnerabilities (KEV) catalog and the EU Vulnerability Database (EUVD-2024-19376) as actively exploited since February 9, 2024. The combination of a critical CVSS score, network attack vector, no authentication requirement, and confirmed in-the-wild exploitation makes this a maximum-priority patching item.
Key lessons:
- Memory-safety issues in perimeter-facing VPN services remain a primary attack vector for threat actors and demand rigorous input validation and secure coding practices.
- Organizations must maintain accurate asset inventories of FortiOS/FortiProxy versions and have expedited patch procedures for critical, KEV-listed vulnerabilities.
References
Frequently asked questions
- What is CVE-2024-21762?
- A out-of-bounds write in Fortinet FortiOS versions 7.4.0 through 7.4.2, 7.2.0 through 7.2.6, 7.0.0 through 7.0.13, 6.4.0 through 6.4.14, 6.2.0 through 6.2.15, 6.0.0 through 6.0.17, FortiProxy versions 7.4.0 through 7.4.2, 7.2.0 through 7.2.8, 7.0.0 through 7.0.14, 2.0.0 through 2.0.13, 1.2.0 through 1.2.13, 1.1.0 through 1.1.6, 1.0.0 through 1.0.7 allows attacker to execute unauthorized code or commands via specifically crafted requests
- How severe is CVE-2024-21762?
- CVE-2024-21762 has a CVSS 3.x base score of 9.8, rated critical severity. It is exploitable over network with low attack complexity, requires no privileges and no user interaction. Impact on confidentiality is high, integrity high, and availability high.
- Is CVE-2024-21762 being actively exploited?
- Yes. CVE-2024-21762 is on CISA's Known Exploited Vulnerabilities (KEV) catalog, added on 2024-02-09, which means active exploitation has been confirmed. It should be prioritised for remediation.
- What products are affected by CVE-2024-21762?
- CVE-2024-21762 primarily affects Fortinet Fortiproxy. In total, 2 product configurations (CPEs) are listed as vulnerable; see the affected-products list for the exact versions.
- How do I fix CVE-2024-21762?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Because this CVE is known to be actively exploited, treat remediation as urgent — CISA KEV typically sets a short remediation deadline.
- Does CVE-2024-21762 have an EU (EUVD) identifier?
- Yes. CVE-2024-21762 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2024-19376. It is also flagged as exploited in the EUVD (since 2024-02-09).
- When was CVE-2024-21762 published?
- CVE-2024-21762 was published on 2024-02-09 and last updated on 2026-06-17.
References
- https://fortiguard.com/psirt/FG-IR-24-015
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-21762
Affected products (2)
- cpe:2.3:a:fortinet:fortiproxy:*:*:*:*:*:*:*:*
- cpe:2.3:o:fortinet:fortios:*:*:*:*:*:*:*:*
More vulnerabilities in Fortinet Fortiproxy
- CVE-2026-24858 — Critical (CVSS 9.8): An Authentication Bypass Using an Alternate Path or Channel vulnerability [CWE-288] vulnerability in Fortinet…
- CVE-2025-59718 — Critical (CVSS 9.8): A improper verification of cryptographic signature vulnerability in Fortinet FortiOS 7.6.0 through 7.6.3, FortiOS 7.4.0…
- CVE-2025-22252 — Critical (CVSS 9.8): A missing authentication for critical function in Fortinet FortiProxy versions 7.6.0 through 7.6.1, FortiSwitchManager…
- CVE-2023-25610 — Critical (CVSS 9.8): A buffer underwrite ('buffer underflow') vulnerability in the administrative interface of Fortinet FortiOS version…
- CVE-2024-55591 — Critical (CVSS 9.8): An Authentication Bypass Using an Alternate Path or Channel vulnerability [CWE-288] affecting FortiOS version 7.0.0…
- CVE-2023-42789 — Critical (CVSS 9.8): A out-of-bounds write in Fortinet FortiOS 7.4.0 through 7.4.1, 7.2.0 through 7.2.5, 7.0.0 through 7.0.12, 6.4.0 through…
All CVEs affecting Fortinet Fortiproxy →
Other CWE-787 (Out-of-bounds Write) vulnerabilities
- CVE-2026-42369 — Critical (CVSS 10.0): GV-VMS V20 is a Video Monitoring Software used to gather the feeds of many surveillance cameras and manage other…
- CVE-2026-4746 — Critical (CVSS 10.0): Out-of-bounds Write vulnerability in timeplus-io proton (base/poco/Foundation/src modules). This vulnerability is…
- CVE-2025-43300 — Critical (CVSS 10.0): An out-of-bounds write issue was addressed with improved bounds checking. This issue is fixed in iOS 15.8.5 and iPadOS…
- CVE-2025-24201 — Critical (CVSS 10.0): An out-of-bounds write issue was addressed with improved checks to prevent unauthorized actions. This issue is fixed in…
- CVE-2024-42479 — Critical (CVSS 10.0): llama.cpp provides LLM inference in C/C++. The unsafe `data` pointer member in the `rpc_tensor` structure can cause…
- CVE-2024-39791 — Critical (CVSS 10.0): Stack-based buffer overflow vulnerabilities affecting Vonets industrial wifi bridge relays and wifi bridge…