CVE-2024-21762
published 2024-02-09


Priority: P1 · 99 · critical · CVSS 3.1 base score 9.8
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Tags: KEV · ITW · EXPLOIT · Ransomware · Initial access
CISA Known Exploited Vulnerability, due 2024-02-16
Exploited in the wild
EPSS: 80.84% (99.6th percentile)
An out-of-bounds write in Fortinet FortiOS versions 7.4.0 through 7.4.2, 7.2.0 through 7.2.6, 7.0.0 through 7.0.13, 6.4.0 through 6.4.14, 6.2.0 through 6.2.15, 6.0.0 through 6.0.17, and FortiProxy versions 7.4.0 through 7.4.2, 7.2.0 through 7.2.8, 7.0.0 through 7.0.14, 2.0.0 through 2.0.13, 1.2.0 through 1.2.13, 1.1.0 through 1.1.6, 1.0.0 through 1.0.7 allows an attacker to execute unauthorized code or commands via specifically crafted requests.

Affected

26 ranges (showing 25)

Vendor     Product      Version range          Fixed in
fortinet   fortinet
fortinet   fortios
fortinet   fortios      >= 6.0.0 < 6.0.18      6.0.18
fortinet   fortios      6.0.0 – 6.0.17
fortinet   fortios      >= 6.2.0 < 6.2.16      6.2.16
fortinet   fortios      6.2.0 – 6.2.15
fortinet   fortios      >= 6.4.0 < 6.4.15      6.4.15
fortinet   fortios      6.4.0 – 6.4.14
fortinet   fortios      >= 7.0.0 < 7.0.14      7.0.14
fortinet   fortios      7.0.0 – 7.0.13
fortinet   fortios      >= 7.2.0 < 7.2.7       7.2.7
fortinet   fortios      7.2.0 – 7.2.6
fortinet   fortios      >= 7.4.0 < 7.4.3       7.4.3
fortinet   fortios      7.4.0 – 7.4.2
fortinet   fortiproxy
fortinet   fortiproxy   >= 1.0.0 < 2.0.14      2.0.14
fortinet   fortiproxy   1.0.0 – 1.0.7
fortinet   fortiproxy   1.1.0 – 1.1.6
fortinet   fortiproxy   1.2.0 – 1.2.13
fortinet   fortiproxy   2.0.0 – 2.0.13
fortinet   fortiproxy   >= 7.0.0 < 7.0.15      7.0.15
fortinet   fortiproxy   7.0.0 – 7.0.14
fortinet   fortiproxy   >= 7.2.0 < 7.2.9       7.2.9
fortinet   fortiproxy   7.2.0 – 7.2.8
fortinet   fortiproxy   >= 7.4.0 < 7.4.3       7.4.3

Detection & IOCs (extracted from sources)

path: language files folder (SSL-VPN) with symbolic link to root filesystem
  • Look for symbolic links in the SSL-VPN language files folder pointing to the root filesystem; this is the post-exploitation persistence mechanism used after CVE-2024-21762 exploitation.
  • Monitor the FortiGate SSL-VPN web panel for unexpected file access via the publicly accessible language files path, which may indicate a symlink-based persistence backdoor.
  • CVE-2024-21762 is exploited via specially crafted HTTP requests to the FortiOS SSL-VPN; monitor for anomalous or malformed HTTP requests targeting SSL-VPN endpoints.
  • CVE-2024-21762 has been linked to Qilin ransomware group operations; correlate FortiGate compromise indicators with downstream ransomware activity.
  • Disabling SSL VPN entirely is the only available workaround if patching is not immediately possible; there is no partial mitigation for CVE-2024-21762 short of full SSL-VPN disablement.
  • Patching alone does not remove the symlink-based persistence backdoor; admins must also manually inspect and remove malicious symlinks left in the SSL-VPN language files folder.
  • FortiOS 7.6 is not affected by CVE-2024-21762; detection and patching efforts should focus on versions 6.0 through 7.4.2.

CVSS provenance

nvd         v3.1   9.8   CRITICAL   CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vulncheck          9.8   CRITICAL
cisa               9.8   CRITICAL