February 2024 · Edge devices

FortiOS SSL-VPN out-of-bounds write under active exploitation

CVE-2024-21762 is an out-of-bounds write vulnerability in the SSL-VPN component of Fortinet's FortiOS. It allows a remote, unauthenticated attacker to execute arbitrary code or commands on an affected device by sending specially crafted HTTP requests. The NVD entry rates it critical, with a CVSS score of 9.8.

Why it matters for your perimeter

The SSL-VPN portal is, by design, exposed to the public internet — it's how remote staff reach the network. That makes a pre-authentication flaw in it exactly the kind of foothold ransomware operators look for: no credentials required, reachable from anywhere, and sitting at the edge of the trusted network. Fortinet noted the issue was potentially being exploited in the wild, and CISA added it to its Known Exploited Vulnerabilities (KEV) catalog, signalling confirmed real-world abuse.

Who's affected and what to do

Multiple FortiOS branches are affected; Fortinet's advisory (FG-IR-24-015) lists the exact vulnerable and fixed builds. The primary fix is to upgrade to a patched FortiOS release. Where you can't patch immediately, Fortinet's interim guidance is to disable SSL-VPN until you can. Treat any internet-reachable FortiGate SSL-VPN as urgent, and check logs for signs of exploitation.
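The triage described above (is the build in a vulnerable range, is SSL-VPN enabled, is it internet-reachable) is easy to get wrong across a fleet of FortiGates when done by hand. The script below is an added example written for this post; it is not Fortinet's tooling and not part of the original article. It parses FortiOS version strings as they appear in `get system status` output and applies a branch-by-branch range check. The version ranges in it are placeholders: the exact vulnerable and fixed builds must be copied from advisory FG-IR-24-015 before using it on a real inventory, and the inventory itself is constructed sample data.

```python
"""Triage FortiGate devices for CVE-2024-21762 by firmware branch and SSL-VPN exposure.

Added example, not Fortinet's code. PLACEHOLDER_RANGES is illustrative only;
replace it with the affected/fixed builds listed in FG-IR-24-015.
"""
from __future__ import annotations

import re
from typing import NamedTuple, Optional


class Branch(NamedTuple):
    major: int
    minor: int
    first_vulnerable_patch: int   # inclusive
    last_vulnerable_patch: int    # inclusive
    fixed_patch: Optional[int]    # None: no fixed build on this branch, migrate instead


# PLACEHOLDER table. The numbers are illustrative, not taken from the advisory.
PLACEHOLDER_RANGES = [
    Branch(7, 4, 0, 2, 3),       # placeholder: 7.4.0..7.4.2 vulnerable, 7.4.3 fixed
    Branch(7, 2, 0, 6, 7),       # placeholder
    Branch(7, 0, 0, 13, 14),     # placeholder
    Branch(6, 0, 0, 99, None),   # placeholder: whole branch vulnerable, no fix, migrate
]

# FortiOS reports versions like "v7.2.6,build1575,231017 (GA)" or "7.0.13 build0567".
VERSION_RE = re.compile(r"v?(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> tuple[int, int, int]:
    """Extract (major, minor, patch) from a FortiOS version string; ignore build tags."""
    m = VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no FortiOS version found in {text!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return major, minor, patch


def assess(version_text: str, ranges=PLACEHOLDER_RANGES) -> tuple[str, str]:
    """Return (status, advice) for one firmware version against the range table."""
    major, minor, patch = parse_version(version_text)
    for b in ranges:
        if (b.major, b.minor) != (major, minor):
            continue
        if b.first_vulnerable_patch <= patch <= b.last_vulnerable_patch:
            if b.fixed_patch is None:
                return "VULNERABLE", f"no fixed build on {major}.{minor}; migrate to a supported branch"
            return "VULNERABLE", f"upgrade to {major}.{minor}.{b.fixed_patch} or later"
        return "NOT_IN_RANGE", f"{major}.{minor}.{patch} is outside the listed vulnerable range"
    # A branch missing from the table is not evidence of safety; check the advisory.
    return "UNKNOWN_BRANCH", f"{major}.{minor} is not in the range table; consult the advisory"


def triage(version_text: str, sslvpn_enabled: bool, internet_reachable: bool) -> tuple[str, str]:
    """Combine the version check with the exposure facts the post says to weigh."""
    status, advice = assess(version_text)
    if status != "VULNERABLE":
        return status, advice
    if not sslvpn_enabled:
        # Interim mitigation is in place; still patch at the next window.
        return "VULNERABLE_SSLVPN_DISABLED", "SSL-VPN disabled; schedule the upgrade (" + advice + ")"
    if internet_reachable:
        return "URGENT", "internet-reachable SSL-VPN on a vulnerable build: " + advice + ", or disable SSL-VPN until patched"
    return "VULNERABLE_INTERNAL", "SSL-VPN not internet-reachable; " + advice


# Constructed sample inventory (hostname, version string, sslvpn_enabled, internet_reachable).
SAMPLE_INVENTORY = [
    ("fw-edge-01", "v7.2.6,build1575,231017 (GA)", True, True),
    ("fw-edge-02", "v7.4.3,build2573,240201 (GA)", True, True),
    ("fw-lab-01", "v7.0.12 build0523", True, False),
    ("fw-old-01", "v6.0.17,build0419", False, True),
    ("fw-misc-01", "v5.6.14,build1727", True, True),
]


def triage_inventory(inventory=SAMPLE_INVENTORY) -> list[tuple[str, str, str]]:
    """Return (hostname, status, advice) rows, most urgent first."""
    order = {"URGENT": 0, "VULNERABLE_INTERNAL": 1, "VULNERABLE_SSLVPN_DISABLED": 2,
             "UNKNOWN_BRANCH": 3, "NOT_IN_RANGE": 4}
    rows = [(host, *triage(ver, vpn, inet)) for host, ver, vpn, inet in inventory]
    return sorted(rows, key=lambda r: order[r[1]])


if __name__ == "__main__":
    for host, status, advice in triage_inventory():
        print(f"{host:12} {status:28} {advice}")
```

Devices in an unknown branch are deliberately not reported as safe; a branch absent from the table usually means the table is incomplete, not that the build is unaffected.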

If you're not sure whether your FortiGate's SSL-VPN is internet-reachable — or which CVEs your firmware is exposed to — that's exactly what an external firewall pentest answers in minutes.

Sources

NVD — CVE-2024-21762
Fortinet PSIRT — FG-IR-24-015
CISA Known Exploited Vulnerabilities Catalog

Is your firewall exposed to a known CVE right now?

Run a free authorized firewall pentest — open ports, exposed services and the known CVEs for your exact platform, validated and emailed to you.
