Fortinet on Thursday announced patches for a critical remote code execution vulnerability in FortiOS that may have been exploited in the wild.
The security hole, tracked as CVE-2024-21762, impacts FortiOS versions 6.0, 6.2, 6.4, 7.0, 7.2 and 7.4. Patches have been released for each impacted version, except for 6.0 — 6.0 users are being advised to migrate to a newer version. FortiOS 7.6 is not affected by the vulnerability.
As a workaround, users can disable the SSL VPN feature. Disabling the SSL VPN web mode does not mitigate the vulnerability, Fortinet said.
CVE-2024-21762 appears to be a zero-day, with Fortinet saying that it’s “potentially being exploited in the wild”.
The vulnerability is described as an out-of-bounds write issue that can be exploited by a remote, unauthenticated attacker for arbitrary code execution using specially crafted HTTP requests.
Fortinet has not shared any information on the attacks potentially exploiting CVE-2024-21762, but the company’s advisory came just as it revealed that some customers have yet to patch two older vulnerabilities, CVE-2022-42475 and CVE-2023-27997, which have been exploited in attacks by APTs linked to China and other countries.
The Chinese threat group named Volt Typhoon has been known to target Fortinet devices — in addition to products from Cisco and Netgear — in an effort to ensnare them in a botnet. The US recently disrupted this botnet.
Also on Thursday, Fortinet announced patches for CVE-2024-23113, an internally discovered issue that can be exploited for unauthenticated remote code execution.
Related: Fortinet Warns Customers of Possible Zero-Day Exploited in Limited Attacks
Related: Fortinet Patches Critical Vulnerabilities in FortiSIEM
Related: Fortinet Patches High-Severity Vulnerabilities in FortiOS, FortiProxy, FortiWeb Products