Vulnerability in 150K+ Fortinet Devices Let Hackers Execute Arbitrary Code Remotely

A critical security flaw identified as CVE-2024-21762 has been discovered in Fortinet’s FortiOS and FortiProxy secure web gateway systems, potentially impacting around 150,000 devices worldwide.

The vulnerability allows for unauthenticated remote code execution (RCE) by sending specially crafted HTTP requests to the affected machines.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has confirmed that attackers actively exploit the flaw, adding it to its Known Exploited Vulnerabilities (KEV) catalog.

Federal Civilian Executive Branch (FCEB) agencies must apply the fixes by February 16, 2024, to secure their networks against potential threats.

CVE-2024-21762 – Devices Affected

The vulnerability affects a wide range of Fortinet’s security appliances, including versions of FortiOS, FortiProxy, FortiSwitchManager, and FortiAnalyzer.

Organizations commonly use these devices to manage network security, which makes the flaw particularly concerning because it could grant access to sensitive information.

According to the FortiGuard Labs’ security advisory, the vulnerability is the result of an improper limitation of a pathname to a restricted directory, which could be exploited by an unauthenticated attacker via the internet.

This could lead to arbitrary code execution on the underlying operating system of affected devices.

Exploitation of this vulnerability has been reported in the wild, with attackers actively seeking to compromise devices that have not yet been patched.

The flaw’s severity has been underscored by its high CVSS score, which reflects the ease of exploitation and the potential impact on affected systems.

As per the Shadowserver report, more than 150,000 devices have been identified as vulnerable.

Fortinet has released patches for the affected versions and is urging customers to update their devices immediately to mitigate the risk. The affected versions and the corresponding patches can be found on Fortinet’s official advisory page.

BishopFox has made a check script available on GitHub for users and administrators who are unsure if their devices are vulnerable. The script, CVE-2024-21762-check, can be used to determine if a Fortinet device is susceptible to the flaw, facilitating a more efficient response to the threat.

Follow the recommended upgrade guidance.

  • Based on the fixed versions provided and the availability of the Fortinet upgrade tool at https://docs.fortinet.com/upgrade-tool
  • Disable SSL VPN (disabling web mode is NOT a valid workaround) until the upgrade can be performed.
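The workaround above can be audited offline against a saved configuration backup. The following is an added example, not code from Fortinet, BishopFox or the original article. It assumes FortiOS 7.x-style CLI stanzas (`config vpn ssl settings` with `set status`, and `set web-mode` under `config vpn ssl web portal`), which the article itself does not show, and the function names and sample text are constructed for illustration.

```python
import re

# Constructed FortiOS-style backup excerpt (not from a real device): web mode
# is off on the portal, but the SSL VPN service itself is still enabled.
SAMPLE = """\
config vpn ssl settings
    set status enable
    set port 10443
end
config vpn ssl web portal
    edit "full-access"
        set tunnel-mode enable
        set web-mode disable
    next
end
"""

def stanza(config, header):
    """Depth-1 lines of the 'config <header>' block, or None if absent."""
    out, depth = [], 0
    for line in config.splitlines():
        s = line.strip()
        if depth == 0:
            depth = 1 if s == f"config {header}" else 0
        elif s.startswith("config "):
            depth += 1          # nested sub-block: skip its lines
        elif s == "end":
            depth -= 1
            if depth == 0:
                return out
        elif depth == 1:
            out.append(s)
    return None

def audit_ssl_vpn(config):
    """Classify the SSL VPN workaround state of a config backup."""
    status = None
    for s in stanza(config, "vpn ssl settings") or []:
        m = re.fullmatch(r"set status (enable|disable)", s)
        if m:
            status = m.group(1)
    if status == "disable":
        return "workaround-applied"
    if status is None:
        return "verify-on-device"  # value not in backup; do not assume a default
    portals = stanza(config, "vpn ssl web portal") or []
    if "set web-mode disable" in portals:
        return "not-applied-web-mode-only"  # the state the advisory warns about
    return "not-applied"

if __name__ == "__main__":
    print(audit_ssl_vpn(SAMPLE))
```

A result of `verify-on-device` means the backup does not state the setting explicitly, so the running configuration has to be checked directly.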

Guru Baran

Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.
