Fortinet FortiOS SSL VPN Unauthenticated RCE (CVE-2024-21762)
by d0rb (PoC), vulnerability publicly documented by Fortinet/industry researchers · 2026-05-16
- Severity: Critical
- CVE: CVE-2024-21762
- Category: web
- Affected product: Fortinet FortiOS SSL VPN (sslvpnd)
- Affected versions: FortiOS 7.4.0–7.4.2, 7.2.0–7.2.6, 7.0.0–7.0.13, 6.4.0–6.4.14, 6.2.0–6.2.15
- Disclosed: 2026-05-16
- Patch status: patched
References
Archive entry: intelseclab/poc-archive
Metadata
| Field | Value |
|---|---|
| Date Added | 2026-05-16 |
| Author / Researcher | d0rb (PoC), vulnerability publicly documented by Fortinet/industry researchers |
| CVE / Advisory | CVE-2024-21762 |
| Category | web |
| Severity | Critical |
| CVSS Score | 9.6 (CVSSv3) |
| Status | Weaponized |
| Tags | RCE, out-of-bounds-write, SSL-VPN, FortiOS, edge-appliance, unauthenticated, KEV |
| Related | N/A |
Affected Target
| Field | Value |
|---|---|
| Software / System | Fortinet FortiOS SSL VPN (sslvpnd) |
| Versions Affected | FortiOS 7.4.0–7.4.2, 7.2.0–7.2.6, 7.0.0–7.0.13, 6.4.0–6.4.14, 6.2.0–6.2.15 |
| Language / Platform | FortiOS appliance SSL VPN web interface over HTTP/HTTPS |
| Authentication Required | No |
| Network Access Required | Yes |
Summary
CVE-2024-21762 is a critical out-of-bounds write in FortiOS sslvpnd reachable through the SSL VPN web interface. A remote unauthenticated attacker can send crafted HTTP requests to corrupt memory and potentially achieve remote code execution. Public reporting and government advisories indicate active exploitation in the wild, and the vulnerability is listed in CISA KEV.
Vulnerability Details
Root Cause
The flaw is an out-of-bounds write condition in SSL VPN request processing inside the sslvpnd daemon. Crafted request data can push memory operations outside intended bounds, enabling attacker-controlled memory corruption.
Attack Vector
An attacker with network reachability to exposed FortiOS SSL VPN endpoints sends specially crafted HTTP(S) requests to vulnerable paths (PoC examples commonly use /remote/hostcheck_validate) to trigger the out-of-bounds write and pivot to an ROP-based execution path.
Impact
Successful exploitation can lead to unauthenticated remote code execution on perimeter security appliances. This can result in device takeover, lateral movement, credential access, and persistence from a highly privileged network position.
Environment / Lab Setup
OS: Linux/macOS/Windows attacker host with Python 3
Target: Authorized FortiOS SSL VPN endpoint in vulnerable version range
Attacker: Security testing workstation
Tools: Python 3, socket-capable network access, packet capture (optional)
Setup Steps
Proof of Concept
Step-by-Step Reproduction
1. Confirm authorized scope and reachable SSL VPN service.

   ```
   nc -vz <target-ip-or-hostname> 443
   ```

2. Edit target parameters in the PoC (TARGET_HOST, PORT) for your authorized lab target.

   ```
   sed -n '1,30p' PoC.py
   ```

3. Run the PoC to send crafted trigger traffic.

   ```
   python3 PoC.py
   ```
Exploit Code
See PoC.py in this folder.
Expected Output
Screenshots / Evidence
screenshots/: add authorized captures (traffic traces, target crash logs, controlled exploit validation)
Detection & Indicators of Compromise
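SIEM / IDS Rule (example):

```
# The http keywords only match where the sensor sees decrypted HTTP
# (TLS inspection, or a sensor placed behind TLS termination).
alert http any any -> $HOME_NET 443 (msg:"Possible FortiOS CVE-2024-21762 exploitation attempt"; flow:to_server,established; content:"POST"; http_method; content:"/remote/hostcheck_validate"; http_uri; sid:952421762; rev:1;)
```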
Remediation
| Action | Detail |
|---|---|
| Patch | Apply Fortinet fixes from FG-IR-24-015 (upgrade to patched FortiOS trains such as 7.4.3+, 7.2.7+, 7.0.14+, 6.4.15+, 6.2.16+) |
| Workaround | Restrict or disable Internet-exposed SSL VPN where possible until patched |
| Config Hardening | Limit management/VPN exposure to trusted networks, monitor SSL VPN anomalies, and enforce strong admin hygiene |
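
To apply the Patch row across a fleet, the following added example (not part of the archive entry or the PoC repository) classifies FortiOS version strings against the affected ranges and fixed releases listed on this page. The inventory hostnames and version strings are constructed, and trains the page does not list are reported as `not-listed` rather than guessed.

```python
import re

# Affected ranges and first fixed releases as listed on this page:
# train -> (last affected patch level, first fixed release).
AFFECTED = {
    (7, 4): (2, "7.4.3"),
    (7, 2): (6, "7.2.7"),
    (7, 0): (13, "7.0.14"),
    (6, 4): (14, "6.4.15"),
    (6, 2): (15, "6.2.16"),
}
VERSION_RE = re.compile(r"\bv?(\d+)\.(\d+)\.(\d+)\b")


def classify(version_text):
    """Return (status, detail); status is vulnerable/fixed/not-listed/unparsed."""
    m = VERSION_RE.search(version_text)
    if not m:
        return ("unparsed", version_text.strip())
    major, minor, patch = (int(g) for g in m.groups())
    found = f"{major}.{minor}.{patch}"
    if (major, minor) not in AFFECTED:
        # No range on this page for the train: do not guess, check FG-IR-24-015.
        return ("not-listed", found)
    last_affected, first_fixed = AFFECTED[(major, minor)]
    if patch <= last_affected:
        return ("vulnerable", f"{found}: upgrade to {first_fixed} or later")
    return ("fixed", found)


def triage(inventory):
    """Return (host, status, detail) rows, most urgent status first."""
    order = {"vulnerable": 0, "unparsed": 1, "not-listed": 2, "fixed": 3}
    rows = [(host, *classify(ver)) for host, ver in inventory.items()]
    return sorted(rows, key=lambda r: (order[r[1]], r[0]))


# Constructed inventory: hostnames and version strings are made up.
SAMPLE_INVENTORY = {
    "fw-edge-01": "v7.2.5,build1517 (GA)",
    "fw-edge-02": "7.4.3",
    "fw-branch-07": "v6.4.14",
    "fw-lab-03": "v7.6.0",
    "fw-dr-01": "unknown",
}

if __name__ == "__main__":
    for host, status, detail in triage(SAMPLE_INVENTORY):
        print(f"{host:14} {status:11} {detail}")
```
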
References
- CVE-2024-21762 — NVD
- Fortinet PSIRT Advisory FG-IR-24-015
- CISA Known Exploited Vulnerabilities Catalog
- Joint CSA: PRC state-sponsored actors compromise and maintain persistent access to U.S. critical infrastructure
- Source Repository — d0rb/CVE-2024-21762
Notes
Auto-ingested from https://github.com/d0rb/CVE-2024-21762 on 2026-05-16.