Fortinet has disclosed a new critical security flaw in FortiOS SSL VPN that it said is likely being exploited in the wild. The vulnerability, CVE-2024-21762 (CVSS score: 9.6), allows for the execution of arbitrary code and commands. "A out-of-bounds write vulnerability [CWE-787] in FortiOS may allow a remote unauthenticated attacker to execute arbitrary code or command via specially crafted HTTP requests," the company said in a bulletin released Thursday. It further acknowledged that the issue is "potentially being exploited in the wild," without giving additional specifics about how it's being weaponized and by whom. The following versions are impacted by the vulnerability. It's worth noting that FortiOS 7.6 is not affected. FortiOS 7.4 (versions 7.4.0 through 7.4.2) – Upgrade to 7.4.3 or above FortiOS 7.2 (versions 7.2.0 through 7.2.6) – Upgrade to 7.2.7 or above FortiOS 7.0 (versions 7.0.0 through 7.0.13) – Upgrade to 7.0.14 or above FortiOS 6.4 (versions 6.4.0 through 6.4.14) – Upgrade to 6.4.15 or above FortiOS 6.2 (versions 6.2.0 through 6.2.15) – Upgrade to 6.2.16 or above FortiOS 6.0 (versions 6.0 all versions) – Migrate to a fixed release The development comes as Fortinet issued patches for CVE-2024-23108 and CVE-2024-23109, impacting FortiSIEM supervisor, allowing a remote unauthenticated attacker to execute unauthorized commands via crafted API requests. Earlier this week, the Netherlands government revealed a computer network used by the armed forces was…Read More
Fortinet Warns of Critical FortiOS SSL VPN Flaw Likely Under Active Exploitation
