FortiOS SSL VPN Vulnerability Actively Exploited in the Wild
On February 8, 2024, Fortinet issued a security advisory regarding a critical remote code execution (RCE) vulnerability impacting FortiOS SSL VPN. The vulnerability, CVE-2024-21762, allows threat actors to run arbitrary code or commands via specially crafted HTTP requests.
The FortiOS SSL VPN vulnerability potentially enables threat actors to execute several cyber attacks. Businesses running FortiOS SSL VPN should take immediate remediation steps.
On February 9, 2024, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the FortiOS SSL VPN vulnerability to its Known Exploited Vulnerabilities (KEV) catalog and announced attackers were actively exploiting it in the wild.
At the time of publication, CISA’s advisory cautioned that Fortinet had not provided additional details about attacks, but noted that threat actors often exploit vulnerabilities in Fortinet devices.
Fortinet also patched two separate critical RCE vulnerabilities the week of February 9, 2024, potentially creating confusion among businesses regarding which devices were vulnerable to which CVE.
What should policyholders do?
Businesses running FortiOS SSL VPN should immediately follow the vendor's guidance to patch their devices to the appropriate version. If they cannot immediately patch, they should instead disable ‘sslvpnd’ as a workaround. However, disabling ‘sslvpnd’ will make the VPN device unusable.
As a precautionary measure, we recommend taking impacted Fortinet devices offline until they have been updated to the newest version of FortiOS. Fortinet has provided instructions in their security advisory, which includes a complete list of impacted versions and what patches to apply.
Coalition external scans cannot detect which firmware version a business is running. Any policyholder with questions or concerns regarding their Fortinet device or the FortiOS SSL VPN vulnerability can contact our Security Support Center.