How to Fix CVE-2024-21762: Fortinet FortiOS sslvpnd Out-of-Bounds Write
*By Sai Kiran Pandrala*
| Severity | CVSS 9.6, Critical |
|---|---|
| Actively exploited? | Yes, listed in CISA KEV. Hundreds of thousands of FortiGates were exposed at disclosure. |
| Affected | FortiOS 7.4.0 through 7.4.2, 7.2.0 through 7.2.6, 7.0.0 through 7.0.13, 6.4.0 through 6.4.14, 6.2.0 through 6.2.15, and 6.0.x. FortiProxy similar matrix. |
| Fixed in | FortiOS 7.4.3, 7.2.7, 7.0.14, 6.4.15, 6.2.16 (and later) per FG-IR-24-015 |
| Type (CWE) | Out-of-bounds Write |
⚠️ One of the most widely exposed FortiGate CVEs in recent history. Patch, or disable SSL VPN, immediately if you haven't already.
What is CVE-2024-21762?
The SSL VPN daemon (sslvpnd) in FortiOS has an out-of-bounds write vulnerability. An unauthenticated remote attacker who can reach the SSL VPN port (TCP 443 in most deployments) can send specially crafted requests that trigger the OOB write and achieve remote code execution as root on the FortiGate.
At disclosure, security researchers estimated that approximately 150,000 internet-exposed FortiGates were running affected builds with the SSL VPN endpoint reachable from the internet. Reports of real-world exploitation followed quickly.
Am I affected?
You are affected if you run FortiOS with SSL VPN enabled at:
- 7.4.x: below 7.4.3
- 7.2.x: below 7.2.7
- 7.0.x: below 7.0.14
- 6.4.x: below 6.4.15
- 6.2.x: below 6.2.16
- 6.0.x: end-of-life, migrate
FortiProxy has a parallel matrix; check FG-IR-24-015 for the exact builds.
Check the FortiOS version:
```
get system status
```
Check whether SSL VPN is enabled:
```
show vpn ssl settings | grep status
```
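To turn the matrix above into a repeatable fleet check, here is an added example (not from the original page or from Fortinet) that parses the output of `get system status`, compares the running build against the fixed-in versions listed on this page, and reads the SSL VPN status from `show vpn ssl settings`. The sample outputs are constructed; the function names and the assumption that the version appears as `vX.Y.Z` in the status line are mine.

```python
import re

# Fixed-in builds per FortiOS branch, copied from the matrix on this page (FG-IR-24-015).
FIXED_IN = {
    (7, 4): (7, 4, 3),
    (7, 2): (7, 2, 7),
    (7, 0): (7, 0, 14),
    (6, 4): (6, 4, 15),
    (6, 2): (6, 2, 16),
}

# Constructed sample of `get system status` output (abbreviated, build numbers invented).
SAMPLE_STATUS = """Version: FortiGate-100F v7.2.5,build1517,230525 (GA.F)
Security Level: 1
Hostname: fw-edge-01
"""

# Constructed sample of `show vpn ssl settings` output.
SAMPLE_SSL = """config vpn ssl settings
    set servercert "Fortinet_Factory"
    set port 443
    set source-interface "wan1"
    set status enable
end
"""

def parse_version(status_output: str) -> tuple:
    """Extract (major, minor, patch) from the 'Version:' line of `get system status`."""
    m = re.search(r"\bv(\d+)\.(\d+)\.(\d+)", status_output)
    if not m:
        raise ValueError("no FortiOS version found in output")
    return tuple(int(x) for x in m.groups())

def assess(version: tuple) -> str:
    """Classify a running version against the fixed-in builds for its branch."""
    major, minor, _ = version
    if (major, minor) == (6, 0):
        return "affected: 6.0.x is end-of-life, migrate"
    fixed = FIXED_IN.get((major, minor))
    if fixed is None:
        return "unknown branch; check FG-IR-24-015"
    if version < fixed:  # tuple comparison: (7,2,5) < (7,2,7)
        return "affected: upgrade to " + ".".join(map(str, fixed)) + " or later"
    return "not affected by CVE-2024-21762"

def sslvpn_enabled(ssl_settings_output: str) -> bool:
    """Mirror the page's `| grep status` check: enabled only if 'set status enable' is present."""
    enabled = re.search(r"^\s*set status enable\b", ssl_settings_output, re.M)
    disabled = re.search(r"^\s*set status disable\b", ssl_settings_output, re.M)
    return enabled is not None and disabled is None
```

A device is exposed when `assess()` reports "affected" and `sslvpn_enabled()` is true; everything else is either patched or has the daemon off.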
How to fix CVE-2024-21762
- Open Fortinet PSIRT FG-IR-24-015.
- Download the patched firmware.
- Back up the configuration.
- For HA pairs, upgrade the secondary, fail over, then upgrade the primary.
- Apply the firmware via GUI or CLI. Reboot when prompted.
- Verify with `get system status`.
Verify the fix landed
1. Confirm the running version matches the fixed-in version from the advisory (https://fortiguard.com/psirt/FG-IR-24-015) using `get system status`.
2. Re-scan with your vulnerability scanner (Nessus, Qualys, Tenable, OpenVAS); it should no longer flag CVE-2024-21762 on the patched target.
3. Inspect the FortiGate's recent system event and crash logs for crash loops or rollback events.
If you can't patch immediately
Fortinet documented a clear interim mitigation: disable SSL VPN.
```
config vpn ssl settings
unset port
unset source-interface
end
```
If you absolutely need SSL VPN online, restrict source-interface to only the WAN interface you are certain of, and consider geo-blocking at any upstream firewall while you finish patching. This narrows exposure but does not remove the vulnerability; only the firmware upgrade does.
How to verify the fix worked
`get system status` should show the patched build. Run a vulnerability scan against the SSL VPN endpoint; the CVE-2024-21762 detection should clear.
Frequently asked questions
Is CVE-2024-21762 actively exploited?
Yes. CVE-2024-21762 is on the CISA Known Exploited Vulnerabilities catalog, so federal civilian agencies are required to patch on the published deadline. Most enterprises treat the same date as the practical floor.
What is the CVSS severity of CVE-2024-21762?
Critical. See the advisory for the full CVSS vector.
Where can I read the official advisory?
See https://www.fortiguard.com/psirt/FG-IR-24-015
Does the patch require a reboot?
It depends on the deployment. Service-only updates usually need a service restart; OS-level fixes require a full reboot. Check the vendor release notes for the exact post-upgrade steps.
References
- Official Fortinet PSIRT FG-IR-24-015: https://www.fortiguard.com/psirt/FG-IR-24-015
- NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-21762
- CISA KEV catalog entry: https://www.cisa.gov/known-exploited-vulnerabilities-catalog
*This guide was assembled from Fortinet PSIRT FG-IR-24-015, the NVD record, and the CISA KEV listing on 2026-05-25. Always confirm against Fortinet's advisory before applying changes in production.*
Related fixes
Other vulnerabilities in the same area that are worth patching alongside this one:
- How to Fix CVE-2024-21812: libbiosig (Bundle Sibling)
- How to Fix CVE-2024-23113: Fortinet FortiOS Format String fgfmd
- How to Fix CVE-2024-55591: Fortinet FortiOS/FortiProxy Authentication Bypass
- How to Fix CVE-2024-23310: libbiosig (Bundle Sibling)
- How to Fix CVE-2024-20418: Command Injection in Cisco Aironet Access Point Software (IOS XE Controller)