Open Nav
Sign Up

CISA: Fortinet Security Advisories and CVE-2024-21762, CVE-2024-23313 Exploitation

Bar Refael

February 11, 2024

Fortinet has released critical security updates to address vulnerabilities within its FortiOS, specifically targeting remote code execution flaws identified as CVE-2024-21762 and CVE-2024-23313. The Cybersecurity and Infrastructure Security Agency (CISA) has also highlighted the active exploitation of CVE-2024-21762, urging both Federal Civilian Executive Branch (FCEB) agencies and other organizations to apply necessary patches to mitigate potential cyber threats.

Vulnerabilities Overview

  • CVE-2024-21762 [FG-IR-24-015 FortiOS]: An out-of-bounds write vulnerability within the FortiOS Secure Socket Layer Virtual Private Network (SSL VPN) service, allowing remote unauthenticated actors to execute arbitrary commands via specially crafted HTTP requests. This vulnerability is currently being exploited in the wild and has a Critical severity rating with a CVSS score of 9.6. Affected versions include FortiOS 7.4 (before 7.4.2), 7.2 (before 7.2.6), 7.0 (before 7.0.13), 6.4 (before 6.4.14), and 6.2 (before 6.2.15).
  • CVE-2024-23313 [FG-IR-24-029 FortiOS]: Another critical vulnerability with a CVSS score of 9.8, allowing remote code execution through an “externally-controlled format string vulnerability” within the FortiOS fgfmd daemon. This issue has not been reported as exploited in the wild yet.

Threat Actor Exploitation

The exploitation of CVE-2024-21762 has been attributed to advanced persistent threat (APT) groups, with indications of nation-state sponsorship. A report by Fortinet a day prior to the advisory release detailed an espionage campaign by China-backed actors, utilizing known vulnerabilities, including CVE-2024-21762, targeting critical infrastructure and government-adjacent industries. This underscores the strategic targeting by nation-state actors to exploit critical vulnerabilities for espionage and potentially disruptive purposes.

Remediation and Mitigation

Fortinet has issued patches for the affected versions of FortiOS. Organizations using affected versions are urged to upgrade to the latest patched versions immediately. For those unable to upgrade, disabling the SSL VPN service is recommended as a temporary workaround. Adherence to good cyber hygiene practices, including timely patching and following remediation guidance, is emphasized as the best defense against these vulnerabilities.

CISA Advisory and Directives

CISA has added CVE-2024-21762 to its Known Exploited Vulnerabilities Catalog, mandating FCEB agencies to patch the vulnerability by February 16, 2024. While BOD 22-01 specifically targets FCEB agencies, CISA strongly advises all organizations to prioritize the remediation of catalog vulnerabilities to reduce their exposure to cyberattacks.

Analysis and Recommendations

The exploitation of CVE-2024-21762, particularly its active use in the wild and the critical nature of the vulnerability, highlights the ongoing risk posed by unpatched systems. The advisory indicates the significant threat level and the sophistication of attackers exploiting these vulnerabilities. Organizations are recommended to:

  • Immediately apply available patches for affected Fortinet products.
  • Disable SSL VPN services if unable to patch immediately.
  • Review and enhance monitoring for anomalous activity related to FortiOS devices.
  • Consider the broader implications of nation-state actors exploiting such vulnerabilities and assess their cybersecurity posture accordingly.

The active exploitation of CVE-2024-21762 and the issuance of security advisories by Fortinet and CISA underscore the critical need for prompt and effective vulnerability management practices. The involvement of nation-state actors in exploiting these vulnerabilities adds a layer of complexity and urgency to the cybersecurity challenges faced by organizations globally. As such, adherence to recommended mitigation strategies and a proactive security posture are paramount in defending against these and future cybersecurity threats.

Stay safe and informed,
OP Innovate.

Resources highlights

Critical Zero-Day in Microsoft SharePoint Actively Exploited (CVE-2025-53770)

A newly discovered zero-day vulnerability in Microsoft SharePoint Server, tracked as CVE-2025-53770, is currently being exploited in active attacks against on-premises environments. The flaw, rated…

Read more >

CVE-2025-53770

Over 600 Laravel Applications Vulnerable to Remote Code Execution via Leaked APP_KEYs (CVE-2018-15133, CVE-2024-55556)

Security researchers have uncovered a major RCE threat affecting over 600 Laravel applications, triggered by leaked APP_KEYs found on public GitHub repositories. Laravel's APP_KEY, typically…

Read more >

CVE-2018-15133, CVE-2024-55556

CVE-2025-3648: “Count(er) Strike” Vulnerability in ServiceNow

CVE-2025-3648, dubbed “Count(er) Strike”, is a high-severity vulnerability (CVSS 8.2) in ServiceNow's Now Platform, discovered by Varonis Threat Labs. The flaw allows both authenticated and…

Read more >

CVE-2025-3648

What to Look for in a Pentesting Platform (Beyond Just Scans)

Penetration testing platforms are a great way to centralize vulnerability discovery and triage. However, when evaluating penetration testing platforms, many organizations make the mistake of…

Read more >

pentesting platform

CVE-2016-10033: Actively Exploited Remote Code Execution (RCE) Vulnerability in PHPMailer

CVE-2016-10033 is a critical remote code execution vulnerability in PHPMailer, a widely used PHP library for sending emails. The flaw lies in the mailSend function…

Read more >

CVE-2016-10033

High-Severity WordPress Vulnerability in Forminator Plugin (CVE-2025-6463)

A critical vulnerability in the Forminator plugin, one of the most popular form-building plugins in Wordpress, allows unauthenticated attackers to delete arbitrary files on the…

Read more >

CVE-2025-6463
Under Cyber Attack?

Fill out the form and we will contact you immediately.