Open Nav
Sign Up

CISA: Fortinet Security Advisories and CVE-2024-21762, CVE-2024-23313 Exploitation

Bar Refael

February 11, 2024

Fortinet has released critical security updates to address vulnerabilities within its FortiOS, specifically targeting remote code execution flaws identified as CVE-2024-21762 and CVE-2024-23313. The Cybersecurity and Infrastructure Security Agency (CISA) has also highlighted the active exploitation of CVE-2024-21762, urging both Federal Civilian Executive Branch (FCEB) agencies and other organizations to apply necessary patches to mitigate potential cyber threats.

Vulnerabilities Overview

  • CVE-2024-21762 [FG-IR-24-015 FortiOS]: An out-of-bounds write vulnerability within the FortiOS Secure Socket Layer Virtual Private Network (SSL VPN) service, allowing remote unauthenticated actors to execute arbitrary commands via specially crafted HTTP requests. This vulnerability is currently being exploited in the wild and has a Critical severity rating with a CVSS score of 9.6. Affected versions include FortiOS 7.4 (before 7.4.2), 7.2 (before 7.2.6), 7.0 (before 7.0.13), 6.4 (before 6.4.14), and 6.2 (before 6.2.15).
  • CVE-2024-23313 [FG-IR-24-029 FortiOS]: Another critical vulnerability with a CVSS score of 9.8, allowing remote code execution through an “externally-controlled format string vulnerability” within the FortiOS fgfmd daemon. This issue has not been reported as exploited in the wild yet.

Threat Actor Exploitation

The exploitation of CVE-2024-21762 has been attributed to advanced persistent threat (APT) groups, with indications of nation-state sponsorship. A report by Fortinet a day prior to the advisory release detailed an espionage campaign by China-backed actors, utilizing known vulnerabilities, including CVE-2024-21762, targeting critical infrastructure and government-adjacent industries. This underscores the strategic targeting by nation-state actors to exploit critical vulnerabilities for espionage and potentially disruptive purposes.

Remediation and Mitigation

Fortinet has issued patches for the affected versions of FortiOS. Organizations using affected versions are urged to upgrade to the latest patched versions immediately. For those unable to upgrade, disabling the SSL VPN service is recommended as a temporary workaround. Adherence to good cyber hygiene practices, including timely patching and following remediation guidance, is emphasized as the best defense against these vulnerabilities.

CISA Advisory and Directives

CISA has added CVE-2024-21762 to its Known Exploited Vulnerabilities Catalog, mandating FCEB agencies to patch the vulnerability by February 16, 2024. While BOD 22-01 specifically targets FCEB agencies, CISA strongly advises all organizations to prioritize the remediation of catalog vulnerabilities to reduce their exposure to cyberattacks.

Analysis and Recommendations

The exploitation of CVE-2024-21762, particularly its active use in the wild and the critical nature of the vulnerability, highlights the ongoing risk posed by unpatched systems. The advisory indicates the significant threat level and the sophistication of attackers exploiting these vulnerabilities. Organizations are recommended to:

  • Immediately apply available patches for affected Fortinet products.
  • Disable SSL VPN services if unable to patch immediately.
  • Review and enhance monitoring for anomalous activity related to FortiOS devices.
  • Consider the broader implications of nation-state actors exploiting such vulnerabilities and assess their cybersecurity posture accordingly.

The active exploitation of CVE-2024-21762 and the issuance of security advisories by Fortinet and CISA underscore the critical need for prompt and effective vulnerability management practices. The involvement of nation-state actors in exploiting these vulnerabilities adds a layer of complexity and urgency to the cybersecurity challenges faced by organizations globally. As such, adherence to recommended mitigation strategies and a proactive security posture are paramount in defending against these and future cybersecurity threats.

Stay safe and informed,
OP Innovate.

Resources highlights

Ivanti EPMM Unauthenticated RCE Actively Exploited (CVE-2026-1340)

CVE-2026-1340 is a critical code injection vulnerability in Ivanti Endpoint Manager Mobile (EPMM) that enables unauthenticated remote code execution (RCE). The flaw has been confirmed…

Read more >

CVE-2026-1340

FortiClient EMS 0-Day Enables RCE (CVE-2026-35616)

Fortinet has confirmed active exploitation of CVE-2026-35616 in the wild. The vulnerability was reportedly leveraged as a zero-day prior to disclosure, indicating that attackers had…

Read more >

CVE-2026-35616

Axios Supply Chain Attack: Malicious npm Releases Deliver Cross-Platform Payload

A software supply chain attack has been identified impacting the widely used axios npm package. On March 31, 2026, two malicious versions, axios@1.14.1 and axios@0.30.4,…

Read more >

axios-npm-supply-chain-attack-malicious-packages

CVE-2026-33017: Langflow Code Injection Vulnerability

A critical vulnerability in Langflow, tracked as CVE-2026-33017, is being actively exploited in the wild and poses a serious risk to organizations using exposed self-hosted…

Read more >

cve-2026-33017

Citrix NetScaler Vulnerabilities Expose Sensitive Data and Session Integrity Risks (CVE-2026-3055 & CVE-2026-4368)

Citrix has released security updates addressing two vulnerabilities in NetScaler ADC and NetScaler Gateway that may allow attackers to leak sensitive data or interfere with…

Read more >

cve-2026-3055

Active Exploitation of Microsoft SharePoint RCE (CVE-2026-20963)

A critical Microsoft SharePoint vulnerability, CVE-2026-20963, is now being actively exploited in the wild. The flaw enables remote code execution (RCE) and has been added…

Read more >

cve-2026-20963
Under Cyber Attack?

Fill out the form and we will contact you immediately.