Multiple critical vulnerabilities affecting Fortinet products are being actively exploited in the wild, primarily targeting FortiOS SSL VPN services and internet-facing security appliances.
Several of these vulnerabilities allow unauthenticated remote code execution, authentication bypass, or credential disclosure, enabling attackers to gain initial access to enterprise environments.
For full details, please see the Fortinet advisories page.
Listed Vulnerabilties
The following Fortinet vulnerabilities are currently associated with active exploitation or widespread scanning activity.
CVE-2024-21762: FortiOS SSL VPN Remote Code Execution (CVSS 9.6)
A vulnerability in FortiOS SSL VPN allows attackers to execute arbitrary code through crafted HTTP requests targeting vulnerable VPN endpoints.
CVE-2023-27997: FortiOS SSL VPN Heap Buffer Overflow (CVSS 9.8)
A heap-based buffer overflow allowing unauthenticated remote code execution on FortiGate devices.
CVE-2022-42475: FortiOS SSL VPN Authentication Bypass (CVSS 9.3)
Allows attackers to bypass authentication controls and execute arbitrary code.
CVE-2024-23113: Format String Vulnerability (CVSS 9.8)
Affects FortiOS, FortiProxy, and FortiWeb products and may allow remote code execution through improper format string handling.
CVE-2022-40684: Administrative Authentication Bypass (CVSS 9.6)
Attackers can bypass authentication using crafted HTTP headers and perform administrative actions on affected devices.
CVE-2023-48788: SQL Injection in FortiClient EMS (CVSS 9.3)
SQL injection vulnerability affecting FortiClient Enterprise Management Server.
CVE-2018-13379: SSL VPN Credential Disclosure (CVSS 9.8)
A path traversal vulnerability allowing attackers to retrieve plaintext SSL VPN credentials stored on FortiGate systems.
Exploitation Flow
A typical attack chain targeting vulnerable Fortinet appliances may involve:
Attackers scanning the internet for exposed FortiGate SSL VPN endpoints.
Once a vulnerable device is identified, the attacker sends specially crafted HTTP requests to exploit remote code execution or authentication bypass vulnerabilities.
Successful exploitation allows attackers to gain administrative access to the device or execute commands on the underlying system.
Attackers may then extract VPN credentials, create new administrative accounts, or modify configurations to maintain persistence.
From the compromised appliance, attackers can pivot into the internal network and conduct further reconnaissance or lateral movement.
Observed Threat Activity
Security researchers and threat intelligence providers have observed active exploitation of Fortinet vulnerabilities across multiple campaigns.
Threat actors frequently scan for exposed SSL VPN portals associated with FortiGate devices and attempt automated exploitation of known vulnerabilities.
Several ransomware groups have historically leveraged Fortinet vulnerabilities as an initial access vector before deploying malware across enterprise environments.
In some incidents, attackers exploited authentication bypass vulnerabilities to create unauthorized administrator accounts on FortiGate devices. In other cases, attackers retrieved stored VPN credentials and used them to authenticate into corporate networks.
The continued exploitation of older vulnerabilities such as CVE-2018-13379 demonstrates that legacy or unpatched devices remain accessible and actively targeted.
Mitigation and Remediation
Organizations operating Fortinet infrastructure should take immediate action to reduce exposure.
Apply Security Updates
Update all affected Fortinet products to the latest patched firmware versions provided by Fortinet.
Identify Exposed Devices
Conduct a comprehensive inventory of Fortinet devices across all environments, including:
- Production networks
- Remote offices
- Development environments
- Legacy infrastructure
Restrict SSL VPN Exposure
Disable SSL VPN services if they are not business-critical.
If VPN access is required, restrict access using network controls and geographic filtering.
Enable Multi-Factor Authentication
Require MFA for all VPN access to reduce the risk of credential-based attacks.
Monitor for Suspicious Activity
Security teams should review logs for:
- Unexpected administrative account creation
- Unauthorized configuration changes
- Suspicious VPN authentication activity
- Unusual outbound connections from Fortinet devices
Stay Safe. Stay Secure
OP Innovate Research Team
