CVE-2024-21762
Published: 09 February 2024
Summary
CVE-2024-21762 is a critical-severity Out-of-bounds Write (CWE-787) vulnerability in Fortinet FortiOS. Its CVSS base score is 9.8 (Critical).
Operationally, it ranks in the top 0.2% of CVEs by exploit likelihood, and CISA has added it to the Known Exploited Vulnerabilities catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2024-21762 is an out-of-bounds write vulnerability affecting Fortinet FortiOS versions 7.4.0-7.4.2, 7.2.0-7.2.6, 7.0.0-7.0.13, 6.4.0-6.4.14, 6.2.0-6.2.15 and 6.0.0-6.0.17, as well as FortiProxy versions 7.4.0-7.4.2, 7.2.0-7.2.8, 7.0.0-7.0.14, 2.0.0-2.0.13, 1.2.0-1.2.13, 1.1.0-1.1.6 and 1.0.0-1.0.7. The flaw is tracked as CWE-787 and carries a CVSS 3.1 score of 9.8.
Unauthenticated attackers can exploit the issue over the network by sending specially crafted requests, resulting in execution of unauthorized code or commands with full impact on confidentiality, integrity and availability.
Fortinet's advisory FG-IR-24-015 and the CISA Known Exploited Vulnerabilities catalog address the issue and list affected releases.
The vulnerability appears in the CISA KEV catalog, confirming observed in-the-wild exploitation, while its EPSS score remains elevated near 0.93.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-19376
Vulnerability details
An out-of-bounds write in Fortinet FortiOS versions 7.4.0 through 7.4.2, 7.2.0 through 7.2.6, 7.0.0 through 7.0.13, 6.4.0 through 6.4.14, 6.2.0 through 6.2.15, 6.0.0 through 6.0.17, and FortiProxy versions 7.4.0 through 7.4.2, 7.2.0 through 7.2.8, 7.0.0 through 7.0.14, 2.0.0 through 2.0.13, 1.2.0 through 1.2.13, 1.1.0 through 1.1.6, 1.0.0 through 1.0.7 allows an attacker to execute unauthorized code or commands via specifically crafted requests.
- CWE(s): CWE-787
- KEV Date Added: 09 February 2024
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): directly requires timely application of vendor patches that remediate the out-of-bounds write in FortiOS/FortiProxy.
- SI-10 (Information Input Validation): mandates input validation that would reject the specifically crafted requests causing the CWE-787 out-of-bounds write.
- Enforces authentication and authorization on network interfaces so unauthenticated attackers cannot reach the vulnerable code paths.