Cyber Resilience

CVE-2024-21762

Critical · CISA KEV · Active Exploitation · EUVD Exploited · Ransomware-linked

Published: 09 February 2024

Modified
24 October 2025
KEV Added
09 February 2024
CVSS Score (v3.1): 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.9267 (99.8th percentile)
Risk Priority: 95 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2024-21762 is a critical-severity Out-of-bounds Write (CWE-787) vulnerability in Fortinet FortiOS. Its CVSS base score is 9.8 (Critical).

Operationally, it ranks in the top 0.2% of CVEs by EPSS exploit likelihood, and CISA has added it to the Known Exploited Vulnerabilities catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2024-21762 is an out-of-bounds write vulnerability affecting Fortinet FortiOS versions 7.4.0-7.4.2, 7.2.0-7.2.6, 7.0.0-7.0.13, 6.4.0-6.4.14, 6.2.0-6.2.15 and 6.0.0-6.0.17, as well as FortiProxy versions 7.4.0-7.4.2, 7.2.0-7.2.8, 7.0.0-7.0.14, 2.0.0-2.0.13, 1.2.0-1.2.13, 1.1.0-1.1.6 and 1.0.0-1.0.7. The flaw is tracked as CWE-787 and carries a CVSS 3.1 score of 9.8.

Unauthenticated attackers can exploit the issue over the network by sending specially crafted requests, resulting in execution of unauthorized code or commands with full impact on confidentiality, integrity and availability.

Fortinet's advisory FG-IR-24-015 and the CISA Known Exploited Vulnerabilities catalog address the issue and list affected releases.

The vulnerability appears in the CISA KEV catalog, confirming observed in-the-wild exploitation, while its EPSS score remains elevated near 0.93.

Vulnerability details

An out-of-bounds write in Fortinet FortiOS versions 7.4.0 through 7.4.2, 7.2.0 through 7.2.6, 7.0.0 through 7.0.13, 6.4.0 through 6.4.14, 6.2.0 through 6.2.15, 6.0.0 through 6.0.17, and FortiProxy versions 7.4.0 through 7.4.2, 7.2.0 through 7.2.8, 7.0.0 through 7.0.14, 2.0.0 through 2.0.13, 1.2.0 through 1.2.13, 1.1.0 through 1.1.6, 1.0.0 through 1.0.7 allows an attacker to execute unauthorized code or commands via specifically crafted requests.

CWE(s): CWE-787 (Out-of-bounds Write)
KEV Date Added
09 February 2024

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

fortinet / fortiproxy: 1.0.0 — 2.0.14 · 7.0.0 — 7.0.15 · 7.2.0 — 7.2.9
fortinet / fortios: 6.0.0 — 6.0.18 · 6.2.0 — 6.2.16 · 6.4.0 — 6.4.15

Mitigating Controls (NIST 800-53 r5)

prevent · SI-2 (Flaw Remediation): Directly requires timely application of vendor patches that remediate the out-of-bounds write in FortiOS/FortiProxy.

prevent · SI-10 (Information Input Validation): Mandates input validation that would reject the specifically crafted requests causing the CWE-787 out-of-bounds write.

prevent: Enforces authentication and authorization on network interfaces so unauthenticated attackers cannot reach the vulnerable code paths.
