Cyber Security Alert: CVEs affecting FortiOS SSL VPN

The NCSC would like to draw your attention to the vulnerabilities CVE-2024-21762 and CVE-2024-23113 affecting FortiOS SSL VPN. Fortinet is aware of potential exploitation of CVE-2024-21762 in the wild.

  • CVE-2024-21762 is an out-of-bounds vulnerability in SSL VPN and may allow a remote unauthenticated attacker to execute arbitrary code and commands via specially crafted HTTP requests.
  • CVE-2024-23113 is a format string bug in the FortiOS fgfmd daemon and may allow a remote, unauthenticated attacker to execute arbitrary code or commands via specially crafted requests.

Patches are available and the following product versions are affected:

  • FortiOS 7.4.0 through 7.4.2
  • FortiOS 7.2.0 through 7.2.6
  • FortiOS 7.0.0 through 7.0.13
  • FortiOS 6.4.0 through 6.4.14
  • FortiOS 6.2.0 through 6.2.15
  • FortiOS 6.0 all versions
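As an added example (not part of the NCSC alert), the following Python snippet triages an inventory of FortiOS version strings against the affected ranges listed above. The inventory entries and the `v7.2.5,build1517` string layout are constructed for illustration; confirm any result against the vendor advisory before acting on it.

```python
from typing import List, Optional, Tuple

Version = Tuple[int, int, int]

# Inclusive affected ranges transcribed from the alert above.
# An upper bound of None means "every release on that major.minor train".
AFFECTED_RANGES: List[Tuple[Version, Optional[Version]]] = [
    ((7, 4, 0), (7, 4, 2)),
    ((7, 2, 0), (7, 2, 6)),
    ((7, 0, 0), (7, 0, 13)),
    ((6, 4, 0), (6, 4, 14)),
    ((6, 2, 0), (6, 2, 15)),
    ((6, 0, 0), None),  # FortiOS 6.0: all versions
]


def parse_version(text: str) -> Version:
    """Turn strings like '7.0.13', 'v7.2.5' or 'v7.2.5,build1517' into a tuple.

    The ',build...' suffix layout is an assumption modelled on typical
    'get system status' output; only the leading major.minor.patch is used.
    """
    core = text.strip().lstrip("vV").split(",")[0].split("-")[0]
    parts = core.split(".")
    if len(parts) < 2 or not all(p.isdigit() for p in parts[:3]):
        raise ValueError(f"unrecognised FortiOS version string: {text!r}")
    while len(parts) < 3:          # allow '6.0' to mean 6.0.0
        parts.append("0")
    return int(parts[0]), int(parts[1]), int(parts[2])


def is_affected(version: str) -> bool:
    """True if the version falls inside any range listed in the alert."""
    v = parse_version(version)
    for low, high in AFFECTED_RANGES:
        if high is None:
            if v[:2] == low[:2]:   # whole train affected
                return True
        elif low <= v <= high:     # tuple comparison is lexicographic
            return True
    return False


def triage(inventory: List[Tuple[str, str]]) -> List[Tuple[str, str, bool]]:
    """Annotate (hostname, version) pairs with an 'affected' flag."""
    return [(host, ver, is_affected(ver)) for host, ver in inventory]


# Constructed sample inventory, not real hosts.
SAMPLE_INVENTORY = [("fw-edge-01", "v7.2.5,build1517"), ("fw-edge-02", "7.4.3"),
                    ("fw-branch-07", "6.0.17"), ("fw-lab-01", "7.0.14")]
```

Feed `triage()` your own export of `get system status` versions; every host flagged `True` should be patched or have SSL VPN disabled per the alert.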

The NCSC encourages organisations in New Zealand that use the affected products to review the vendor advisories for CVE-2024-21762 and CVE-2024-23113 and to apply the relevant patches as soon as possible if they have not done so already.

Fortinet also recommends mitigating the flaw by disabling SSL VPN on your FortiOS devices. The NCSC recommends that organisations consider whether the fgfm daemon (port 541) needs to be exposed to the internet for inbound connections.

If your organisation has seen or does see evidence of compromise related to CVE-2024-21762 or CVE-2024-23113, please contact incidents@ncsc.govt.nz.

For more NCSC NZ updates, follow us on LinkedIn.