Fortinet FortiGate SSL-VPN Zero-Day Arbitrary Code Execution

Summary
A critical zero-day vulnerability in the Fortinet FortiGate SSL-VPN service enables unauthenticated remote code execution, leading to full device compromise. More than 14 000 devices have been compromised through a symlink-based persistence mechanism that also leverages earlier CVEs (CVE-2022-42475, CVE-2023-27997, CVE-2024-21762).
Impacted Versions:
  FortiOS 6.4.x, 7.0.x, 7.2.x, 7.4.x and 7.6.x with SSL-VPN enabled
Vulnerabilities:
  Zero-Day (no CVE assigned)
    Severity: Critical (CVSS v3.1 10.0)
    Description: Unauthenticated RCE in the SSL-VPN service allows arbitrary code execution and data extraction.
    Impact: Full device takeover, data exfiltration, lateral movement.
  CVE-2022-42475 (FG-IR-22-398)
    Severity: Critical (CVSS v3.1 9.3)
    Description: Heap-based buffer overflow in sslvpnd enables unauthenticated RCE.
    Impact: Unauthorized code execution, data disclosure.
  CVE-2023-27997 (FG-IR-23-097)
    Severity: Critical (CVSS v3.1 9.2)
    Description: Heap overflow in SSL-VPN pre-auth permits RCE.
    Impact: Persistent, unauthorized access.
  CVE-2024-21762 (FG-IR-24-015)
    Severity: Critical (CVSS v3.1 9.6)
    Description: Out-of-bounds write in sslvpnd via crafted HTTP requests allows arbitrary code execution.
    Impact: Full system compromise, backdoor persistence.
Mitigations:
  Disable the SSL-VPN service immediately.
  Patch to the following versions or later:
    FortiOS: 6.0.18+, 6.2.16+, 6.4.15+, 7.0.14+, 7.2.7+, 7.4.3+
    FortiProxy: relevant patched releases
  Restrict management access to trusted IPs, enforce MFA, and block unnecessary ports.
  Deploy updated AV/IPS signatures and monitor for malicious symlinks and IOCs.
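Turning the patch step into a fleet check: the following is an added Python example, not Fortinet tooling and not part of this advisory. It copies the advisory's fixed-release list and impacted-train list into tables and classifies each device against them. Note that the advisory lists 7.6.x as impacted but gives no fixed 7.6 release, so the checker reports that train separately instead of guessing. The hostnames, build numbers and SSL-VPN states in the sample inventory are constructed.

```python
"""Patch-level triage against the fixed FortiOS releases listed in this advisory.

Added example, not Fortinet tooling. MIN_FIXED copies the advisory's
"Patch to the following versions or later" list; IMPACTED_TRAINS copies its
"Impacted Versions" line. Hostnames, build numbers and SSL-VPN state in the
sample inventory are constructed.
"""
import re
from typing import Optional, Tuple

# Minimum fixed release per FortiOS train, as given in the advisory.
MIN_FIXED = {
    (6, 0): (6, 0, 18),
    (6, 2): (6, 2, 16),
    (6, 4): (6, 4, 15),
    (7, 0): (7, 0, 14),
    (7, 2): (7, 2, 7),
    (7, 4): (7, 4, 3),
}

# Trains the advisory lists as impacted when SSL-VPN is enabled.
IMPACTED_TRAINS = {(6, 4), (7, 0), (7, 2), (7, 4), (7, 6)}

# Accepts "7.2.5", "v7.2.5" and "v7.2.5,build1517" (anything after the patch number is ignored).
_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> Optional[Tuple[int, int, int]]:
    """Turn a FortiOS version string into (major, minor, patch); None if unparseable."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        return None
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def patch_state(version_text: str) -> str:
    """Classify a device against the advisory's fixed releases.

    Returns one of:
      'patched'         at or above the listed fixed release for its train
      'vulnerable'      below the listed fixed release for its train
      'no-fix-listed'   train is listed as impacted but no fixed release is given (7.6.x)
      'unlisted-train'  train appears in neither advisory list
      'unknown-version' string could not be parsed
    """
    ver = parse_version(version_text)
    if ver is None:
        return "unknown-version"
    train = ver[:2]
    fixed = MIN_FIXED.get(train)
    if fixed is not None:
        return "patched" if ver >= fixed else "vulnerable"
    return "no-fix-listed" if train in IMPACTED_TRAINS else "unlisted-train"


def needs_urgent_action(version_text: str, sslvpn_enabled: bool) -> bool:
    """True when the device is unpatched (or has no fix listed) and SSL-VPN is enabled.

    The advisory scopes impact to devices with SSL-VPN enabled; devices with it
    disabled still need the patch but are not in the exposed population.
    """
    return sslvpn_enabled and patch_state(version_text) in {"vulnerable", "no-fix-listed"}


def triage(inventory):
    """Return [(hostname, state, urgent)] with urgent devices first, then by hostname."""
    rows = []
    for host, version_text, sslvpn_enabled in inventory:
        state = patch_state(version_text)
        rows.append((host, state, needs_urgent_action(version_text, sslvpn_enabled)))
    rows.sort(key=lambda r: (not r[2], r[0]))
    return rows


# Constructed sample inventory: (hostname, version string as the device reports it, SSL-VPN enabled)
SAMPLE_INVENTORY = [
    ("fw-edge-01", "v7.2.5,build1517", True),
    ("fw-edge-02", "v7.4.3,build2573", True),
    ("fw-branch-03", "v7.0.12,build0523", False),
    ("fw-lab-04", "v7.6.0,build3401", True),
    ("fw-legacy-05", "v6.2.16,build1234", True),
    ("fw-mgmt-06", "n/a", True),
]

if __name__ == "__main__":
    for host, state, urgent in triage(SAMPLE_INVENTORY):
        print(f"{'URGENT ' if urgent else '       '}{host:14} {state}")
```

Devices reported as `vulnerable` with SSL-VPN disabled are deliberately not marked urgent, matching the advisory's scoping, but they still appear in the output so they are not forgotten in the patch cycle.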
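For the last mitigation (monitoring for malicious symlinks), here is an added Python example, not Fortinet tooling and not from this advisory. It is a generic audit for the class of persistence the advisory describes: it walks a directory tree and reports any symlink whose resolved target lies outside that tree. The directory names and links it builds are constructed inside a temporary directory and are not FortiOS paths; the served-tree root to scan on a real appliance is an assumption the operator supplies.

```python
"""Audit a directory tree for symlinks whose targets resolve outside the tree.

Added example, not Fortinet tooling: a generic check for the class of
persistence the advisory describes (a symlink planted under a served directory
that points elsewhere on the filesystem). The directory names and links below
are constructed in a temporary directory; nothing here is a FortiOS path.
"""
import os
import shutil
import tempfile
from typing import List, Tuple


def find_escaping_symlinks(root: str) -> List[Tuple[str, str]]:
    """Return (link_path, resolved_target) for each symlink under root that resolves outside root.

    Symlinks are not followed while walking, so a link to a directory is reported
    once rather than having its contents scanned. Dangling links are reported too,
    since realpath still yields the intended (non-existent) target.
    """
    root_real = os.path.realpath(root)
    findings = []
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        # Symlinks to directories show up in dirnames, so check both lists.
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            if not os.path.islink(path):
                continue
            target = os.path.realpath(path)
            try:
                inside = os.path.commonpath([root_real, target]) == root_real
            except ValueError:
                inside = False  # different drive/anchor (Windows): certainly outside
            if not inside:
                findings.append((path, target))
    findings.sort()
    return findings


def build_demo_tree() -> str:
    """Create a constructed sample tree with one benign and one escaping symlink."""
    root = tempfile.mkdtemp(prefix="symlink-audit-")
    static = os.path.join(root, "static")
    os.makedirs(static)
    with open(os.path.join(static, "index.html"), "w") as fh:
        fh.write("<html></html>\n")
    # Benign: relative link to a sibling file inside the tree.
    os.symlink("index.html", os.path.join(static, "default.html"))
    # Escaping: link to the tree's parent directory (constructed stand-in for
    # any location outside the served tree).
    os.symlink(os.path.dirname(root), os.path.join(static, "shared"))
    return root


if __name__ == "__main__":
    demo_root = build_demo_tree()
    try:
        for link, target in find_escaping_symlinks(demo_root):
            print(f"ESCAPES: {link} -> {target}")
    finally:
        shutil.rmtree(demo_root)
```

Run periodically against the served tree and diff the output against a known-good baseline; a new escaping symlink appearing between runs is the event worth alerting on, while a pre-existing relative link inside the tree is ordinary.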
