A critical zero‑day vulnerability in Fortinet FortiGate SSL‑VPN enables unauthenticated remote code execution, leading to full device compromise. More than 14 000 devices have been compromised via a symlink‑based persistence mechanism that also leverages prior CVEs (CVE‑2022‑42475, CVE‑2023‑27997, CVE‑2024‑21762).

Impacted Versions:

  • FortiOS 6.4.x, 7.0.x, 7.2.x, 7.4.x and 7.6.x with SSL‑VPN enabled

Vulnerabilities:

  • Zero‑Day (no CVE assigned)
    • Severity: Critical (CVSS v3.1 10.0)
    • Description: Unauthenticated RCE in the SSL‑VPN service allows arbitrary code execution and data extraction.
    • Impact: Full device takeover, data exfiltration, lateral movement.
  • CVE‑2022‑42475 (FG‑IR‑22‑398)
    • Severity: Critical (CVSS v3.1 9.3)
    • Description: Heap‑based buffer overflow in sslvpnd enables unauthenticated RCE.
    • Impact: Unauthorized code execution, data disclosure.
  • CVE‑2023‑27997 (FG‑IR‑23‑097)
    • Severity: Critical (CVSS v3.1 9.2)
    • Description: Heap overflow in SSL‑VPN pre‑auth permits RCE.
    • Impact: Persistent, unauthorized access.
  • CVE‑2024‑21762 (FG‑IR‑24‑015)
    • Severity: Critical (CVSS v3.1 9.6)
    • Description: Out‑of‑bounds write in sslvpnd via crafted HTTP requests allows arbitrary code execution.
    • Impact: Full system compromise, backdoor persistence.

Mitigations:

  • Disable the SSL‑VPN service immediately.
  • Patch to the following versions or later:
    • FortiOS: 6.0.18+, 6.2.16+, 6.4.15+, 7.0.14+, 7.2.7+, 7.4.3+
    • FortiProxy: relevant patched releases
  • Restrict management access to trusted IPs, enforce MFA, and block unnecessary ports.
  • Deploy updated AV/IPS signatures and monitor for malicious symlinks and IOCs.
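Two of the mitigation items above (patching to the listed minimum releases, and monitoring for malicious symlinks) lend themselves to a quick defender-side check. The following Python is an added example, not code from the advisory or from Fortinet: the first function decides whether a FortiOS version string is at or above the fixed release this advisory lists for its branch (and returns None for a branch such as 7.6.x, which is listed as impacted but has no fixed release in the list); the second walks a directory tree and reports any symlink whose resolved target lies outside a permitted base directory, which is the generic shape of a symlink-persistence sweep. The sample directory tree built in demo() is constructed for the example and does not reflect any real FortiOS path.

```python
"""Added defender-side example (not from the advisory or from Fortinet).

fortios_patched()        - compares a version string against the minimum
                           fixed releases listed in the advisory.
find_escaping_symlinks() - reports symlinks under a tree whose resolved
                           target escapes a permitted base directory.
The sample tree in demo() is constructed purely for illustration.
"""
import os
import tempfile
from pathlib import Path

# Minimum fixed FortiOS releases exactly as listed in the advisory, by branch.
MIN_FIXED = {
    "6.0": (6, 0, 18),
    "6.2": (6, 2, 16),
    "6.4": (6, 4, 15),
    "7.0": (7, 0, 14),
    "7.2": (7, 2, 7),
    "7.4": (7, 4, 3),
}


def parse_version(text):
    """Turn 'v7.0.12' or '7.0.12' into (7, 0, 12); reject malformed input."""
    parts = text.strip().lstrip("v").split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised FortiOS version: {text!r}")
    return tuple(int(p) for p in parts)


def fortios_patched(text):
    """True if the version meets the listed fix for its branch, False if it
    is below it, None if the advisory lists no fixed release for that branch
    (e.g. 7.6.x, which is impacted but absent from the patch list)."""
    version = parse_version(text)
    branch = f"{version[0]}.{version[1]}"
    minimum = MIN_FIXED.get(branch)
    if minimum is None:
        return None
    return version >= minimum


def find_escaping_symlinks(root, allowed_base=None):
    """Return sorted (link, resolved_target) pairs for every symlink under
    root whose fully resolved target is not inside allowed_base (defaults
    to root). Dangling links are reported too: the path they point at is
    still evidence of where something tried to reach."""
    root = Path(root).resolve()
    base = Path(allowed_base).resolve() if allowed_base else root
    findings = []
    # followlinks=False: symlinked directories are listed but never descended,
    # so a link pointing back up the tree cannot cause an endless walk.
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        for name in dirnames + filenames:
            path = Path(dirpath) / name
            if not path.is_symlink():
                continue
            target = path.resolve()  # non-strict: works for dangling links as well
            try:
                target.relative_to(base)
            except ValueError:
                findings.append((str(path), str(target)))
    return sorted(findings)


def demo():
    """Build a constructed sample tree with one benign and one escaping
    symlink, then sweep it. Returns the list of findings."""
    tmp = Path(tempfile.mkdtemp())
    webroot = tmp / "webroot"
    lang = webroot / "lang"
    lang.mkdir(parents=True)
    (lang / "en.json").write_text("{}")
    os.symlink("en.json", lang / "default.json")   # benign: stays inside webroot
    os.symlink(tmp, lang / "escape")               # suspicious: points above webroot
    return find_escaping_symlinks(webroot)


if __name__ == "__main__":
    for v in ("7.0.13", "7.0.14", "7.6.0"):
        print(v, "->", fortios_patched(v))
    for link, target in demo():
        print("symlink escapes permitted base:", link, "->", target)
```

Running the version check on a build such as 7.0.13 reports False (below the listed 7.0.14 fix), while 7.6.0 reports None, a reminder that the patch list above does not cover every impacted branch and must be read alongside the vendor's current guidance. The symlink sweep flags only links whose target leaves the permitted base, so ordinary in-tree links do not generate noise.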

Resources and Further Reading: