Fortinet's advisory FG-IR-24-015 (8 February 2024) reported the bug as potentially exploited in the wild, and CISA added CVE-2024-21762 to its Known Exploited Vulnerabilities catalog on 9 February 2024. Volt Typhoon (a PRC state-sponsored actor) is documented in the joint CISA/FBI/NSA advisory AA24-038A as gaining initial access to critical-infrastructure networks by exploiting vulnerabilities in internet-facing network appliances, Fortinet devices among them.
What the vulnerability is
CVE-2024-21762 is an out-of-bounds write (CWE-787) in the FortiOS SSL-VPN daemon; FortiProxy is affected as well. An unauthenticated remote attacker can execute arbitrary code or commands by sending a specially crafted HTTP request to the SSL-VPN listener. No credentials and no user interaction are required.
Affected versions (from FG-IR-24-015):
- FortiOS 7.4.0 through 7.4.2, fixed in 7.4.3 or later
- FortiOS 7.2.0 through 7.2.6, fixed in 7.2.7 or later
- FortiOS 7.0.0 through 7.0.13, fixed in 7.0.14 or later
- FortiOS 6.4.0 through 6.4.14, fixed in 6.4.15 or later
- FortiOS 6.2.0 through 6.2.15, fixed in 6.2.16 or later
- FortiOS 6.0, all releases: no fix on this branch, migrate to a fixed release
FortiOS 7.6 is not affected. FortiProxy has its own affected ranges in the same advisory.
How we detect it passively
Our scanner (vpn_cve.py) looks for FortiGate fingerprints in HTTP response headers and body patterns without sending any exploit payload. Specifically:

    GET /remote/logincheck HTTP/1.1
    Host: target.com

    Response match: "FortiGate" in a header or in the body
    Version extraction: /remote/info endpoint

We then compare the extracted version with the FG-IR-24-015 fix matrix above. If it falls in an affected range and the SSL-VPN listener answers from the internet, we flag the host CRITICAL. Two caveats: a banner cannot tell you whether an out-of-band fix was applied, and a device in the affected range with SSL-VPN disabled is not reachable through this bug. Confirm on the device itself with "get system status" (version and build) and "show vpn ssl settings" (whether the listener is enabled and on which interfaces).
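The version check is the part of the scanner worth getting exactly right, so here is a worked version of it. This is an added example, not parapetsec's vpn_cve.py: it encodes the FG-IR-24-015 fix matrix, classifies a version string, applies the CRITICAL rule described above, and runs the "FortiGate" fingerprint over a constructed response. The response headers and body, and the sample version strings, are constructed for the example.

```python
# Added example, not the page's vpn_cve.py: classify a FortiOS version
# string against the CVE-2024-21762 fix matrix from Fortinet's FG-IR-24-015
# and apply the page's severity rule (affected range + internet-exposed
# SSL-VPN = CRITICAL). The fingerprint helper runs on a constructed response.
import re

# (branch, first affected, last affected, fixed release). None means Fortinet
# published no fix for that branch and tells you to migrate off it.
FIX_MATRIX = [
    ("7.4", (7, 4, 0), (7, 4, 2), "7.4.3"),
    ("7.2", (7, 2, 0), (7, 2, 6), "7.2.7"),
    ("7.0", (7, 0, 0), (7, 0, 13), "7.0.14"),
    ("6.4", (6, 4, 0), (6, 4, 14), "6.4.15"),
    ("6.2", (6, 2, 0), (6, 2, 15), "6.2.16"),
    ("6.0", (6, 0, 0), (6, 0, 999), None),  # every 6.0 release is affected
]
NEWEST_AFFECTED_BRANCH = (7, 4)

_VERSION_RE = re.compile(r"\bv?(\d+)\.(\d+)\.(\d+)\b")


def parse_version(text):
    """Pull major.minor.patch out of strings like 'v7.0.13,build0566'."""
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no FortiOS version found in {text!r}")
    return tuple(int(x) for x in m.groups())


def classify(version_text, ssl_vpn_exposed=True):
    """Return a finding dict for one device.

    status: 'vulnerable' (a fix exists), 'unsupported' (affected, no fix on
    that branch), 'patched', 'not_affected' (newer branch) or 'unknown'.
    """
    v = parse_version(version_text)
    finding = {"version": ".".join(map(str, v)), "status": "unknown",
               "fix": None, "severity": "INFO"}
    for branch, lo, hi, fixed in FIX_MATRIX:
        if v[:2] != lo[:2]:
            continue
        if lo <= v <= hi:
            finding["status"] = "vulnerable" if fixed else "unsupported"
            finding["fix"] = fixed or "migrate to a supported branch"
            # Unauthenticated RCE reachable from the internet is the CRITICAL
            # case; an internal-only listener still carries the bug, so HIGH.
            finding["severity"] = "CRITICAL" if ssl_vpn_exposed else "HIGH"
        else:
            finding["status"] = "patched"
        return finding
    if v[:2] > NEWEST_AFFECTED_BRANCH:
        finding["status"] = "not_affected"  # 7.6 and later
    # Branches older than 6.0 are not in the advisory matrix: left 'unknown'.
    return finding


def looks_like_fortigate(headers, body):
    """Passive fingerprint: the 'FortiGate' marker in a header or the body.

    This only says 'probably a FortiGate'; it does not give the version.
    """
    blob = " ".join(f"{k}: {v}" for k, v in headers.items()) + " " + body
    return "fortigate" in blob.lower()


if __name__ == "__main__":
    # Constructed response, not captured from a real device.
    sample_headers = {"Server": "xxxxxxxx-xxxxx", "Set-Cookie": "SVPNCOOKIE=; path=/"}
    sample_body = "<html><title>Please Login</title> ... FortiGate ..."
    print("fortigate fingerprint:", looks_like_fortigate(sample_headers, sample_body))
    for ver in ("v7.4.2,build2571", "7.4.3", "6.0.17", "7.6.0", "7.2.6"):
        print(ver, "->", classify(ver))
```

Keep the matrix in data rather than in if-chains so the next FortiOS advisory is a one-line edit, and treat "unknown" as a prompt to go look at the device, not as a pass.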
What Volt Typhoon does after initial access
Volt Typhoon's documented post-exploitation pattern (from the joint CISA/FBI/NSA advisories) after compromising a Fortinet device:
- Extract credentials held on the compromised FortiGate, notably the Active Directory/LDAP service account the device uses to authenticate users
- Reuse those valid VPN credentials for persistent access that looks like ordinary remote logins
- LOTL (Living off the Land) — use built-in tools, avoid custom malware
- Enumerate internal network, focus on OT/SCADA interfaces
- Pre-position for future disruption — not immediate exfil
The "pre-positioning" aspect is what makes this particularly dangerous for critical infrastructure. Volt Typhoon isn't after immediate data exfiltration; they're establishing persistent access that can be activated during a crisis or conflict. For defenders, that means the thing to hunt for is not a burst of outbound data but valid VPN accounts being used from places and at times they never were before.
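The credential-reuse step above is detectable in the appliance's own SSL-VPN event logs. The following is an added example, not from the page or from Fortinet, that hunts for two signals in FortiGate-style key=value log lines: an existing account logging in from a source IP never seen for it, and a second login from a different IP within a short window of the first (one account, two places at once). The log lines, field names and timestamps are constructed for the example; check them against the fields your own devices actually emit before trusting the parser.

```python
# Added example, not from the page or Fortinet: hunt FortiGate-style SSL-VPN
# event logs for the credential-reuse pattern described above. Two signals:
# an account logging in from a source IP never seen for it, and a second
# login from a different IP within a short window of the first.
# Log lines and field names below are constructed; verify them against your
# own FortiGate's real fields before relying on this parser.
import re
from collections import defaultdict
from datetime import datetime, timedelta

_KV_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')

# Constructed sample: two days of SSL-VPN tunnel events for two users.
SAMPLE_LOGS = """\
date=2024-02-10 time=08:01:12 type="event" subtype="vpn" action="tunnel-up" tunneltype="ssl-tunnel" user="jsmith" remip=203.0.113.10 msg="SSL VPN tunnel up"
date=2024-02-10 time=08:03:30 type="event" subtype="vpn" action="tunnel-up" tunneltype="ssl-tunnel" user="mlee" remip=192.0.2.5 msg="SSL VPN tunnel up"
date=2024-02-10 time=17:30:02 type="event" subtype="vpn" action="tunnel-down" tunneltype="ssl-tunnel" user="jsmith" remip=203.0.113.10 msg="SSL VPN tunnel down"
date=2024-02-11 time=02:14:03 type="event" subtype="vpn" action="tunnel-up" tunneltype="ssl-tunnel" user="jsmith" remip=198.51.100.77 msg="SSL VPN tunnel up"
date=2024-02-11 time=02:20:00 type="event" subtype="vpn" action="tunnel-up" tunneltype="ssl-tunnel" user="jsmith" remip=203.0.113.10 msg="SSL VPN tunnel up"
date=2024-02-11 time=08:02:45 type="event" subtype="vpn" action="tunnel-up" tunneltype="ssl-tunnel" user="mlee" remip=192.0.2.5 msg="SSL VPN tunnel up"
"""


def parse_line(line):
    """Turn one key=value log line into a dict; values may be quoted or bare."""
    fields = {m.group(1): (m.group(3) if m.group(3) is not None else m.group(4))
              for m in _KV_RE.finditer(line)}
    if "date" in fields and "time" in fields:
        fields["ts"] = datetime.strptime(f"{fields['date']} {fields['time']}",
                                         "%Y-%m-%d %H:%M:%S")
    return fields


def ssl_vpn_logins(lines):
    """Return tunnel-up events of the vpn subtype, oldest first."""
    events = [f for f in (parse_line(l) for l in lines if l.strip())
              if f.get("subtype") == "vpn" and f.get("action") == "tunnel-up"
              and "ts" in f]
    return sorted(events, key=lambda f: f["ts"])


def find_suspicious_logins(lines, window=timedelta(minutes=30)):
    """Flag new-source and concurrent-source logins per account.

    The first IP ever seen for an account becomes its baseline, so feed in
    enough history ahead of the period you are hunting, or every account's
    first login will look 'new'.
    """
    seen_ips = defaultdict(set)      # user -> IPs already seen for that user
    last_login = defaultdict(dict)   # user -> {ip: time of last tunnel-up}
    findings = []
    for e in ssl_vpn_logins(lines):
        user, ip, ts = e["user"], e["remip"], e["ts"]
        if seen_ips[user] and ip not in seen_ips[user]:
            findings.append({"user": user, "remip": ip, "time": ts,
                             "reason": "new-source-ip"})
        for other_ip, other_ts in last_login[user].items():
            if other_ip != ip and ts - other_ts <= window:
                findings.append({"user": user, "remip": ip, "time": ts,
                                 "reason": "concurrent-source",
                                 "other_ip": other_ip})
        seen_ips[user].add(ip)
        last_login[user][ip] = ts
    return findings


if __name__ == "__main__":
    for finding in find_suspicious_logins(SAMPLE_LOGS.splitlines()):
        print(finding)
```

On the constructed sample this yields two findings for jsmith: the 02:14 login from 198.51.100.77 as a never-seen source, and the 02:20 login from the usual address as a concurrent session from a different IP. In production, seed the baseline from weeks of logs, add ASN or geolocation lookups to the "new source" test, and review the accounts the FortiGate itself uses (the LDAP bind account in particular), since those are the credentials this actor is documented taking.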
Why it's still unpatched
From our outreach to affected organizations, the pattern we hear:
- Change freeze cycles: FortiGate upgrades require planned maintenance windows; many orgs have quarterly or biannual change freezes
- Version compatibility concerns: SSL-VPN config doesn't always survive upgrades cleanly
- Visibility gap: Security teams often don't know FortiGate versions because it's "the network team's device"
- False confidence: "Our FortiGate is behind a firewall." The SSL-VPN listener has to be reachable from the internet for remote users to connect at all, so perimeter filtering does not protect it; the FortiGate usually is the perimeter
Interim mitigations
Disable SSL-VPN entirely if it is not actively used:

    config vpn ssl settings
        set status disable
    end

Fortinet's advisory is explicit that disabling only web mode is not a valid workaround; the listener itself has to be off. If SSL-VPN is required, restrict the sources that can reach it to known locations via firewall policy, which shrinks the attack surface but does not remove the bug. Patching is the only permanent fix.
Compliance implications
An unpatched CVE-2024-21762 on an internet-facing device, with exploitation documented in CISA's KEV catalog, affects compliance posture across frameworks:
- CMMC 2.0 Level 2: SI.L2-3.14.1 (identify, report and correct system flaws in a timely manner) and RA.L2-3.11.2 (scan for vulnerabilities periodically and when new vulnerabilities affecting the system are identified); an open, KEV-listed flaw on the perimeter is evidence of a gap against both
- NIS2 Art. 21(2)(e): security in network and information systems acquisition, development and maintenance, including vulnerability handling and disclosure; a known, actively exploited CVE left open on an internet-facing device is hard to reconcile with a working vulnerability-handling process
- HIPAA Security Rule §164.308(a)(1)(ii)(B) (risk management): security measures must reduce risks to a reasonable and appropriate level, so leaving a known critical flaw on the remote-access perimeter invites the reasonable-safeguards question; §164.308(a)(5) (security awareness and training) is at most tangential here
Enter your domain in the free check at parapetsec.com. Our passive scanner checks FortiGate version banners on your public-facing SSL-VPN endpoints without sending any exploit payloads — no system access required.
Check if your organization is exposed
Our passive scan checks 17 public sources — including VPN version banners, breach databases, and certificate logs — without touching your systems. Results in 48 hours.
GET FREE DOMAIN CHECK →