Breach report
Fortinet FortiOS SSL VPN: an out-of-bounds write became unauthenticated RCE
What happened
FortiOS powers Fortinet's FortiGate firewalls, whose SSL VPN feature terminates remote-access sessions directly on the public internet. On February 8, 2024, Fortinet disclosed CVE-2024-21762, an out-of-bounds write in the SSL VPN daemon (SSLVPNd) that lets a remote, unauthenticated attacker "execute arbitrary code or commands" via specially crafted HTTP requests. The advisory shipped with evidence of exploitation in the wild, and CISA added the flaw to its Known Exploited Vulnerabilities catalog on February 9, 2024 — within roughly a day of disclosure. Affected builds spanned FortiOS 6.0 through 7.4.2 and FortiProxy 1.0 through 7.4.2.
Because the vulnerable service is an internet-facing VPN concentrator, a single crafted request could hand an attacker code execution on the security appliance that is supposed to be the perimeter.
Root cause
The defect is a memory-safety bug — an out-of-bounds write, CWE-787, the #2 entry on the 2024 CWE Top 25. The SSL VPN request parser wrote past the bounds of a buffer while handling attacker-controlled input, corrupting memory in a way that could be steered into arbitrary code execution. No authentication was required to reach the vulnerable code path.
How it would have been caught
Memory-safety bugs in C/C++ network daemons surface under fuzzing (AFL++, libFuzzer) and address-sanitizer builds, which flag the out-of-bounds write on a malformed request long before an attacker weaponizes it. A reproduction fires the crafted HTTP request at the SSL VPN endpoint and confirms it corrupts memory or crashes the daemon rather than being safely rejected.
How to prevent it
- Fuzz internet-facing parsers and build with ASan/bounds-checking in CI; a crash on malformed input is a finding, not noise.
- Validate and bound every length and offset taken from untrusted input before writing to a buffer.
- Patch edge devices immediately and disable unused features (Fortinet advised disabling SSL VPN if patching had to wait) — edge CVEs are weaponized within days.
The Breachwire test (red → green)
Send the malformed SSL VPN request and confirm it triggers the out-of-bounds write (crash or code execution) — the RED control. Apply the bounds check on the parsed length, then confirm the same request is rejected as malformed while legitimate VPN handshakes still complete.