Over 133,000 Fortinet appliances are still vulnerable to a critical flaw — here’s why you need to patch now


More than 133,000 Fortinet appliances are still vulnerable to a critical bug disclosed in February 2024 affecting its FortiGate product, analysis shows. 

Figures from Shadowserver show that despite calls for customers to patch CVE-2024-21762 when it was disclosed last month, hundreds of thousands of devices exposed to the public internet remain vulnerable.

Given a 9.6 CVSS score, the out-of-bounds write vulnerability affects the SSL VPN component for the FortiGate network appliance, and can allow an attacker to execute arbitrary code or commands via a specially crafted HTTP request.

CVE-2024-21762 was one of a number of critical vulnerabilities affecting Fortinet products disclosed in February during what was a particularly turbulent week for the security giant.

The number of Fortinet appliances vulnerable to CVE-2024-21762 was listed at 150,000 just ten days ago on 7 March, with Shadowserver’s most recent figures demonstrating that while customers are patching, they are not doing so quickly enough.

Almost 55,000 vulnerable devices were located in Asia, making up the lion’s share of those still exploitable via the flaw. North America and Europe were the other two regions with significant portions of vulnerable Fortinet appliances at 35,000 and 28,000 respectively.

Fortinet has advised customers that simply disabling webmode within FortiOS and FortiProxy is not a valid workaround, and that organizations running affected versions should disable SSL VPN.

Fortinet has had a difficult 2024 so far

CVE-2024-21762 was at the forefront of a difficult week for the security company in February, which saw a number of critical vulnerabilities disclosed along with a media storm concerning IoT-enabled toothbrushes.

Fortinet was first broadsided by a story warning of the potential for attackers to use IoT-enabled toothbrushes injected with malware to form a 3 million-strong botnet that could be used to carry out DDoS attacks. 

Although Fortinet disputed the story, a war of words ensued between the company and the Swiss newspaper in which the initial claim was published, creating a PR disaster for Fortinet that wasn’t helped by the disclosure of three critical vulnerabilities, including CVE-2024-21762.

Analysis from attack surface management platform Assetnote noted that FortiGate is widely deployed among organizations across the world, and thus a pre-auth RCE vulnerability such as CVE-2024-21762 could have significant consequences.

Researchers at Assetnote said they found little information on indicators of compromise (IOCs) for CVE-2024-21762, but suggested that keeping an eye out for any new Node.js processes could be beneficial, considering this is not the first FortiGate exploit using this technique.

The firm also added that this is far from a novel security vulnerability, being another instance of a network appliance having serious memory corruption problems, and noted it is once again up to admins to ensure they apply mitigations as and when they are provided.

“As is often the case with these issues the mitigations are known, it's just whether or not they are applied”

Solomon Klappholz
Staff Writer
