Firmware Update — Critical Security Patch
FortiOS 7.4.x — Security Advisory FG-IR-24-015
Vulnerability Summary
A critical heap-based buffer overflow (CVE-2024-21762) in FortiOS SSL-VPN allows an unauthenticated remote attacker to execute arbitrary code or commands via specially crafted HTTP requests. CVSS score: 9.6.
| Field | Value |
|---|---|
| CVE ID | CVE-2024-21762 |
| Severity | Critical (CVSS 9.6) |
| Affected versions | FortiOS 7.0.0 – 7.4.2 |
| Fixed version | FortiOS 7.4.3 |
| Attack vector | Network — No auth required |
| Patch type | Out-of-band emergency release |
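The affected and fixed versions in the table above translate directly into a simple inventory check. The following Python script is an added example, not part of this advisory or of any Fortinet tooling: it parses FortiOS version strings, applies the range stated on this page (7.0.0 through 7.4.2 affected, 7.4.3 fixed) inclusively at both ends, and flags each device. The inventory entries and the `v7.2.8,build1639` style of version string are constructed sample input; the range constants are assumed to be exactly as this page states them.

```python
import re
from typing import List, Optional, Tuple

Version = Tuple[int, int, int]

# Range as stated in the advisory table above (assumed exact; inclusive at both ends).
AFFECTED_MIN: Version = (7, 0, 0)
AFFECTED_MAX: Version = (7, 4, 2)
FIXED_VERSION: Version = (7, 4, 3)

# Matches the x.y.z part of strings such as "7.2.8" or "v7.4.3,build2573".
_VERSION_RE = re.compile(r"v?(\d+)\.(\d+)\.(\d+)")


def parse_fortios_version(text: str) -> Optional[Version]:
    """Return (major, minor, patch) from a version string, or None if no x.y.z is present."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    major, minor, patch = (int(g) for g in m.groups())
    return (major, minor, patch)


def is_affected(version: Version) -> bool:
    """True when the version falls inside the advisory's affected range."""
    return AFFECTED_MIN <= version <= AFFECTED_MAX


def classify(version: Optional[Version]) -> str:
    """Map a parsed version to one of four inventory states."""
    if version is None:
        return "unknown-version"      # could not parse: needs manual review
    if is_affected(version):
        return "vulnerable"           # inside 7.0.0 .. 7.4.2
    if version >= FIXED_VERSION:
        return "patched"              # 7.4.3 or later
    return "not-in-range"             # older than 7.0.0: outside this advisory's scope


def assess(inventory: List[Tuple[str, str]]) -> List[Tuple[str, Optional[Version], str]]:
    """Classify every (hostname, raw_version_string) pair in an inventory list."""
    results = []
    for host, raw in inventory:
        version = parse_fortios_version(raw)
        results.append((host, version, classify(version)))
    return results


if __name__ == "__main__":
    # Constructed sample inventory; hostnames and version strings are illustrative only.
    sample_inventory = [
        ("fw-branch-01", "v7.2.8,build1639"),   # matches the "Current FW" on this page
        ("fw-branch-02", "7.4.3"),              # the page's fixed version
        ("fw-dc-01", "v7.0.0,build0066"),       # lower bound of the affected range
        ("fw-legacy", "6.4.15"),                # older than the stated range
        ("fw-unknown", "n/a"),                  # unparsable version string
    ]
    for host, version, status in assess(sample_inventory):
        print(f"{host:14} {str(version):14} {status}")
```

Devices reported as `unknown-version` should be treated as unverified rather than safe; the check only speaks to the range this page states, so an `not-in-range` result means the device is outside this advisory's scope, not that it is patched.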
What this patch addresses
- Heap overflow in SSL-VPN web management interface allowing RCE (CVE-2024-21762)
- Authentication bypass in FortiOS admin panel via crafted cookie (CVE-2024-23113)
- Path traversal in FortiOS file management allowing arbitrary read/write
- Improper certificate validation in FortiGate-to-FortiManager communication
- Memory corruption in IPS engine when processing oversized packet headers
Detected device
| Field | Value |
|---|---|
| Model | FortiGate 100F |
| Serial | FGT1HDTB21900xxx |
| Current FW | 7.2.8 — Vulnerable |
| Target FW | 7.4.3 — Patched |
| Status | Patch required |