
FortiOS SSL VPN Vulnerability Actively Exploited in the Wild

Ryan Gregory, February 12, 2024

On February 8, 2024, Fortinet issued a security advisory regarding a critical remote code execution (RCE) vulnerability impacting FortiOS SSL VPN. The vulnerability, CVE-2024-21762, allows threat actors to run arbitrary code or commands via specially crafted HTTP requests. 

The FortiOS SSL VPN vulnerability potentially enables threat actors to execute several cyber attacks. Businesses running FortiOS SSL VPN should take immediate remediation steps. 

What happened?

On February 9, 2024, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the FortiOS SSL VPN vulnerability to its Known Exploited Vulnerabilities (KEV) catalog and announced attackers were actively exploiting it in the wild.

At the time of publication, CISA’s advisory cautioned that Fortinet had not provided additional details about attacks, but noted that threat actors often exploit vulnerabilities in Fortinet devices.

Fortinet also patched two separate critical RCE vulnerabilities the week of February 9, 2024, potentially creating confusion among businesses regarding which devices were vulnerable to which CVE. 

What should policyholders do?

Businesses running FortiOS SSL VPN should immediately follow the vendor's guidance to patch their devices to the appropriate version. If they cannot immediately patch, they should instead disable ‘sslvpnd’ as a workaround. However, disabling ‘sslvpnd’ will make the VPN device unusable.

As a precautionary measure, we recommend taking impacted Fortinet devices offline until they have been updated to the newest version of FortiOS. Fortinet has provided instructions in their security advisory, which includes a complete list of impacted versions and what patches to apply. 

Coalition external scans cannot detect which firmware version a business is running. Any policyholder with questions or concerns regarding their Fortinet device or the FortiOS SSL VPN vulnerability can contact our Security Support Center.


Insurance products referenced herein are offered by Coalition Insurance Solutions, Inc. (“CIS”), a licensed insurance producer with its principal place of business in San Francisco, CA (Cal. license #0L76155), acting on behalf of a number of unaffiliated insurance companies. A list of our admitted carriers is available here. Complete license information for CIS is available here. Insurance products offered through CIS may not be available in all states. All insurance products are governed by the terms and conditions set forth in the applicable insurance policy. Please see a copy of your policy for the full terms and conditions. Any information on this communication does not in any way alter, supplement, or amend the terms and conditions of the applicable insurance policy and is intended only as a brief summary of such insurance products. Policy obligations are the sole responsibility of the issuing insurance carrier. The descriptions provided herein are solely for informational purposes and are not to be construed as advice of any kind or the rendering of consulting, financial, legal, or other professional services from Coalition. Any action you take upon the information contained herein is strictly at your own risk. Coalition will not be liable for any losses and damages in connection with your use or reliance upon the information.
