A recent investigation by Akamai researcher Ben Barnea has revealed significant vulnerabilities in Fortinet’s FortiOS, the operating system powering its VPN and firewall solutions.
These flaws, if exploited, could allow attackers to execute remote code (RCE) or launch denial-of-service (DoS) attacks.
The vulnerabilities, designated as CVE-2024-46666 and CVE-2024-46668, have been addressed by Fortinet through patches released on January 14, 2025.
Legacy Code in FortiOS Exposes Critical Security Flaws
The vulnerabilities stem from Fortinet’s reliance on an outdated version of the Apache apreq library, a module designed for handling client request data.
This version, dating back nearly 25 years, contains multiple security issues such as out-of-bounds (OOB) writes, wild copy flaws, and device-level DoS risks.
These weaknesses make FortiOS devices susceptible to exploitation by unauthenticated attackers.
Exploitation Risks
The identified vulnerabilities include:
- Out-of-Bounds Write of NULL Byte: This flaw could allow attackers to manipulate heap memory, though practical exploitation for RCE is considered challenging due to architectural constraints.
- Wild Copy Vulnerability: A coding error in buffer length calculations could lead to memory corruption. While unlikely to result in RCE, it can destabilize the system.
- Device-Level DoS: By exploiting improper file management in the
/tmp/directory during file uploads, attackers can overwhelm system memory, rendering the device nonfunctional. - Web Server DoS: A NULL pointer dereference vulnerability in the
multipart_buffer_headersfunction can crash the web server when exploited by maliciously crafted requests.
These vulnerabilities are particularly concerning for internet-facing devices such as VPN appliances and firewalls since they serve as critical gateways into organizational networks.
Exploitation could enable attackers to disrupt operations or gain unauthorized access to sensitive systems.
Fortinet has issued patches for these vulnerabilities and advises users to upgrade their FortiOS installations to the latest versions immediately.
Devices running outdated firmware remain at risk of exploitation.
Organizations are also encouraged to restrict public access to management interfaces and monitor for unusual activity that could indicate compromise.
While no evidence of active exploitation has been reported for these specific vulnerabilities, the history of attacks on VPN appliances underscores the importance of proactive defense measures.
Akamai researchers emphasize that legacy codebases like the one used in FortiOS are prime targets for cybercriminals and require rigorous scrutiny.
Fortinet’s swift response highlights the critical need for continuous security research and timely patching to safeguard enterprise networks against evolving threats.
