VPN-FORTINET-RCEInitial Access

FortiGate / FortiOS RCE

Recurring pre-auth heap overflow / sslvpnd format-string class CVEs (CVE-2024-21762, CVE-2023-27997) — root on the appliance.

§ Where this technique fits

VPN-FORTINET-RCE is catalogued under the Initial Access tactic of the offensive-security kill-chain. It appears in 1 approved dossier in the registry, typically at step 2 on average.

§ Dossiers chaining this technique

FortiGate SSL-VPN pre-auth RCE → config theft
Pre-auth heap overflow / format-string against FortiGate sslvpnd grants root on the appliance. Pull the running config, decrypt stored RADIUS / LDAP / VPN-user secrets.
step 2 / 6

§ What commonly comes next

01
Command and Scripting Interpreter
T1059 · Execution
seen 1×

§ Where this technique fits

§ Dossiers chaining this technique

FortiGate SSL-VPN pre-auth RCE → config theft

§ What commonly comes next