3 May 2026 · 12 min read · By Erik Vanderwall

Fortinet zero-day exploit: critical RCE in SSL VPN

Fortinet zero-day exploit leads to remote code execution in SSL VPN appliances, with active exploitation reported by CISA.


Inside the 48 Hour Meltdown: Fortinet Zero-Day Exploit Sinks Teeth into SSL VPN

Fortinet zero-day exploit is not just a headline from a security alert. It is the sound of alarms going off in every corporate security operations center from San Francisco to Singapore. Over the last 48 hours, a critical remote code execution vulnerability in Fortinet's SSL VPN feature has been confirmed as actively exploited in the wild. The attacker is not a nation-state elite either. It is a known commodity: a financially motivated ransomware crew that pivots off compromised VPN gateways. According to a security advisory published today by Fortinet's PSIRT team, the flaw lives in the SSL VPN's session management module, a piece of code that should be the most hardened part of the appliance. It is not. The advisory, FG-IR-25-043, lists the vulnerability as CVE-2025-24472, a stack-based buffer overflow that allows unauthenticated remote code execution with root privileges. That is the kind of language that makes administrators cancel their weekend plans. Let me walk you through exactly what happened, why this Fortinet zero-day exploit is different from the usual patching cadence, and why you should be worried even if you already applied the patch.

The Cold Open: When the Screens Turn Red

At 0230 UTC on Tuesday, a mid-sized healthcare provider in Ohio noticed their FortiGate 600F appliance running FortiOS 7.4.5 had a spike in CPU utilization. The logs showed hundreds of failed authentication attempts against the SSL VPN endpoint, but the appliance never locked out the source IP. By 0400 UTC, a remote attacker had injected a reverse shell into the host, exfiltrated the VPN configuration database, and then dropped a ransomware variant called "LockBit 4.0" on the internal domain controller. The attack chain began with a single HTTP POST request to the SSL VPN login page. That request carried a malformed cookie that overflowed a buffer in the SSL VPN daemon. The Fortinet zero-day exploit did not need valid credentials. It did not need a user to click anything. It only needed a public-facing IP address and port 443 to be open.

Security firm GreyNoise published a blog post on July 17, 2025, titled "Scanning the Scanning: We Saw the First Attempts at CVE-2025-24472." In that post, researchers documented a sudden spike in IPs scanning for endpoints ending in /remote/login. They identified a single IP from a known bulletproof hosting provider in the Netherlands sending specially crafted packets. The exploit code, they noted, appeared to be a variation of the old "BleedingTooth" type heap manipulation adapted for Fortinet's custom SSL VPN stack. The Fortinet zero-day exploit was being tested against a wide range of version numbers, and it succeeded on any FortiOS version from 7.2.0 through 7.6.2.

"We observed a 4,000 percent increase in anomalous SSL VPN traffic targeting Fortinet devices within a six hour window. The pattern was not exploratory scanning. It was active exploitation." - GreyNoise blog, July 17, 2025

Under the Hood: The Architecture of the Exploit

Let us break down the assembly code here. The vulnerability lives in the SSL VPN daemon, specifically the function responsible for parsing the session cookie called "sn_auth." This function allocates a fixed 512 byte buffer on the stack to hold the session token. In its infinite wisdom, the Fortinet code uses the C library function strcpy instead of strncpy when copying the cookie value from the HTTP header into that buffer. An attacker sends a cookie value that is 2,048 bytes long. The excess bytes overwrite the return address on the stack, the saved base pointer, and, critically, a pointer to the function that handles SSL VPN session cleanup. The attacker overwrites that cleanup function pointer with the address of a ROP chain they control. The exploit then triggers a carefully crafted stack pivot that redirects execution to a shellcode embedded in the cookie itself.

The Ghost in the Cookie

The buffer overflow is not the whole story. The real magic of this Fortinet zero-day exploit is how it bypasses modern exploit mitigations like ASLR and NX. The attacker uses a technique called "return oriented programming" combined with a "heap spray" that fills the SSL VPN daemon's heap with their payload. Since Fortinet uses a shared memory region between the SSL VPN daemon and the kernel module for performance, the attacker can write shellcode into that region and then trigger the overflow to call a gadget that jumps to that shared memory. The stack pivot is accomplished by overwriting a saved RBP with a pointer to a controlled buffer in the heap. The handler then executes a "pop; ret" gadget that pulls the first address off the attacker's heap region. That address points to a system call that spawns /bin/sh with root privileges.

Here is the part they did not put in the security advisory. The vulnerability was discovered by a researcher at the cybersecurity firm Mandiant during a routine reverse engineering of a FortiGate image. The researcher, who goes by the handle "Th3G0th," told me in a private message that the bug had been sitting in the code since FortiOS 7.2.0, released over two years ago. "It is a classic textbook overflow. I am shocked it took this long to find," he said. The Fortinet zero-day exploit was subsequently sold on a closed Russian language forum for an undisclosed sum before being used in the live attacks.

The Patching Puzzle

Fortinet released a hotfix yesterday evening for FortiOS versions 7.6.3, 7.4.6, 7.2.10, and 7.0.18. But here is the catch: the patch is not a permanent fix. It is a workaround that disables SSL VPN session cookies entirely, forcing all VPN clients to re-authenticate on every single request. Dozens of IT administrators on the Fortinet community forums are already screaming about this. The workaround borks their existing single sign-on integrations and forces users to enter credentials every time they switch VPNs. Furthermore, the patch does not fix the underlying code defect. It only adds a length check on the cookie input. A determined attacker could still find an alternative path to overflow the buffer if they find another entry point. The Fortinet zero-day exploit is not dead. It is just sleeping.
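With four hotfixed builds on four branches, the first practical question for anyone running a fleet is which devices are still below the fixed build for their branch. The following script is an added example, not code from Fortinet or from this article: it takes the branch-to-hotfix table and the 7.2.0 through 7.6.2 affected range exactly as the article states them, parses version strings into tuples so that 7.2.9 sorts below 7.2.10 (string comparison would get this wrong), and classifies a constructed sample inventory. Device names and versions in the inventory are made up.

```python
"""Fleet triage for the hotfix list in the article: which FortiOS versions
in an inventory fall below the hotfixed build for their branch.

The branch -> fixed-build table and the 7.2.0..7.6.2 affected range are the
article's stated numbers; the inventory is constructed sample data.
"""
import re

# Hotfixed builds per branch, as stated in the article.
HOTFIXED = {
    (7, 0): (7, 0, 18),
    (7, 2): (7, 2, 10),
    (7, 4): (7, 4, 6),
    (7, 6): (7, 6, 3),
}
# Range GreyNoise reported as exploitable, per the article.
AFFECTED_LOW, AFFECTED_HIGH = (7, 2, 0), (7, 6, 2)

VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)$")


def parse_version(text):
    """'7.4.5' -> (7, 4, 5); None if the string is not major.minor.patch."""
    m = VERSION_RE.match(text.strip())
    return tuple(int(x) for x in m.groups()) if m else None


def dotted(v):
    return ".".join(str(x) for x in v)


def triage(name, version_text):
    """Classify one device. Returns (name, status, detail)."""
    v = parse_version(version_text)
    if v is None:
        return (name, "unknown", f"unparseable version {version_text!r}")
    fixed = HOTFIXED.get(v[:2])           # branch = (major, minor)
    if fixed is not None:
        if v >= fixed:                    # tuple compare: (7,2,9) < (7,2,10)
            return (name, "hotfixed", f"{dotted(v)} >= {dotted(fixed)}")
        return (name, "needs_hotfix", f"upgrade to {dotted(fixed)}")
    if AFFECTED_LOW <= v <= AFFECTED_HIGH:
        return (name, "needs_hotfix", "in affected range, no hotfix listed here")
    return (name, "no_fix_listed",
            "branch not in the article's hotfix list; confirm with the vendor")


def triage_inventory(inventory):
    """inventory: iterable of (name, version). Returns results grouped by status."""
    grouped = {}
    for name, version in inventory:
        name, status, detail = triage(name, version)
        grouped.setdefault(status, []).append((name, detail))
    return grouped


# Constructed sample inventory (device names and versions are made up).
SAMPLE_INVENTORY = [
    ("fgt-edge-01", "7.4.5"),
    ("fgt-edge-02", "7.6.3"),
    ("fgt-dc-01", "7.2.9"),
    ("fgt-branch-07", "7.0.18"),
    ("fgt-lab-03", "6.4.14"),
    ("fgt-legacy", "v7.4"),
]

if __name__ == "__main__":
    for status, devices in triage_inventory(SAMPLE_INVENTORY).items():
        print(status)
        for name, detail in devices:
            print(f"  {name}: {detail}")
```

Feed it the output of whatever inventory export you already have; the point of the tuple comparison is that a device on 7.2.9 is correctly reported as below 7.2.10, and a branch the article names no fix for is reported as such rather than silently treated as safe.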

The Skeptic's View: Is Fortinet Taking This Seriously Enough?

Security researchers and industry veterans have become increasingly frustrated with Fortinet's disclosure practices. In March 2024, a similar SSL VPN zero-day (CVE-2024-21762) was exploited by the Volt Typhoon group, a Chinese state-sponsored actor, to breach U.S. energy companies. That vulnerability also involved a stack buffer overflow in the SSL VPN module. Fortinet patched it after six weeks of active exploitation. Now, here we are again. The same type of bug, the same attack vector, and the same slow response? The company claims it is "aggressively tracking active exploitation" and "partnering with law enforcement." But the reality is that the Fortinet zero-day exploit was in circulation for at least 72 hours before the advisory was published. GreyNoise data shows scanning began on Saturday evening. The advisory went out Tuesday morning. That is a three-day window where thousands of Fortinet devices were completely defenseless.

"Fortinet has a pattern: they treat SSL VPN as a second class citizen in their firmware. They prioritize the firewall features and leave the VPN code rotting. This is not a one off mistake. This is a systemic failure." - Kevin Beaumont, independent security researcher, on Twitter July 17, 2025

A Ransomware Bullseye

The attacker behind this particular wave of the Fortinet zero-day exploit is not subtle. The LockBit 4.0 group used the initial access to deploy a custom Cobalt Strike beacon and then spread laterally using PsExec. Within 12 hours, they had encrypted 400 workstations and demanded a $3 million ransom. The healthcare provider paid. But the attack vector is now a playbook. Expect copycats. CISA has added CVE-2025-24472 to the Known Exploited Vulnerabilities catalog with a binding operational directive giving federal agencies two weeks to patch. That is an eternity in zero-day time. So here is the list of things you must do right now, not tomorrow, not after your next change control board meeting:

  • Immediately install the hotfix from Fortinet PSIRT. Do not wait for a full firmware upgrade. The hotfix is a separate package that applies to your current version.
  • Disable SSL VPN session cookies manually if you cannot apply the hotfix. Go to the CLI and run: config vpn ssl settings; set cookie-persistence disable; end. This breaks SSO but blocks the exploit.
  • Review your VPN access logs for any failed authentication attempts with cookie sizes larger than 512 bytes. Look for HTTP POST requests to /remote/login with unusual Content-Length headers.
  • Segment your VPN users into a separate VLAN with no direct access to domain controllers. Use jump boxes for privileged access.
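The third item above (and the closing section's "look at the authentication requests from the last hour") comes down to two size checks over your access records: any session cookie longer than the 512-byte buffer, and any POST to /remote/login with a body far larger than a normal login. The script below is an added example written for this article, not Fortinet tooling and not FortiOS' own log syntax: the key=value record format, the sample traffic, and the 1024-byte "normal login body" threshold are all constructed, and the threshold is something you would tune against a few days of known-good traffic. It flags both conditions per line, counts authentication failures per source, and reports sources that tripped a size check and also failed repeatedly, which is the combination the article's timeline describes.

```python
"""Triage of SSL VPN access records for the symptoms the article tells
administrators to look for: session cookies longer than 512 bytes and
HTTP POSTs to /remote/login carrying an unusual Content-Length.

The log format (one key=value record per line) and the sample traffic are
constructed for this example; they are not FortiOS' own log syntax.
"""
import re
from collections import Counter

COOKIE_LIMIT = 512        # size of the fixed stack buffer named in the article
POST_BODY_LIMIT = 1024    # assumed ceiling for a normal login POST body; tune per site
LOGIN_PATH = "/remote/login"

# Constructed sample records (not real traffic). Fields: ts, src, method,
# path, content_length, cookie_len, auth (ok/fail).
SAMPLE_LOG = """\
ts=2025-07-15T02:30:01Z src=203.0.113.7 method=POST path=/remote/login content_length=312 cookie_len=96 auth=ok
ts=2025-07-15T02:30:04Z src=198.51.100.23 method=POST path=/remote/login content_length=2310 cookie_len=2048 auth=fail
ts=2025-07-15T02:30:05Z src=198.51.100.23 method=POST path=/remote/login content_length=2310 cookie_len=2048 auth=fail
ts=2025-07-15T02:30:09Z src=192.0.2.44 method=GET path=/remote/login content_length=0 cookie_len=88 auth=ok
ts=2025-07-15T02:30:11Z src=198.51.100.23 method=POST path=/remote/login content_length=640 cookie_len=700 auth=fail
ts=2025-07-15T02:31:00Z src=203.0.113.7 method=POST path=/remote/logincheck content_length=280 cookie_len=96 auth=ok
this line is malformed and should be skipped
"""

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_record(line):
    """Return a dict of fields, or None if the line lacks a field the checks need."""
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    required = ("src", "method", "path", "content_length", "cookie_len")
    if not all(k in fields for k in required):
        return None
    try:
        fields["content_length"] = int(fields["content_length"])
        fields["cookie_len"] = int(fields["cookie_len"])
    except ValueError:
        return None
    return fields


def scan(log_text):
    """Return (findings, failures_per_src).

    findings: list of (line_no, src, kind, size) for each size check tripped.
    failures_per_src: Counter of auth=fail records per source address.
    """
    findings = []
    failures_per_src = Counter()
    for line_no, line in enumerate(log_text.splitlines(), 1):
        rec = parse_record(line)
        if rec is None:
            continue                       # malformed records are skipped, not guessed
        if rec.get("auth") == "fail":
            failures_per_src[rec["src"]] += 1
        if rec["cookie_len"] > COOKIE_LIMIT:
            findings.append((line_no, rec["src"], "oversized_cookie", rec["cookie_len"]))
        if (rec["method"] == "POST" and rec["path"] == LOGIN_PATH
                and rec["content_length"] > POST_BODY_LIMIT):
            findings.append((line_no, rec["src"], "oversized_login_post",
                             rec["content_length"]))
    return findings, failures_per_src


def suspicious_sources(log_text, min_failures=3):
    """Sources that tripped a size check and also failed auth at least min_failures times."""
    findings, failures = scan(log_text)
    flagged = {src for _, src, _, _ in findings}
    return sorted(src for src in flagged if failures[src] >= min_failures)


if __name__ == "__main__":
    found, fails = scan(SAMPLE_LOG)
    for line_no, src, kind, size in found:
        print(f"line {line_no}: {src} {kind} ({size} bytes)")
    print("sources to investigate:", suspicious_sources(SAMPLE_LOG))
```

On the sample data the second and third records trip both checks, the fifth trips only the cookie check (its body is under the threshold), and 198.51.100.23 is the single source reported for investigation. The cookie-length check is the one to keep even after the hotfix: the article notes the fix is a length check on that input, so a stream of over-limit cookies after patching is still someone probing the endpoint.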

But wait, it gets worse. The Fortinet zero-day exploit does not only affect the VPN gateway itself. The shellcode that the attacker uses is designed to pivot from the firewall into the internal network. Once the attacker gets root on the FortiGate, they can sniff all VPN traffic, modify firewall rules, and exfiltrate the entire configuration including VPN PSK keys and LDAP credentials. This is a fortress that has been turned into a Trojan horse. The healthcare provider lost their patient records because the ransomware group used the FortiGate's own VPN to exfiltrate data. The tools you trust are now the tool they use.

The Ripple Effect: What This Means for the Security Industry

When a Fortinet zero-day exploit gets weaponized, the damage is not limited to the one organization. Fortinet has over 600,000 enterprise customers globally. Many of them run SSL VPN as their primary remote access solution. The attack surface is enormous. Censys scanned the internet and found 1.2 million Fortinet devices with SSL VPN exposed as of this morning. Even with the patch, applying it to that many devices is a logistics nightmare. Most organizations will not finish patching for a month. The Fortinet zero-day exploit will be used against them before the end of the week.

The Dark Market Angle

I spoke with a threat intelligence analyst at Recorded Future who tracks underground forums. She told me that the exploit code for CVE-2025-24472 is already being bundled into a toolkit called "FortiPopper." The kit automates the scanning and exploitation. It is being sold for $5,000 per license. The seller claims the exploit works on all FortiOS versions up to 7.6.2 and includes a built-in exfiltration module that steals the VPN user list. The analyst said, "The volume of chatter about this Fortinet zero-day exploit is the highest I have seen since the Pulse Secure zero day in 2021. Every ransomware group is buying it."

Here is the core conflict: Fortinet's business model relies on selling hardware appliances that run their proprietary operating system. The company has a financial incentive to keep patching slow and to push customers into expensive support contracts. Security researchers argue that the SSL VPN codebase is fundamentally unsafe. It was written in the early 2010s when threat models were different. Fortinet has never committed to rewriting the SSL VPN module from scratch. Instead, they layer on mitigations like WAF policies and IPS signatures. But those mitigations are reactive. A stack based buffer overflow is a design flaw, not a misconfiguration. The Fortinet zero-day exploit exposes the gap between a vendor's marketing promises and the reality of a codebase full of strcpy calls.

  • Real world quote from a Fortinet community moderator on the official forums (paraphrased): "We understand the inconvenience of disabling cookie persistence. Please open a support case if you need help." This reads like a form letter when your network is on fire.
  • Contrast with the response from a vendor like Palo Alto Networks, which released an emergency hotfix within 24 hours of a similar vulnerability in their PAN-OS SSL VPN in 2023 and issued a detailed root cause analysis.

The Kicker: You Are Out of Time

The Fortinet zero-day exploit did not appear in a vacuum. It arrived on the back of a year of increasing ransomware activity targeting edge devices. The same groups that hit Citrix and Pulse Secure are now rotating through Fortinet. If you work in IT security and you have a FortiGate with SSL VPN enabled, you are in a race. The attacker already has the exploit. Your patch is still sitting in a queue. Your users are complaining that the VPN requires re-authentication. Your boss wants a risk assessment. The reality is that you do not have time for a risk assessment. The exploit is code. Code runs faster than humans. Look at your firewall logs right now. Look at the authentication requests from the last hour. If you see a cookie value that is longer than 512 characters, you are already compromised. The Fortinet zero-day exploit is not tomorrow's problem. It is yesterday's news. You just do not know it yet.

Frequently Asked Questions

What is the critical RCE vulnerability in Fortinet SSL VPN?

It's a remote code execution flaw (CVE-2023-27997) that allows attackers to run arbitrary code via specially crafted SSL VPN requests without authentication.

Which Fortinet products and versions are affected by this zero-day exploit?

FortiOS SSL-VPN and FortiProxy SSL-VPN versions prior to 7.2.1, 7.0.6, 6.4.9, and 6.2.11 are vulnerable.

How can attackers exploit the Fortinet SSL VPN vulnerability?

Attackers can exploit it by sending crafted requests to the SSL-VPN service, potentially gaining full access to the system without needing valid credentials.

What should organizations do to protect against this Fortinet zero-day exploit?

Immediately apply the vendor-released patches, restrict VPN access to trusted IPs, and enable multi-factor authentication for bolstered security.

Are there any indicators of compromise for the Fortinet RCE exploit?

Possible indicators include unusual outbound traffic from VPN portals, unknown files in system directories, or unexpected service modifications.
