CVE-2024-23662 Overview
CVE-2024-23662 is an information disclosure vulnerability affecting multiple versions of Fortinet FortiOS. The flaw allows an unauthenticated remote attacker to obtain sensitive information by sending crafted HTTP requests to vulnerable devices. The issue is tracked under CWE-200: Exposure of Sensitive Information to an Unauthorized Actor and is documented in the FortiGuard Security Advisory FG-IR-23-224.
Critical Impact
An unauthenticated network attacker can retrieve sensitive information from affected FortiOS devices through HTTP requests, with no privileges or user interaction required.
Affected Products
- Fortinet FortiOS 7.4.0 through 7.4.1
- Fortinet FortiOS 7.2.0 through 7.2.5 and 7.0.0 through 7.0.15
- Fortinet FortiOS 6.4.0 through 6.4.15
Discovery Timeline
- 2024-04-09 - CVE-2024-23662 published to the National Vulnerability Database (NVD)
- 2024-12-11 - Last updated in NVD database
Technical Details for CVE-2024-23662
Vulnerability Analysis
The vulnerability is an Information Disclosure issue in Fortinet FortiOS classified under [CWE-200]. An unauthorized actor can elicit sensitive data from the device by issuing HTTP requests to an exposed management or service interface. The flaw is network-reachable, requires no authentication, and requires no user interaction, making it trivial to weaponize against internet-facing FortiGate appliances.
The disclosed data category is not enumerated in the advisory, but [CWE-200] commonly covers leakage of configuration data, internal identifiers, session artifacts, or other server-side state. Attackers typically chain such disclosures with subsequent authenticated or protocol-level exploits to escalate impact.
Root Cause
The root cause is improper restriction of sensitive response content within the FortiOS HTTP handling path. The service returns data that should be limited to authenticated or privileged contexts when processing specific HTTP requests. Fortinet has not published exploit-level technical details, instead remediating affected branches through their PSIRT advisory.
Attack Vector
The attack vector is network-based. An attacker reaches the affected HTTP service on the FortiGate device and issues requests that trigger the disclosure. Because the integrity and availability impact is none, this vulnerability is purely confidentiality-affecting and is most useful as a reconnaissance or pre-attack primitive. Refer to the FortiGuard advisory FG-IR-23-224 for vendor guidance.
Detection Methods for CVE-2024-23662
Indicators of Compromise
- Unexpected HTTP GET or POST requests to FortiOS administrative or service endpoints from untrusted sources.
- HTTP responses from FortiGate devices containing unusually large payloads or sensitive content correlated with unauthenticated sessions.
- Repeated probing patterns from a single source IP targeting FortiOS HTTP listeners.
Detection Strategies
- Inspect FortiGate HTTP/HTTPS access logs for anomalous request paths and unauthenticated traffic to management interfaces.
- Correlate firewall logs with threat intelligence feeds for known Fortinet scanning infrastructure.
- Deploy network IDS signatures targeting reconnaissance patterns against FortiOS service endpoints.
Monitoring Recommendations
- Forward FortiOS event and traffic logs to a centralized SIEM for retention and correlation against historical baselines.
- Alert on any administrative interface access originating from outside approved management networks.
- Track FortiOS firmware version inventory continuously to confirm patched builds remain deployed.
How to Mitigate CVE-2024-23662
Immediate Actions Required
- Identify all FortiGate devices and inventory the running FortiOS version against the affected ranges above.
- Restrict access to FortiOS administrative HTTP and HTTPS interfaces to trusted management networks only.
- Apply the fixed FortiOS releases referenced in the FortiGuard advisory FG-IR-23-224 as soon as a maintenance window permits.
Patch Information
Fortinet has released fixed builds for affected FortiOS branches. Consult the FortiGuard Security Advisory FG-IR-23-224 for the exact fixed version corresponding to each branch (7.4.x, 7.2.x, 7.0.x, and 6.4.x) and upgrade paths.
Workarounds
- Disable HTTP/HTTPS administrative access on untrusted interfaces using config system interface and removing http and https from allowaccess.
- Enforce trusted-host restrictions on administrative accounts via config system admin to limit source IPs.
- Place FortiGate management interfaces behind a VPN or jump host until patching is complete.
# Configuration example: restrict admin HTTP/HTTPS access on a WAN interface
config system interface
edit "wan1"
set allowaccess ping
next
end
# Restrict admin source IPs via trusted hosts
config system admin
edit "admin"
set trusthost1 10.0.0.0 255.255.255.0
next
end
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

