Researcher Details Fortinet FortiOS Vulnerabilities Allowing DoS & RCE Attacks

A security audit of Fortinet’s FortiOS VPN conducted by Akamai researcher Ben Barnea has uncovered multiple vulnerabilities that could enable attackers to launch denial-of-service (DoS) attacks and potentially execute remote code (RCE).

The findings, responsibly disclosed to Fortinet, prompted a swift response from the cybersecurity firm, with patches released on January 14, 2025, to address the identified weaknesses.

The vulnerabilities stem from Fortinet’s use of the ‘apreq’ library (libapreq), an Apache HTTP Server library for parsing client request data such as query strings and multipart/form-data uploads.

Barnea found that Fortinet’s copy of apreq was based on a nearly 25-year-old version of the library with minimal modifications. This antiquated codebase contained several flaws: an out-of-bounds (OOB) write of a NULL byte, a wild copy, a device DoS, a web server DoS, and an OOB read.

Multiple Vulnerabilities Uncovered

One of the most concerning vulnerabilities is a device DoS. It resides not in apreq itself but in Fortinet’s own code that calls the library: when a user uploads a file through a form, a new file is created in the /tmp/ directory.

For each uploaded file, a struct is created and added to a linked list of uploaded files, but only the first entry in that list is deleted when parsing finishes; the remaining temporary files are left behind.

An attacker can exploit this by repeatedly sending requests whose forms contain multiple files, eventually filling the /tmp/ directory, which lives in RAM rather than on persistent storage.

This leads to a full system out-of-memory (OOM) condition, leaving the device stuck and nonfunctional until it is restarted. In some cases the attack can even brick the device, rendering it unusable even after a reboot.

[Figure: Vulnerability leads to DoS]
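The clean-up bug described above, modelled in C as an added example (this is illustrative code, not Fortinet’s or libapreq’s): a request’s file parts are spooled to temp files tracked in a linked list, and the buggy end-of-parse clean-up frees only the list head, so every additional file in the same request is leaked. The function names, the `struct upload` layout and the `/tmp/upload_demo_XXXXXX` template are assumptions for the demo; the spool files are real files created under /tmp, which is assumed to be writable.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* One spooled file part; the parser keeps these in a singly linked list. */
struct upload {
    char path[32];          /* temp file, e.g. /tmp/upload_demo_XXXXXX (assumed name) */
    struct upload *next;
};

/* Spool one file part to a fresh temp file and push it onto the list.
 * Assumption: /tmp is writable (on the appliance it is RAM-backed). */
static struct upload *spool_part(struct upload *head, const char *data, size_t len)
{
    struct upload *u = calloc(1, sizeof *u);
    if (!u)
        return head;
    strcpy(u->path, "/tmp/upload_demo_XXXXXX");
    int fd = mkstemp(u->path);
    if (fd < 0) {
        free(u);
        return head;
    }
    if (write(fd, data, len) < 0)
        perror("write");
    close(fd);
    u->next = head;
    return u;
}

/* Buggy end-of-parse clean-up, as described above: only the first node is
 * unlinked and freed; every other spool file and node is abandoned. */
static void cleanup_first_only(struct upload *head)
{
    if (!head)
        return;
    unlink(head->path);
    free(head);
}

/* Fixed clean-up: walk the entire list, removing every spool file. */
static void cleanup_all(struct upload *head)
{
    while (head) {
        struct upload *next = head->next;
        unlink(head->path);
        free(head);
        head = next;
    }
}

/* Process one multipart request carrying nfiles file parts, run either
 * clean-up, and return how many spool files are still on disk afterwards.
 * Leftovers are removed at the end so repeated runs do not pollute /tmp. */
static int simulate_request(int nfiles, int hardened)
{
    char paths[8][32];
    int n = 0, leaked = 0;
    struct upload *head = NULL;

    if (nfiles > 8)
        nfiles = 8;
    for (int i = 0; i < nfiles; i++)
        head = spool_part(head, "file-body", 9);     /* constructed part body */
    for (struct upload *u = head; u; u = u->next)    /* remember paths for the audit */
        strcpy(paths[n++], u->path);

    struct upload *rest = head ? head->next : NULL;  /* what the buggy path abandons */
    if (hardened) {
        cleanup_all(head);
        rest = NULL;
    } else {
        cleanup_first_only(head);
    }

    for (int i = 0; i < n; i++)
        if (access(paths[i], F_OK) == 0) {
            leaked++;
            unlink(paths[i]);
        }
    cleanup_all(rest);   /* free the abandoned nodes; their files are already gone */
    return leaked;
}

int main(void)
{
    /* An attacker repeats requests like this until the RAM-backed /tmp is full. */
    printf("buggy clean-up leaks %d of 4 spool files per request\n", simulate_request(4, 0));
    printf("fixed clean-up leaks %d of 4 spool files per request\n", simulate_request(4, 1));
    return 0;
}
```

With four file parts per request the buggy path leaves three spool files behind every time, which is why a single multipart request with many parts, repeated, exhausts a RAM-backed /tmp far faster than one file per request would.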

Another identified vulnerability is a wild copy within the multipart_buffer_read function. It is triggered when the code fails to locate the boundary between form fields within the initial data chunk.

In that case the function returns only part of the internal buffer, (bytes – boundary_length) bytes of it. The error is that bytes is the constant 5120, whereas the boundary length is attacker-controlled and can be much larger (up to the header-length limit).

Thus, by sending a field whose boundary is not in the first chunk and whose boundary length exceeds 5120, an attacker can make the computed length (bytes – boundary_length) negative. The code then sets self->buffer to a position before the start of the buffer and self->buffer_len to a larger value.

The subsequent memory copy then runs with a negative size, which an unsigned length parameter interprets as an enormous value, producing a “wild copy” in which data is written across unintended memory.

While a wild copy can in principle lead to RCE, exploiting this one would be very difficult, if possible at all: there is no way to “stop” the copy once it starts, and the process is single-threaded, so an attacker cannot overwrite an object that another thread would use concurrently.
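The arithmetic described above, reduced to a small C model as an added example (illustrative code, not libapreq’s or Fortinet’s multipart_buffer_read): only the constant 5120 and the bytes – boundary_length computation come from the text; `CHUNK_BYTES`, the `pos`/`avail` fields standing in for self->buffer and self->buffer_len, the function names and the constructed body are assumptions. The vulnerable reader computes the negative length without performing the copy, so the program runs safely, while the hardened variant rejects an oversized boundary before any read.

```c
#include <stdio.h>
#include <string.h>

#define CHUNK_BYTES 5120  /* the fixed per-read chunk size named in the text */

/* Reduced model of the reader's state. pos/avail stand in for the page's
 * self->buffer and self->buffer_len; the boundary comes from the
 * attacker-controlled Content-Type header. */
struct multipart_buffer {
    const char *body;
    long body_len;
    long pos;             /* current read offset into body */
    long avail;           /* unread bytes remaining */
    const char *boundary;
    long boundary_len;
};

/* Search for the boundary inside the first chunk at the current position.
 * Returns its offset relative to pos, or -1 when it is not in that chunk. */
static long find_boundary_in_first_chunk(const struct multipart_buffer *self)
{
    long window = self->avail < CHUNK_BYTES ? self->avail : CHUNK_BYTES;
    for (long i = 0; i + self->boundary_len <= window; i++)
        if (memcmp(self->body + self->pos + i, self->boundary,
                   (size_t)self->boundary_len) == 0)
            return i;
    return -1;
}

/* Vulnerable read, following the description above: when the boundary is
 * absent from the first chunk, hand back (bytes - boundary_len) bytes with
 * bytes fixed at 5120. A boundary longer than 5120 bytes makes len negative,
 * so pos moves before the buffer and avail grows; the value returned is what
 * a memcpy would receive, and cast to size_t it becomes enormous. */
static long multipart_read_vuln(struct multipart_buffer *self)
{
    long off = find_boundary_in_first_chunk(self);
    if (off >= 0) {                  /* complete field in this chunk */
        self->pos += off;
        self->avail -= off;
        return off;
    }
    long bytes = CHUNK_BYTES;
    long len = bytes - self->boundary_len;   /* no check: may go negative */
    self->pos += len;
    self->avail -= len;
    return len;
}

/* Hardened read: a boundary that cannot fit in one chunk is rejected up
 * front, and the partial length is clamped to the bytes actually unread. */
static long multipart_read_safe(struct multipart_buffer *self)
{
    if (self->boundary_len <= 0 || self->boundary_len >= CHUNK_BYTES)
        return -1;                   /* malformed or oversized boundary */
    long off = find_boundary_in_first_chunk(self);
    if (off >= 0) {
        self->pos += off;
        self->avail -= off;
        return off;
    }
    long len = CHUNK_BYTES - self->boundary_len;   /* strictly positive here */
    if (len > self->avail)
        len = self->avail;
    self->pos += len;
    self->avail -= len;
    return len;
}

/* Build a constructed 8 KiB body of 'x' filler, optionally planting the
 * boundary at boundary_at (-1 for none), and perform one read. The boundary
 * is a run of '-' of the requested length, so it never matches the filler
 * unless planted. Returns the length the read computed. */
static long run_scenario(long boundary_len, long boundary_at, int hardened)
{
    static char body[8192];
    static char boundary[8192];

    if (boundary_len > (long)sizeof boundary)
        boundary_len = (long)sizeof boundary;
    memset(body, 'x', sizeof body);
    memset(boundary, '-', sizeof boundary);
    if (boundary_at >= 0 && boundary_at + boundary_len <= (long)sizeof body)
        memcpy(body + boundary_at, boundary, (size_t)boundary_len);

    struct multipart_buffer mb = { body, (long)sizeof body, 0, (long)sizeof body,
                                   boundary, boundary_len };
    return hardened ? multipart_read_safe(&mb) : multipart_read_vuln(&mb);
}

int main(void)
{
    printf("short boundary, not in chunk  : %ld\n", run_scenario(5, -1, 0));    /* 5115 */
    printf("short boundary at offset 100  : %ld\n", run_scenario(5, 100, 0));   /* 100 */
    printf("5202-byte boundary, vulnerable: %ld\n", run_scenario(5202, -1, 0)); /* -82 */
    printf("5202-byte boundary, hardened  : %ld\n", run_scenario(5202, -1, 1)); /* -1 */
    return 0;
}
```

The check that matters is the one at the top of the hardened reader: validating the boundary length against the chunk size at header-parse time is what keeps the subtraction from ever going negative, regardless of where the boundary later appears in the body.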

The vulnerabilities discovered by Barnea have been assigned CVE-2024-46666 and CVE-2024-46668. Fortinet addressed them on January 14, 2025, and devices running up-to-date FortiOS versions are protected.

While no critical RCE vulnerabilities were definitively identified, Barnea emphasized the importance of ongoing security research in VPN appliances, given their critical role as gateways into organizational networks.
