CVE-2024-3661

HIGH

FortiClient 6.4.0-7.2.4 - Unauthenticated VPN Traffic Leak via DHCP Classless Static Route Option

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 3 public exploits for CVE-2024-3661. PoCs published by YardenFadida, Roundthe-clock, Wh1t3Fox.

AI-analyzed exploit summary This repository contains a functional exploit for CVE-2024-3661, which involves a DHCP Option 121 injection attack. The exploit uses NetfilterQueue to intercept and modify DHCP traffic, injecting custom routes to redirect traffic through an attacker-controlled gateway.

Description

DHCP can add routes to a client’s routing table via the classless static route option (121). VPN-based security solutions that rely on routes to redirect traffic can be forced to leak traffic over the physical interface. An attacker on the same local network can read, disrupt, or possibly modify network traffic that was expected to be protected by the VPN.

Exploits (3)

nomisec WORKING POC
by Roundthe-clock · poc
https://github.com/Roundthe-clock/CVE-2024-3661VPN

This repository contains a functional exploit for CVE-2024-3661, which involves a DHCP Option 121 injection attack. The exploit uses NetfilterQueue to intercept and modify DHCP traffic, injecting custom routes to redirect traffic through an attacker-controlled gateway.

Classification
Working Poc 95%
Attack Type
Other
Complexity
Complex
Reliability
Reliable
Target: DHCP servers (specific version not specified)
No auth needed
Prerequisites: IP forwarding enabled · iptables rules set up · ARP spoofing running · root privileges
devstral-2 · analyzed Feb 18, 2026 Full analysis →
nomisec WORKING POC
by Wh1t3Fox · poc
https://github.com/Wh1t3Fox/CVE-2024-3661

This repository contains functional exploit code for CVE-2024-3661, demonstrating DHCP starvation and malicious DHCP server attacks using Scapy. The scripts include DHCP offer manipulation with Option 121 and IPv6 Router Advertisement spoofing.

Classification
Working Poc 95%
Attack Type
Dos
Complexity
Moderate
Reliability
Reliable
Target: DHCP servers (unspecified version)
No auth needed
Prerequisites: Network access to DHCP server · Scapy library · Python environment
devstral-2 · analyzed Feb 19, 2026 Full analysis →

References (20)

Core 20
Core References
Third Party Advisory, Vendor Advisory
https://bst.cisco.com/quickview/bug/CSCwk05814
Exploit, Third Party Advisory
https://tunnelvisionbug.com/
Mitigation, Third Party Advisory, Vendor Advisory
https://www.watchguard.com/wgrd-psirt/advisory/wgsa-2024-00009

Scores

CVSS v3 7.6
EPSS 0.0406
EPSS Percentile 89.4%
Attack Vector ADJACENT_NETWORK
CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact partial

Details

CWE
CWE-306 CWE-501
Status published
Products (12)
cisco/anyconnect_vpn_client
cisco/secure_client
citrix/secure_access_client < 24.06.1
f5/big-ip_access_policy_manager 7.2.3 - 7.2.5
fortinet/forticlient 7.4.0 (3 CPE variants)
fortinet/forticlient 6.4.0 - 7.2.5 (3 CPE variants)
paloaltonetworks/globalprotect (4 CPE variants)
watchguard/ipsec_mobile_vpn_client (2 CPE variants)
watchguard/mobile_vpn_with_ssl (2 CPE variants)
zscaler/client_connector
... and 2 more
Published May 06, 2024
Tracked Since Feb 18, 2026