CISA Reports Active Exploitation of Critical Fortinet RCE Flaw

October 9, 2024

CISA has reported that a critical remote code execution (RCE) vulnerability in Fortinet's FortiOS, identified as CVE-2024-23113, is currently being exploited by attackers. The flaw is a format string vulnerability in the fgfmd daemon, which accepts an externally controlled format string as an argument. This allows unauthenticated threat actors to execute commands or arbitrary code on unpatched devices; the attacks are low in complexity and require no user interaction.

The vulnerable fgfmd daemon runs on FortiGate and FortiManager, where it handles all authentication requests and the keep-alive messages exchanged between the two, and instructs other processes to update files or databases. The CVE-2024-23113 flaw affects FortiOS 7.0 and later, FortiPAM 1.0 and higher, FortiProxy 7.0 and above, and FortiWeb 7.4.

In February, Fortinet disclosed and patched this security flaw, advising administrators to remove access to the fgfmd daemon for all interfaces as a mitigation measure to prevent potential attacks. "Note that this will prevent FortiGate discovery from FortiManager. Connection will still be possible from FortiGate," Fortinet stated. They also noted that a local-in policy that only permits FGFM connections from a specific IP will reduce the attack surface but won't completely prevent the vulnerability from being exploited from this IP.
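The mitigation above amounts to making sure no interface still exposes the fgfmd service. The following is an added example, not code from the article or from Fortinet: it audits a configuration export for interfaces whose `set allowaccess` list includes `fgfm` and prints the hardened line. It assumes the FortiGate CLI export layout (a `config system interface` block with `edit`/`set allowaccess`/`next` entries) and uses a constructed sample rather than a real device's configuration.

```python
# Constructed sample in the style of a FortiGate CLI configuration export
# (assumption about the format; not taken from any real device). "fgfm" in
# "set allowaccess" is what lets the fgfmd daemon be reached on that interface.
SAMPLE_CONFIG = """\
config system interface
    edit "port1"
        set ip 203.0.113.10 255.255.255.0
        set allowaccess ping https ssh fgfm
    next
    edit "port2"
        set ip 10.0.0.1 255.255.255.0
        set allowaccess ping https
    next
    edit "mgmt"
        set ip 192.168.1.99 255.255.255.0
        set allowaccess ping https ssh fgfm
    next
end
"""

def interfaces_exposing_fgfm(config_text):
    """Map interface name -> allowaccess services for interfaces that expose fgfm."""
    exposed, current, in_block = {}, None, False
    for raw in config_text.splitlines():
        line = raw.strip()
        if line == "config system interface":
            in_block = True               # only inspect the interface block
        elif not in_block:
            continue
        elif line == "end":               # end of the interface block
            break
        elif line.startswith('edit "'):
            current = line.split('"')[1]  # interface name between the quotes
        elif line == "next":
            current = None
        elif current and line.startswith("set allowaccess "):
            services = line.split()[2:]
            if "fgfm" in services:
                exposed[current] = services
    return exposed

def hardened_allowaccess(services):
    """Replacement 'set allowaccess' line with fgfm removed; other services stay."""
    kept = [s for s in services if s != "fgfm"]
    return "set allowaccess " + " ".join(kept) if kept else "unset allowaccess"

if __name__ == "__main__":
    for name, svcs in interfaces_exposing_fgfm(SAMPLE_CONFIG).items():
        print(f'{name}: {" ".join(svcs)} -> {hardened_allowaccess(svcs)}')
```

Run it against a saved backup to get the list of interfaces that still need the change; the same walk can be extended to report local-in policies once FGFM is restricted rather than disabled.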

Although Fortinet has not yet updated its February advisory to confirm the exploitation of CVE-2024-23113, CISA included the vulnerability in its Known Exploited Vulnerabilities Catalog on Wednesday. U.S. federal agencies are now also mandated to secure FortiOS devices on their networks against these ongoing attacks by October 30, as required by the binding operational directive (BOD 22-01) issued in November 2021. "These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise," the cybersecurity agency warned.

The Dutch Military Intelligence and Security Service (MIVD) issued a warning in June that Chinese hackers exploited another critical FortiOS RCE vulnerability, CVE-2022-42475, between 2022 and 2023 to breach and infect at least 20,000 FortiGate network security appliances with malware.
