Critical Fortinet RCE Bug Exploit Released: Immediate Patching Required

May 28, 2024

Security researchers have made public a proof-of-concept (PoC) exploit for a critical vulnerability in FortiSIEM, Fortinet's SIEM product. The vulnerability, tracked as CVE-2024-23108, is a command injection flaw identified and reported by Zach Hanley, a vulnerability researcher at Horizon3. It allows remote command execution as root without any authentication. Fortinet describes it as 'Multiple improper neutralization of special elements used in an OS Command vulnerability [CWE-78] in FortiSIEM supervisor' that could allow a remote unauthenticated attacker to execute unauthorized commands via crafted API requests. The flaw affects FortiSIEM versions 6.4.0 and later and was fixed by Fortinet on February 8, 2024, together with a second RCE vulnerability (CVE-2024-23109) carrying a maximum severity score.

Initially, Fortinet denied the existence of these vulnerabilities, stating they were merely duplicates of another flaw (CVE-2023-34992) that was addressed in October. They also claimed the disclosure of the vulnerabilities was due to a 'system-level error' as they were generated mistakenly because of an API issue. Ultimately, Fortinet confirmed that both were variants of CVE-2023-34992 with the same description as the original vulnerability.

More than three months after Fortinet released security updates for the flaw, Horizon3's Attack Team published a PoC exploit and a technical deep-dive. According to Hanley, 'While the patches for the original PSIRT issue, FG-IR-23-130, attempted to escape user-controlled inputs at this layer by adding the wrapShellToken() utility, there exists a second order command injection when certain parameters to datastore.py are sent.' In other words, the first fix escaped input where it entered the supervisor, but that escaped value was later handed to a second component that built another OS command from it. The PoC released by Horizon3 executes commands as root on any Internet-exposed, unpatched FortiSIEM appliance.
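The pattern Hanley describes, escaping at one layer and then re-injecting at a second, is worth seeing in code. The following is an added, illustrative example and is not FortiSIEM's code or Horizon3's PoC: the function names `wrap_shell_token`, `datastore_vulnerable` and `datastore_hardened`, the "report" parameter and the `echo` command are all assumptions chosen to mirror the shape of the bug (a wrapShellToken()-style quoting helper at ingress, a datastore.py-style helper downstream), not the actual FortiSIEM internals.

```python
"""Second-order OS command injection, illustrated.

Constructed example, not FortiSIEM code. Layer one quotes the user value
correctly; layer two "unwraps" it and builds a fresh shell string, so the
quoting never reaches the shell that actually runs the command.
"""
import shlex
import subprocess


def wrap_shell_token(value: str) -> str:
    """Ingress-layer escaping (stand-in for a wrapShellToken()-style helper).

    shlex.quote() is correct for the command it is *directly* spliced into.
    It is not a property that travels with the value through later layers.
    """
    return shlex.quote(value)


def datastore_vulnerable(token: str) -> str:
    """Downstream helper (stand-in for a datastore.py-style consumer), unsafe.

    It 'unwraps' the quoted token back to the raw value, then concatenates
    that raw value into a second shell command and runs it with shell=True.
    Everything layer one escaped is now live shell syntax again.
    """
    raw = shlex.split(token)[0]            # undo the layer-one quoting
    cmd = f"echo querying {raw}"           # string-built command, no quoting
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def datastore_hardened(token: str) -> str:
    """Same helper, fixed: no shell, argument list, value stays data.

    Passing argv directly (shell=False) means ';', '$(...)', backticks and
    friends are just bytes in one argument. Escaping at layer one becomes
    irrelevant rather than load-bearing.
    """
    raw = shlex.split(token)[0]
    return subprocess.run(["echo", "querying", raw],
                          capture_output=True, text=True).stdout


def injection_fired(output: str) -> bool:
    """True if the marker command ran on its own line (i.e. injection succeeded)."""
    return "INJECTED" in output.splitlines()


if __name__ == "__main__":
    # Constructed attacker input: a harmless marker instead of a real payload.
    payload = "report; echo INJECTED"
    token = wrap_shell_token(payload)      # -> 'report; echo INJECTED' (quoted)
    print("token after layer one:", token)
    print("vulnerable:", repr(datastore_vulnerable(token)))
    print("hardened:  ", repr(datastore_hardened(token)))
```

Run it and the vulnerable path prints `querying report` followed by `INJECTED` on its own line, while the hardened path echoes the whole payload as a single literal argument. The practical check this suggests for any multi-layer system: grep for every `shell=True`, `os.system`, `Runtime.exec` with a string, or backtick call downstream of the ingress layer, because an escaping helper at the API boundary only protects the one command it is spliced into.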

Horizon3's Attack Team also released a PoC exploit for a critical flaw in Fortinet's FortiClient Enterprise Management Server (EMS) software, and that flaw is now under active exploitation. Fortinet vulnerabilities are frequently exploited, often as zero-days, in ransomware and cyber espionage attacks targeting corporate and government networks. For example, in February Fortinet disclosed that the Chinese Volt Typhoon group used two FortiOS SSL VPN flaws (CVE-2022-42475 and CVE-2023-27997) to deploy the Coathanger remote access trojan (RAT), a malware strain that was also recently used to infiltrate a military network of the Dutch Ministry of Defence.
