Critical Fortinet RCE Bug Exploit Released: Immediate Patching Required

May 28, 2024

Security researchers have made public a proof-of-concept (PoC) exploit for a critical vulnerability in Fortinet's SIEM solution. This vulnerability, tracked as CVE-2024-23108, is a command injection flaw identified and reported by Zach Hanley, a vulnerability expert from Horizon3. It allows remote command execution as root without any authentication. Fortinet describes the vulnerability as 'Multiple improper neutralization of special elements used in an OS Command vulnerability [CWE-78] in FortiSIEM supervisor' that could allow a remote unauthenticated attacker to execute unauthorized commands via crafted API requests. The flaw affects FortiClient FortiSIEM versions 6.4.0 and above and was rectified by Fortinet on February 8, along with another RCE vulnerability (CVE-2024-23109) with a maximum severity score.

Initially, Fortinet denied the existence of these vulnerabilities, stating they were merely duplicates of another flaw (CVE-2023-34992) that was addressed in October. They also claimed the disclosure of the vulnerabilities was due to a 'system-level error' as they were generated mistakenly because of an API issue. Ultimately, Fortinet confirmed that both were variants of CVE-2023-34992 with the same description as the original vulnerability.

More than three months after Fortinet released security updates to fix this flaw, Horizon3's Attack Team shared a PoC exploit and published a technical deep-dive. As per Hanley, 'While the patches for the original PSIRT issue, FG-IR-23-130, attempted to escape user-controlled inputs at this layer by adding the wrapShellToken() utility, there exists a second order command injection when certain parameters to are sent.' The PoC exploit released by Horizon3 can execute commands as root on any Internet-exposed and unpatched FortiSIEM appliances.

A PoC exploit for a critical flaw in Fortinet's FortiClient Enterprise Management Server (EMS) software was also released by Horizon3's Attack Team. This software is now being actively exploited. Vulnerabilities in Fortinet are frequently exploited, often as zero-days, in ransomware and cyber espionage attacks targeting corporate and government networks. For example, in February, Fortinet disclosed that Chinese Volt Typhoon hackers utilized two FortiOS SSL VPN flaws (CVE-2022-42475 and CVE-2023-27997) to deploy the Coathanger remote access trojan (RAT), a malware strain that was also recently used to infiltrate a military network of the Dutch Ministry of Defence.

Related News

Latest News

Like what you see?

Get a digest of headlines, vulnerabilities, risk context, and more delivered to your inbox.

Subscribe Below

By submitting this form, you’re giving us permission to email you. You may unsubscribe at any time.

Accelerate Security Teams

Continuously identify and prioritize the risks that are most critical in your environment, and validate that your remediation efforts are reducing risk. An always-on single source-of-truth of your assets, services, and vulnerabilities.