Critical Vulnerability in FortiWLM Grants Hackers Administrative Control

December 19, 2024

Fortinet has revealed a significant vulnerability in its Wireless Manager (FortiWLM) that could allow remote attackers to execute unsanctioned code or commands. The flaw could be exploited through specially crafted web requests, leading to potential device takeover. FortiWLM is a centralized management tool essential for monitoring, managing, and optimizing wireless networks, widely used by large enterprises, educational institutions, healthcare organizations, and government agencies.

The vulnerability, designated as CVE-2023-34990, is a relative path traversal flaw with a severity rating of 9.8. The flaw was identified by Zach Hanley, a researcher at Horizon3, who disclosed it to Fortinet in May 2023. Despite the disclosure, the flaw was not addressed for ten months, prompting Hanley to publicly disclose the vulnerability and a proof of concept on March 14, 2024.

The vulnerability allows unauthenticated attackers to exploit improper input validation in the '/ems/cgi-bin/ezrf_lighttpd.cgi' endpoint. By employing directory traversal techniques in the 'imagename' parameter when the 'op_type' is set to 'upgradelogs,' attackers can access sensitive system log files. These logs often include administrator session IDs, which can be used to hijack admin sessions and gain privileged access, enabling threat actors to take control of devices. 'Abusing the lack of input validation, an attacker can construct a request where the imagename parameter contains a path traversal, allowing the attacker to read any log file on the system,' Hanley explained. 'Luckily for an attacker, the FortiWLM has very verbose logs – and logs the session ID of all authenticated users. Abusing the above arbitrary log file read, an attacker can now obtain the session ID of a user and login and also abuse authenticated endpoints.'

The flaw impacts FortiWLM versions 8.6.0 through 8.6.5 and 8.5.0 through 8.5.4. Despite the public disclosure by the researcher, the absence of a CVE ID and a security bulletin at the time meant that users were unaware of the risk and the need to upgrade to a safe version. According to a security bulletin published by Fortinet on December 18, 2024, CVE-2023-34990 was addressed in FortiWLM versions 8.6.6 and 8.5.5, released at the end of September 2023.

The vulnerability was a zero-day for about four months, with FortiWLM users only learning about it ten months after its discovery in Hanley's writeup. However, it took Fortinet an additional nine months to release a public security bulletin. Given its use in critical environments, FortiWLM can be an attractive target for attackers, as remote compromise could lead to network-wide disruptions and exposure of sensitive data. Therefore, FortiWLM admins are strongly advised to apply all available updates as they become available.

Latest News

• Active Exploitation of Newly Patched Apache Struts Vulnerability
• The Mask APT Returns with Advanced Cross-Platform Malware Capabilities
• FBI Issues Warning About HiatusRAT Malware Attacks on Web Cameras and DVRs
• High-Severity Windows Kernel Bug Actively Exploited, CISA Warns
• Serbian Government Linked to NoviSpy Spyware Exploiting Qualcomm Zero-Day Vulnerabilities