Exploit released for maximum severity Fortinet RCE bug, patch now

​Security researchers have released a proof-of-concept (PoC) exploit for a maximum-severity vulnerability in Fortinet's security information and event management (SIEM) solution, which was patched in February.

Tracked as CVE-2024-23108, this security flaw is a command injection vulnerability discovered and reported by Horizon3 vulnerability expert Zach Hanley that enables remote command execution as root without requiring authentication.

"Multiple improper neutralization of special elements used in an OS Command vulnerability [CWE-78] in FortiSIEM supervisor may allow a remote unauthenticated attacker to execute unauthorized commands via crafted API requests," Fortinet says.

CVE-2024-23108 impacts FortiClient FortiSIEM versions 6.4.0 and higher and was patched by the company on February 8, together with a second RCE vulnerability (CVE-2024-23109) with a 10/10 severity score.

After first denying that the two CVEs were real and claiming they were actually duplicates of a similar flaw (CVE-2023-34992) fixed in October, Fortinet also said the disclosure of the CVEs was "a system-level error" because they were mistakenly generated due to an API issue.

However, the company eventually confirmed they were both CVE-2023-34992 variants with the same description as the original vulnerability.

On Tuesday, over three months after Fortinet released security updates to patch this security flaw, Horizon3's Attack Team shared a proof-of-concept (PoC) exploit and published a technical deep-dive.

"While the patches for the original PSIRT issue, FG-IR-23-130, attempted to escape user-controlled inputs at this layer by adding the wrapShellToken() utility, there exists a second order command injection when certain parameters to datastore.py are sent," Hanley said.

"Attempts to exploit CVE-2024-23108 will leave a log message containing a failed command with datastore.py nfs test."

The PoC exploit released today by Horizon3 helps execute commands as root on any Internet-exposed and unpatched FortiSIEM appliances.

Horizon3's Attack Team also released a PoC exploit for a critical flaw in Fortinet's FortiClient Enterprise Management Server (EMS) software, which is now actively exploited in attacks.

Fortinet vulnerabilities are frequently exploited—often as zero-days—in ransomware and cyber espionage attacks targeting corporate and government networks.

For instance, the company revealed in February that Chinese Volt Typhoon hackers used two FortiOS SSL VPN flaws (CVE-2022-42475 and CVE-2023-27997) to deploy the Coathanger remote access trojan (RAT), a malware strain that was also recently used to backdoor a military network of the Dutch Ministry of Defence.