On the 9th of October, CISA revealed a critical vulnerability in Fortinet’s FortiOS, tracked as CVE-2024-23113, being actively exploited in the wild by attackers to achieve Remote Code Execution (RCE). CISA has since added it to its Known Exploited Vulnerabilities Catalogue and ordered US Federal agencies to patch it within 3 weeks.
The root cause of the flaw lies in the fgfmd daemon, which runs on FortiGate and FortiManager and handles authentication requests and keep-alive messages between them. The daemon accepts externally controlled format strings as arguments, which become a conduit for arbitrary command execution on unpatched devices. The vulnerability is easy to exploit, has low attack complexity and requires no user interaction on the victim’s part, making it a critical-severity RCE flaw.
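To show the bug class described above (an externally controlled format string, CWE-134), here is an added C illustration that is not Fortinet’s code and makes no claim about fgfmd’s internals: a routine that hands a peer-supplied message to a printf-family function as its format, beside the fixed form that treats the message only as data, plus a small check a reviewer or log pipeline could use to flag inbound text containing conversion directives. The sample message and all function names are constructed for this example.

```c
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for a keep-alive message received from a peer.
 * Nothing here comes from Fortinet's implementation. */
#define SAMPLE_PEER_MSG "keepalive from 192.0.2.10 load=100%%"

/* Vulnerable pattern (CWE-134): the peer-supplied text is passed as the
 * format argument, so every '%' directive in it is interpreted. Compilers
 * flag this with -Wformat-security; the pragma silences it only so the
 * pattern can sit beside the fix. */
#pragma GCC diagnostic push
#pragma GCC diagnostic ignored "-Wformat-security"
static int render_vulnerable(char *out, size_t n, const char *peer_msg) {
    return snprintf(out, n, peer_msg);
}
#pragma GCC diagnostic pop

/* Hardened pattern: the format is a fixed literal and peer text is data. */
static int render_hardened(char *out, size_t n, const char *peer_msg) {
    return snprintf(out, n, "%s", peer_msg);
}

/* Detection aid: count the conversion directives an untrusted string would
 * trigger if it ever reached a format parameter ("%%" is a literal percent). */
static int count_directives(const char *s) {
    int count = 0;
    for (const char *p = s; *p; p++) {
        if (*p != '%') continue;
        if (p[1] == '%') { p++; continue; }
        count++;
    }
    return count;
}

/* Render msg with one of the two routines and compare with expected text. */
static int renders_to(int hardened, const char *msg, const char *expected) {
    char buf[128];
    if (hardened) render_hardened(buf, sizeof buf, msg);
    else render_vulnerable(buf, sizeof buf, msg);
    return strcmp(buf, expected) == 0;
}

int main(void) {
    /* The vulnerable path rewrites the message ("100%%" becomes "100%");
     * the hardened path reproduces it verbatim. */
    printf("vulnerable alters message: %d\n",
           !renders_to(0, SAMPLE_PEER_MSG, SAMPLE_PEER_MSG));
    printf("hardened preserves message: %d\n",
           renders_to(1, SAMPLE_PEER_MSG, SAMPLE_PEER_MSG));
    printf("directives in \"%%x %%s %%n\": %d\n", count_directives("%x %s %n"));
    return 0;
}
```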
CVE-2024-23113 impacts FortiOS 7.0 and later, FortiPAM 1.0 and higher, FortiProxy 7.0 and above, and FortiWeb 7.4.
Fortinet released a patch for this flaw in February and also advised that admins remove access to the fgfmd daemon on all interfaces as an additional mitigation.