An exploit has been released for a maximum-severity vulnerability in Fortinet’s security information and event management (SIEM) solution, FortiSIEM. Tracked as CVE-2024-23108, this command injection vulnerability enables remote command execution as root without authentication, posing significant security risks. The vulnerability impacts FortiSIEM versions 6.4.0 and higher and was patched by Fortinet in February, along with another RCE vulnerability (CVE-2024-23109) with a severity score of 10/10.
Initially, Fortinet denied the legitimacy of the CVEs, claiming they were duplicates of a previously fixed flaw. However, they later confirmed them as variants of the original vulnerability. Despite Fortinet’s efforts to mitigate the vulnerability through patches, Horizon3’s Attack Team released a proof-of-concept exploit, exacerbating the risk for unpatched FortiSIEM appliances. This exploit allows attackers to execute commands as root on Internet-exposed devices, underscoring the urgency of applying security updates.
Furthermore, Horizon3’s Attack Team also disclosed a critical flaw in Fortinet’s FortiClient Enterprise Management Server (EMS) software, which is actively exploited in attacks. Fortinet vulnerabilities are frequently exploited in ransomware and cyber espionage attacks targeting corporate and government networks. For instance, Chinese hackers utilized FortiOS SSL VPN flaws to deploy the Coathanger remote access trojan (RAT), highlighting the importance of proactive security measures in safeguarding against such threats.
