Exploits Target Critical FortiGate Bug

Attackers are targeting a known vulnerability in Fortinet’s widely deployed FortiGate security appliances.

Attackers are targeting a known vulnerability in Fortinet’s widely deployed FortiGate security appliances, and researchers say there are still more than 87,000 vulnerable instances online more than eight months after it was initially disclosed publicly. 

CVE Involved: CVE-2024-23113

Why It Matters: Fortinet disclosed this vulnerability in February, and it affects all of the currently maintained versions of the company’s FortiOS software, as well as some versions of FortiPAM, FortiProxy, and FortiWeb. Last week, CISA added the bug to its Known Exploited Vulnerabilities catalog, and researchers reported seeing active exploitation in the wild. The vulnerability is critical and sits in the software that runs a highly privileged edge security appliance, so yeah.

Key Details:

  • CVE-2024-23113 is a format string vulnerability that can allow remote code execution without authentication

  • Researchers have published details about the exploitation scenarios and how the attack path works

  • The Shadowserver Foundation has identified more than 87,000 Fortinet devices that are still vulnerable to this flaw

Mitigations: Fortinet released an update to fix the vulnerability in February. But patching edge security devices isn’t a trivial process, so for organizations that haven’t or can’t deploy the patch, the company suggests removing the FortiGate FortiManager daemon from the vulnerable appliance, which will reduce the attack surface but not completely eliminate the bug. 

Further Reading: