Fortinet has addressed critical vulnerabilities in its Wireless LAN Manager (FortiWLM) that could lead to unauthenticated remote code execution (RCE) and sensitive information disclosure. The patches released address CVE-2023-34990 and CVE-2023-48782, which, when exploited together, can grant attackers unauthorized access. Experts emphasize the urgency for customers to upgrade their systems.
Fortinet patches critical vulnerabilities in Wireless LAN Manager
The identified bug, CVE-2023-34990, has a CVSS score of 9.6 and was first disclosed in March 2023. It is categorized as an “unauthenticated limited file read vulnerability.” Zach Hanley, a security researcher from Horizon3.ai, reported that the vulnerability stems from inadequate input validation on request parameters. This flaw allows attackers to traverse directories and access any log file on the system, potentially revealing sensitive information such as user session IDs. These logs are notably verbose in FortiWLM, increasing the risk when exploited.
The National Vulnerability Database (NVD) describes how this vulnerability can lead to executing unauthorized code via specially crafted web requests. The affected FortiWLM versions include 8.6.0 to 8.6.5, which have been addressed in 8.6.6 and above, and 8.5.0 to 8.5.4, fixed in version 8.5.5 or above. Given Fortinet’s prominence as a target for cyberattacks, the imperative for rapid patching cannot be overstated.
BADBOX botnet infects over 192,000 Android devices worldwide
In addition to CVE-2023-34990, a separate vulnerability, CVE-2023-48782, also plays a critical role in the exploit chain. This authenticated command injection flaw has a CVSS score of 8.8 and was patched in the previous year. Hanley notes that when combined with the unauthenticated vulnerability, an attacker can execute malicious commands with root privileges by injecting commands through a specific endpoint, compromising the system further.
Kaspersky has reported ongoing exploitation of another vulnerability in Fortinet’s FortiClient EMS, specifically CVE-2023-48788, which has a CVSS score of 9.3. This SQL injection vulnerability allows attackers to send specially crafted data packets, enabling them to execute unauthorized code. The cybersecurity firm documented an attack in October 2024 that targeted a Windows server hosting FortiClient EMS. The attack exploited open ports to gain control over the server, leading to the installation of remote desktop software such as AnyDesk and ScreenConnect.
Following the initial breach, attackers reportedly uploaded additional payloads for lateral movement, credential harvesting, and establishing persistence on the compromised system. Tools used in this campaign included malware for password recovery and network scanning, like Mimikatz and netscan.exe. The campaign is noted to have targeted various companies across multiple countries, revealing the global reach and sophistication of these cyber threats.
Kaspersky has observed further attempts to weaponize CVE-2023-48788, including executing PowerShell scripts from compromised servers to gather responses from other vulnerable targets. This effort points to evolving attack methodologies and ongoing risks for organizations using Fortinet products. The initial disclosures by Forescout earlier in the year reported a similar pattern of exploitation involving the same vulnerability to deliver remote access tools.
Organizations using Fortinet’s systems must prioritize upgrading and patching their equipment to mitigate the risks associated with these vulnerabilities. It is still unclear to what extent these vulnerabilities have already been exploited globally, making it essential for administrators to remain vigilant.
Featured image credit: Kerem Gülen/Midjourney
