Fortinet RCE bug is actively exploited, CISA confirms


CISA confirmed that attackers are actively exploiting a critical remote code execution (RCE) bug patched by Fortinet on Thursday.

Admins who can’t immediately deploy security updates to patch vulnerable appliances can remove the attack vector by disabling SSL VPN on the device.
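As an added illustration of that interim mitigation (this is not code from the article or from Fortinet), the script below scans exported device configurations and flags appliances where SSL VPN is still enabled or cannot be verified. The FortiOS-style block and key names and the device names are assumptions; confirm the keys against your firmware's CLI reference.

```python
import re

# Constructed sample config excerpts in FortiOS CLI style; device names are
# fictitious. The "config vpn ssl settings" / "set status" keys are assumed
# from FortiOS CLI conventions, not taken from the article.
SAMPLE_CONFIGS = {
    "fw-branch-01": (
        "config vpn ssl settings\n"
        "    set status enable\n"
        "    set port 10443\n"
        '    set source-interface "wan1"\n'
        "end\n"
    ),
    "fw-hq-01": "config vpn ssl settings\n    set status disable\nend\n",
    "fw-lab-02": 'config system global\n    set hostname "fw-lab-02"\nend\n',
    "fw-dmz-03": "config vpn ssl settings\n    set port 443\nend\n",
}

BLOCK_RE = re.compile(r"^config vpn ssl settings\s*$(.*?)^end\s*$", re.M | re.S)
STATUS_RE = re.compile(r"^\s*set status (\S+)", re.M)


def ssl_vpn_state(config_text: str) -> str:
    """Classify one config dump: 'enabled', 'disabled', 'not-configured' or 'unknown'."""
    block = BLOCK_RE.search(config_text)
    if not block:
        return "not-configured"
    status = STATUS_RE.search(block.group(1))
    if not status:
        # Block present but no explicit status line: the firmware default applies,
        # which this script does not assume; flag it for manual review.
        return "unknown"
    return "enabled" if status.group(1) == "enable" else "disabled"


def devices_needing_action(configs: dict) -> list:
    """Return sorted device names whose SSL VPN is still enabled or unverified."""
    return sorted(name for name, text in configs.items()
                  if ssl_vpn_state(text) in ("enabled", "unknown"))


if __name__ == "__main__":
    for name in devices_needing_action(SAMPLE_CONFIGS):
        state = ssl_vpn_state(SAMPLE_CONFIGS[name])
        print(f"{name}: SSL VPN {state}; patch, or disable SSL VPN until patched")
```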

CISA’s announcement comes one day after Fortinet published a security advisory saying the flaw was “potentially being exploited in the wild.”

Fortinet patched two other critical RCE vulnerabilities (CVE-2024-23108 and CVE-2024-23109) in its FortiSIEM solution this week.

Fortinet’s disclosure process was confusing: the company first denied the CVEs were real and claimed they had been mistakenly generated due to an API issue, as duplicates of a similar flaw (CVE-2023-34992) fixed in October.

As later revealed, the bugs were discovered and reported by Horizon3 vulnerability expert Zach Hanley, with the company eventually admitting the two CVEs were variants of the original CVE-2023-34992 bug.

Since remote unauthenticated attackers can use these vulnerabilities to execute arbitrary code on vulnerable appliances, it’s strongly advised to secure all Fortinet devices as soon as possible.
