Exploit for Fortinet Critical RCE Bug Allows SIEM Root Access

Corporate admins should patch the max-severity CVE-2024-23108 immediately, which allows unauthenticated command injection.

Dark Reading Staff, Dark Reading

May 29, 2024

1 Min Read
A bunch of blocks, one red with an image of a bug on it
Source: Andrii Yalanskyi via Shutterstock

A proof-of-concept exploit (PoC) for a critical vulnerability in Fortinet's FortiSIEM product has emerged, paving the way for broad exploitation.

The vulnerability, tracked under CVE-2024-23108, was disclosed and patched in February, along with a related bug, CVE-2024-23109. Both carry max-severity scores of 10 on the CVSS scale, and are unauthenticated command injection flaws that could potentially let threat actors use crafted API requests for remote code execution (RCE).

According to researchers at Horizon3AI, the exploit, which they dubbed "NodeZero," allows users to "blindly execute commands as root on vulnerable FortiSIEM appliances." In their PoC, they used the exploit to load a remote-access tool for post-exploitation activities.

FortiSIEM is Fortinet's security information and event management (SIEM) platform, used for enabling enterprise cybersecurity operations centers. As such, a compromise could offer a significant beachhead for launching further incursions into corporate environments.

FortiSIEM versions impacted by the flaws include version 7.1.0 through 7.1.1; 7.0.0 through 7.0.2; 6.7.0 through 6.7.8; 6.6.0 through 6.6.3; 6.5.0 through 6.5.2; and 6.4.0 through 6.4.2. Users should patch immediately to avoid compromise.

About the Author(s)

Dark Reading Staff

Dark Reading

Dark Reading is a leading cybersecurity media site.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights