Thursday, December 19, 2024

Fortinet Critical Vulnerability Lets Attackers Inject Commands Remotely


Fortinet, a global leader in cybersecurity solutions, has issued an urgent security advisory addressing two critical vulnerabilities affecting its FortiManager and FortiWLM products.

The vulnerabilities, which could allow unauthorized code execution and sensitive file read access, require immediate attention to mitigate the risk.

OS Command Injection in FortiManager (CVE-2024-48889)

A critical Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability, CVE-2024-48889, has been identified in FortiManager.


The flaw allows an authenticated remote attacker to execute unauthorized code via specially crafted FGFM (Fortinet secure communication protocol) requests.


This vulnerability has been assigned a CVSSv3 score of 9.6, underlining its severity.
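The advisory does not publish the internals of the FGFM flaw, so the following is an added, generic illustration of the vulnerability class (CWE-78) rather than Fortinet's code: a command built by string interpolation next to the hardened form that validates input against a strict allow-list and passes it as its own argv element so no shell ever parses it. The ping wrapper, the hostname pattern and the helper names are assumptions chosen for the example.

```python
import re
import subprocess

# Allow-list for the one argument we accept: RFC 1123-style hostnames or dotted IPv4.
# Anything else (spaces, ';', '|', '$(', backticks, newlines) is rejected outright.
_HOST_RE = re.compile(
    r"^(?=.{1,253}$)[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(\.[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$"
)


def build_ping_unsafe(host: str) -> str:
    """Vulnerable pattern: caller input is spliced into a shell command line.
    Any shell metacharacter inside `host` turns the rest of it into a second command."""
    return f"ping -c 1 {host}"


def build_ping_safe(host: str) -> list:
    """Hardened pattern: validate, then return argv as a list (no shell involved)."""
    if not _HOST_RE.match(host):
        raise ValueError(f"rejected host argument: {host!r}")
    return ["ping", "-c", "1", host]


def run_safe(host: str) -> subprocess.CompletedProcess:
    """Execute the hardened form. shell=False (the default) with a list means the OS
    receives argv directly and `host` can never be interpreted as syntax."""
    return subprocess.run(build_ping_safe(host), capture_output=True, text=True, check=False)


def shell_would_split(cmdline: str) -> bool:
    """Review helper: does this command line contain characters a POSIX shell would
    treat as command separators or substitutions? Used to show what the unsafe
    builder hands to the shell."""
    return any(ch in cmdline for ch in ";|&`$\n")
```

In a code review, the tell is a string that reaches `subprocess.run(..., shell=True)`, `os.system`, or a native `system()`/`popen()` call with any externally supplied fragment in it; the fix is the same every time: validate to an allow-list and pass an argument vector.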

The vulnerability affects a range of FortiManager versions, as well as certain legacy FortiAnalyzer hardware models with a specific configuration enabled. Fortinet strongly recommends that customers apply the patches promptly to protect their systems.

Affected Versions and Solutions: FortiManager

Version                    Affected Builds           Solution
FortiManager 7.6           7.6.0                     Upgrade to 7.6.1 or above
FortiManager 7.4           7.4.0 through 7.4.4       Upgrade to 7.4.5 or above
FortiManager 7.4 Cloud     7.4.1 through 7.4.4       Upgrade to 7.4.5 or above
FortiManager 7.2           7.2.3 through 7.2.7       Upgrade to 7.2.8 or above
FortiManager 7.2 Cloud     7.2.1 through 7.2.7       Upgrade to 7.2.8 or above
FortiManager 7.0           7.0.5 through 7.0.12      Upgrade to 7.0.13 or above
FortiManager 7.0 Cloud     7.0.1 through 7.0.12      Upgrade to 7.0.13 or above
FortiManager 6.4           6.4.10 through 6.4.14     Upgrade to 6.4.15 or above

Legacy FortiAnalyzer models such as the 1000E, 3000F, and 3700G are also impacted if configured with the following setting (the FortiManager feature enabled in the system global configuration):

config system global
set fmg-status enable
end
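Because the FortiAnalyzer exposure hinges on that one setting, a quick way to triage a fleet is to parse exported configurations and flag any unit with `fmg-status enable` under `system global`. The parser below is an added example, not Fortinet tooling; it handles the `config` / `edit` / `set` / `next` / `end` block structure of FortiOS-style CLI output, and the sample configuration is constructed for the demonstration rather than captured from a real device.

```python
from typing import Any, Dict, List

# Constructed sample of a FortiAnalyzer-style configuration export (not a real device).
SAMPLE_CONFIG = """\
config system global
    set hostname FAZ-LAB
    set fmg-status enable
end
config system interface
    edit "port1"
        set ip 10.0.0.5 255.255.255.0
    next
end
"""


def parse_forti_cli(text: str) -> Dict[str, Any]:
    """Parse `config ... / edit ... / set ... / next / end` blocks into nested dicts.
    `config a b` becomes the key "a b"; `edit "x"` becomes a nested dict "x";
    `set k v` stores a string, `set k v1 v2` a list of strings."""
    root: Dict[str, Any] = {}
    stack: List[Dict[str, Any]] = [root]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        kw, args = parts[0], parts[1:]
        if kw in ("config", "edit"):
            name = " ".join(a.strip('"') for a in args)
            stack.append(stack[-1].setdefault(name, {}))
        elif kw == "set" and args:
            key, vals = args[0], [v.strip('"') for v in args[1:]]
            stack[-1][key] = vals[0] if len(vals) == 1 else vals
        elif kw == "unset" and args:
            stack[-1].pop(args[0], None)
        elif kw in ("next", "end"):
            if len(stack) > 1:      # tolerate a stray end at top level
                stack.pop()
    return root


def fmg_status_enabled(config_text: str) -> bool:
    """True when the export carries the configuration the advisory names as the
    precondition for legacy FortiAnalyzer hardware being affected."""
    cfg = parse_forti_cli(config_text)
    return cfg.get("system global", {}).get("fmg-status") == "enable"


def find_exposed(exports: Dict[str, str]) -> List[str]:
    """exports: {hostname: config text}. Returns the hostnames that need the patch check."""
    return sorted(h for h, text in exports.items() if fmg_status_enabled(text))
```

The parser deliberately ignores everything it does not need (comments, `unset` of unknown keys), so it can be pointed at a full `show full-configuration` export without choking.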

Limited File Read in FortiWLM (CVE-2023-34990)

An Unauthenticated Limited File Read vulnerability, CVE-2023-34990, has been discovered in Fortinet's FortiWLM (Wireless Manager).

The flaw allows unauthenticated remote attackers to read sensitive files via relative path traversal. This poses a risk of data leakage and potential exposure of sensitive information.
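Relative path traversal is the bug class behind the FortiWLM issue. As an added, generic illustration (not FortiWLM's code, whose internals the advisory does not describe), the snippet below shows a file-serving routine that joins caller input onto a base directory without checking the result, next to a hardened version that resolves the path and refuses anything that lands outside the base directory, including `..` segments, absolute paths and symlinks pointing elsewhere. The directory layout in `demo()` is constructed in a temporary directory purely for the demonstration.

```python
import tempfile
from pathlib import Path
from typing import Dict


def read_file_unsafe(base_dir: str, requested: str) -> bytes:
    """Vulnerable pattern: the request path is joined onto the base directory and
    opened as-is, so "../secret.txt" walks out of the intended tree."""
    return Path(base_dir, requested).read_bytes()


def resolve_within(base_dir: str, requested: str) -> Path:
    """Resolve `requested` against `base_dir` and refuse anything that escapes it."""
    base = Path(base_dir).resolve()
    # Reject absolute paths and NUL bytes up front; both are never legitimate here.
    if requested.startswith(("/", "\\")) or "\x00" in requested:
        raise PermissionError(f"refused: {requested!r}")
    # resolve() collapses ".." and follows symlinks, so the containment check below
    # covers both textual traversal and a symlink that points outside the base.
    target = (base / requested).resolve()
    if target != base and base not in target.parents:
        raise PermissionError(f"refused: {requested!r} escapes {base}")
    return target


def read_file_safe(base_dir: str, requested: str) -> bytes:
    """Hardened pattern: only paths proven to sit under base_dir are opened."""
    return resolve_within(base_dir, requested).read_bytes()


def demo() -> Dict[str, bool]:
    """Build a throwaway tree (public/index.html beside a secret.txt one level up)
    and show the two behaviours side by side."""
    with tempfile.TemporaryDirectory() as tmp:
        public = Path(tmp, "public")
        public.mkdir()
        (public / "index.html").write_bytes(b"<h1>ok</h1>")
        (Path(tmp) / "secret.txt").write_bytes(b"top secret")

        results: Dict[str, bool] = {}
        results["unsafe_leaks"] = read_file_unsafe(str(public), "../secret.txt") == b"top secret"
        try:
            read_file_safe(str(public), "../secret.txt")
            results["safe_blocks"] = False
        except PermissionError:
            results["safe_blocks"] = True
        results["safe_serves"] = read_file_safe(str(public), "index.html") == b"<h1>ok</h1>"
        return results
```

The containment check must be done on the fully resolved path; comparing the raw string for a leading `..` misses encodings, mixed separators and symlinks, which is exactly how "limited" file reads become full ones.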

Fortinet has credited researcher Zach Hanley (@hacks_zach) of Horizon3.ai with responsibly disclosing this issue.

Affected Versions and Solutions: FortiWLM

Version            Affected Builds           Solution
FortiWLM 8.6       8.6.0 through 8.6.5       Upgrade to 8.6.6 or above
FortiWLM 8.5       8.5.0 through 8.5.4       Upgrade to 8.5.5 or above
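Both advisory tables above (the FortiManager ranges for CVE-2024-48889 and the FortiWLM ranges for CVE-2023-34990) reduce to the same triage question: is this device on an affected build, and what is the upgrade target? The script below is an added example, not a Fortinet tool; it transcribes the ranges from the two tables and compares versions numerically per component (so 7.0.12 is correctly above 7.0.5). The product labels ("FortiManager Cloud" for the Cloud rows) and the sample inventory are assumptions constructed for the demonstration.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


def parse_version(v: str) -> Tuple[int, ...]:
    """'7.4.4' -> (7, 4, 4); a trailing build tag such as '8.6.5 build0100' is ignored."""
    return tuple(int(p) for p in v.split()[0].split("."))


@dataclass(frozen=True)
class AffectedRange:
    product: str    # "FortiManager", "FortiManager Cloud" or "FortiWLM" (labels are ours)
    low: str        # first affected build, inclusive
    high: str       # last affected build, inclusive
    fixed_in: str   # upgrade target given in the advisory table


# Ranges transcribed from the two tables in the article.
ADVISORY: List[AffectedRange] = [
    AffectedRange("FortiManager", "7.6.0", "7.6.0", "7.6.1"),
    AffectedRange("FortiManager", "7.4.0", "7.4.4", "7.4.5"),
    AffectedRange("FortiManager Cloud", "7.4.1", "7.4.4", "7.4.5"),
    AffectedRange("FortiManager", "7.2.3", "7.2.7", "7.2.8"),
    AffectedRange("FortiManager Cloud", "7.2.1", "7.2.7", "7.2.8"),
    AffectedRange("FortiManager", "7.0.5", "7.0.12", "7.0.13"),
    AffectedRange("FortiManager Cloud", "7.0.1", "7.0.12", "7.0.13"),
    AffectedRange("FortiManager", "6.4.10", "6.4.14", "6.4.15"),
    AffectedRange("FortiWLM", "8.6.0", "8.6.5", "8.6.6"),
    AffectedRange("FortiWLM", "8.5.0", "8.5.4", "8.5.5"),
]


def check(product: str, version: str) -> Optional[str]:
    """Return the upgrade target if (product, version) is inside an affected range,
    otherwise None. Note that a train not listed at all (e.g. 6.4.9) returns None
    because the table says nothing about it, not because it is known safe."""
    v = parse_version(version)
    for r in ADVISORY:
        if r.product == product and parse_version(r.low) <= v <= parse_version(r.high):
            return r.fixed_in
    return None


def triage(inventory: List[Tuple[str, str, str]]) -> List[Tuple[str, str]]:
    """inventory rows are (hostname, product, version); returns (hostname, fixed_in)
    for every device still on an affected build, in inventory order."""
    findings = []
    for host, product, version in inventory:
        fix = check(product, version)
        if fix:
            findings.append((host, fix))
    return findings


# Constructed inventory for the demonstration; not from any real environment.
SAMPLE_INVENTORY = [
    ("fmg-prod-01", "FortiManager", "7.4.3"),
    ("fmg-prod-02", "FortiManager", "7.4.5"),
    ("fmg-cloud-01", "FortiManager Cloud", "7.0.12"),
    ("fmg-legacy", "FortiManager", "6.4.9"),
    ("wlm-01", "FortiWLM", "8.6.5 build0100"),
]

if __name__ == "__main__":
    for host, fix in triage(SAMPLE_INVENTORY):
        print(f"{host}: affected, upgrade to {fix} or above")
```

Feed it the product and version columns from your asset inventory or from `get system status` output; anything it reports is a device the advisory says to upgrade, and the legacy FortiAnalyzer units need the separate `fmg-status` check in addition to this.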

Fortinet customers are strongly advised to upgrade their affected products as soon as possible to mitigate the risks associated with these vulnerabilities. The patches are available through Fortinet's official website or support portal.

Fortinet expressed gratitude to the cybersecurity community for its contributions toward keeping systems secure, specifically recognizing Zach Hanley of Horizon3.ai for discovering and reporting the FortiWLM vulnerability responsibly.
