Urgent Security Alert: Patch Critical FortiSIEM RCE Flaw (CVE-2024-23108) Now
Cybersecurity teams and system administrators are on high alert following the disclosure of a critical vulnerability in Fortinet’s FortiSIEM platform. The flaw, identified as CVE-2024-23108, is a remote code execution (RCE) vulnerability that is confirmed to be under active exploitation by malicious actors.
Given the severity and the active threat, immediate patching is essential to protect enterprise networks from compromise.
Understanding the Threat: CVE-2024-23108
At its core, CVE-2024-23108 is a command injection vulnerability located in the datastore API of the FortiSIEM solution. This flaw has been assigned a critical severity rating with a CVSS score of 9.8 out of 10, highlighting its extreme danger.
The vulnerability allows an unauthenticated, remote attacker to execute arbitrary commands on a targeted system with root privileges. This means an attacker does not need any login credentials to exploit the flaw, making it a particularly dangerous entry point into a corporate network. Successful exploitation grants the attacker complete control over the affected FortiSIEM appliance.
A Troubling Pattern: Bypassing a Previous Patch
What makes this situation particularly concerning is that CVE-2024-23108 is essentially a bypass for a previously patched vulnerability, CVE-2023-34992. The earlier flaw, also a critical RCE with a 9.8 CVSS score, was addressed by Fortinet in October 2023.
However, security researchers discovered that the initial patch was incomplete. Attackers have since adapted their methods to circumvent the fix, leading to this new, actively exploited vulnerability. This pattern underscores the persistence of threat actors and the critical need for comprehensive and robust security patches.
Which FortiSIEM Versions Are Affected?
A wide range of FortiSIEM versions are vulnerable to this attack. If your organization uses any of the following versions, your systems are at risk and require immediate attention:
- FortiSIEM versions 7.1.0 through 7.1.1
- FortiSIEM versions 7.0.0 through 7.0.2
- FortiSIEM versions 6.7.0 through 6.7.8
- FortiSIEM versions 6.6.0 through 6.6.3
- FortiSIEM versions 6.5.0 through 6.5.2
- FortiSIEM versions 6.4.0 through 6.4.2
Your Immediate Action Plan: How to Protect Your Systems
The only effective defense against this active threat is to apply the security patches provided by Fortinet immediately. There are no known workarounds that can mitigate the risk.
Administrators should upgrade their FortiSIEM instances to the following patched versions or a later release:
- For versions 7.1.x, upgrade to 7.1.2 or above.
- For versions 7.0.x, upgrade to 7.0.3 or above.
- For versions 6.7.x, upgrade to 6.7.9 or above.
Fortinet has also released specific patched versions for older product lines, so it is crucial to check the official advisories for your specific deployment.
Why This Vulnerability is So Dangerous
A successful RCE attack is one of the most severe security breaches possible. By gaining root-level access through CVE-2024-23108, an attacker can:
- Steal sensitive data collected and processed by the FortiSIEM platform.
- Install malware, including ransomware, spyware, or crypto-miners.
- Disable security monitoring to conduct further attacks undetected.
- Use the compromised system as a pivot point to move laterally across your internal network.
In the face of an actively exploited, critical-rated vulnerability, swift action is not just recommended—it is essential for maintaining the security and integrity of your network infrastructure. Prioritize patching your FortiSIEM deployments today.
Source: https://www.bleepingcomputer.com/news/security/fortinet-warns-of-fortisiem-pre-auth-rce-flaw-with-exploit-in-the-wild/
