Fortinet has released patches for critical security vulnerabilities affecting its Wireless LAN Manager (FortiWLM) and FortiManager products. The most severe flaw, CVE-2023-34990, received a critical CVSS score of 9.6.
Key Vulnerabilities:
1. FortiWLM (CVE-2023-34990):
– Allows unauthorized access to sensitive files through path traversal
– Affects versions 8.6.0-8.6.5 and 8.5.0-8.5.4
– Can lead to unauthorized code execution
– Enables attackers to steal session IDs and gain administrative access
2. FortiWLM (CVE-2023-48782):
– Authenticated command injection vulnerability
– CVSS score: 8.8
– When combined with CVE-2023-34990, enables root-level remote code execution
3. FortiManager (CVE-2024-48889):
– Command injection vulnerability
– CVSS score: 7.2
– Affects multiple versions across 6.4, 7.0, 7.2, 7.4, and 7.6 series
– Impacts specific hardware models when “fmg-status” is enabled
Patched Versions:
– FortiWLM: Version 8.6.6 or 8.5.5 and above
– FortiManager: Various fixed versions available for different release branches
Given the increasing targeting of Fortinet devices by threat actors, users are strongly advised to update their systems to the latest patched versions immediately.