Cybersecurity solutions provider Fortinet this week warned that two critical-severity vulnerabilities in FortiSIEM could lead to remote code execution.
The issues, tracked as CVE-2024-23108 and CVE-2024-23109, have a provisional CVSS score of 10, as they can be exploited without authentication.
Each of these bugs is described as “improper neutralization of special elements”, and both appear linked to CVE-2023-34992 (CVSS score of 9.8), which was addressed in October 2023.
Fortinet did not issue a separate advisory for the new flaws, instead merging them into the initial advisory on CVE-2023-34992, which suggests that the three issues might be connected or that they are variations of the same vulnerability.
“Multiple improper neutralization of special elements used in an OS Command vulnerability [CWE-78] in FortiSIEM supervisor may allow a remote unauthenticated attacker to execute unauthorized commands via crafted API requests,” Fortinet’s advisory reads.
According to a NIST analysis of recent Fortinet vulnerabilities, CVE-2023-34992 is easily exploitable without user interaction, with high impact on availability, confidentiality, and integrity. The newly identified security holes are likely no different.
Fortinet’s advisory reveals that the bugs impact FortiSIEM versions 7.1.x, 7.0.x, 6.7.x, 6.6.x, 6.5.x, and 6.4.x. Patches were included in FortiSIEM version 7.1.2, while security updates for the remaining vulnerable iterations are pending.
On Tuesday, CERT-EU issued an alert (PDF) on CVE-2024-23108 and CVE-2024-23109, urging FortiSIEM users to update to a patched version as soon as possible.
While Fortinet makes no mention of any of these vulnerabilities being exploited in the wild, security defects in the company’s products are known to have been targeted in malicious attacks.
In November 2023, Fortinet announced patches for another variant of CVE-2023-34992. Discovered internally, the security defect is tracked as CVE-2023-36553 and has a CVSS score of 9.3.
Related: Fortinet Patches High-Severity Vulnerabilities in FortiOS, FortiProxy, FortiWeb Products
Related: US Aeronautical Organization Hacked via Zoho, Fortinet Vulnerabilities
Related: Fortinet Patches Critical FortiOS Vulnerability Leading to Remote Code Execution