CISA says critical Fortinet RCE flaw now exploited in attacks

​Today, CISA revealed that attackers actively exploit a critical FortiOS remote code execution (RCE) vulnerability in the wild.

The flaw (CVE-2024-23113) is caused by the fgfmd daemon accepting an externally controlled format string as an argument, which can let unauthenticated threat actors execute commands or arbitrary code on unpatched devices in low-complexity attacks that don’t require user interaction.

As Fortinet explains, the vulnerable fgfmd daemon runs on FortiGate and FortiManager, handling all authentication requests and managing keep-alive messages between them (as well as all resulting actions like instructing other processes to update files or databases).

CVE-2024-23113 impacts FortiOS 7.0 and later, FortiPAM 1.0 and higher, FortiProxy 7.0 and above, and FortiWeb 7.4.

The company disclosed and patched this security flaw in February when it advised admins to remove access to the fgfmd damon for all interfaces as a mitigation measure designed to block potential attacks.

“Note that this will prevent FortiGate discovery from FortiManager. Connection will still be possible from FortiGate,” Fortinet said.

“Please also note that a local-in policy that only allows FGFM connections from a specific IP will reduce the attack surface but it won’t prevent the vulnerability from being exploited from this IP. As a consequence, this should be used as a mitigation and not as a complete workaround.”

Federal agencies ordered to patch within three weeks

While Fortinet has yet to update its February advisory to confirm CVE-2024-23113 exploitation, CISA added the vulnerability to its Known Exploited Vulnerabilities Catalog on Wednesday.

U.S. federal agencies are now also required to secure FortiOS devices on their networks against these ongoing attacks within three weeks, by October 30, as required by the binding operational directive (BOD 22-01) issued in November 2021.

“These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise,” the cybersecurity agency warned.

The Dutch Military Intelligence and Security Service (MIVD) warned in June that Chinese hackers exploited another critical FortiOS RCE vulnerability (CVE-2022-42475) between 2022 and 2023 to breach and infect at least 20,000 Fortigate network security appliances with malware.