The cybersecurity firm Fortinet has warned of a critical vulnerability in its Fortinet Wireless Manager (FortiWLM) software. The flaw allows remote attackers to take over devices by executing unauthorized code or commands. FortiWLM is a tool used by government agencies, healthcare organizations, educational institutions, and large enterprises to monitor and manage wireless networks.
The vulnerability, tracked as CVE-2023-34990, was discovered by Horizon3 researcher Zach Hanley in May 2023. The issue stems from improper input validation in the ‘/ems/cgi-bin/ezrf_lighttpd.cgi’ endpoint. Attackers can use directory traversal techniques to read sensitive log files containing administrator session IDs.
These IDs can then be used to hijack admin sessions and gain privileged access to devices. “An attacker can construct a request where the imagename parameter contains a path traversal, allowing the attacker to read any log file on the system,” explained Hanley. “The FortiWLM has very verbose logs and logs the session ID of all authenticated users.”
The flaw affects FortiWLM versions 8.6.0 through 8.6.5 and 8.5.0 through 8.5.4. It was fixed in versions 8.6.6 and 8.5.5, released in September 2023.
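The two facts above that a defender can act on directly are the affected version ranges and the shape of the abuse: a request to `/ems/cgi-bin/ezrf_lighttpd.cgi` whose `imagename` parameter carries `../` sequences. The following Python is an added example, not code from Fortinet, Horizon3 or the article; it assumes web-server access logs in the common log format (a constructed sample is embedded) and checks a version string against the ranges stated above. Paths in the sample traversal requests are constructed placeholders, not real FortiWLM file locations.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Endpoint and parameter named in the advisory text.
FORTIWLM_ENDPOINT = "/ems/cgi-bin/ezrf_lighttpd.cgi"
SUSPECT_PARAM = "imagename"

# Affected ranges as stated for CVE-2023-34990 (inclusive); 8.6.6 and 8.5.5 are fixed.
AFFECTED_RANGES = [((8, 6, 0), (8, 6, 5)), ((8, 5, 0), (8, 5, 4))]

# "../" or "..\" at the start, middle or end of a path component.
TRAVERSAL = re.compile(r"(^|[/\\])\.\.([/\\]|$)")

# Common log format request line, e.g. '1.2.3.4 - - [ts] "GET /p?q=1 HTTP/1.1" 200 12'
CLF = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_version(text):
    """'8.6.5' -> (8, 6, 5); shorter strings are padded with zeros."""
    parts = tuple(int(p) for p in text.strip().split("."))
    return (parts + (0, 0, 0))[:3]


def is_affected(version):
    """True if the FortiWLM version falls inside a vulnerable range from the advisory."""
    v = parse_version(version)
    return any(lo <= v <= hi for lo, hi in AFFECTED_RANGES)


def flag_request(line):
    """Return a finding dict for a traversal attempt against the endpoint, else None."""
    m = CLF.match(line)
    if not m:
        return None
    url = urlsplit(m.group("target"))
    if url.path != FORTIWLM_ENDPOINT:
        return None  # scoped to the advisory's endpoint; widen if desired
    params = parse_qs(url.query, keep_blank_values=True)
    for raw in params.get(SUSPECT_PARAM, []):
        # parse_qs already decoded once; decode again to catch double-encoding (%252F).
        decoded = unquote(raw)
        if TRAVERSAL.search(decoded):
            return {
                "client": m.group("client"),
                "timestamp": m.group("ts"),
                "status": int(m.group("status")),
                "imagename": decoded,
            }
    return None


def scan_log(lines):
    """Run flag_request over every line and collect the findings."""
    return [f for f in (flag_request(ln) for ln in lines) if f]


# Constructed sample access-log lines (not real traffic).
SAMPLE_LOG = [
    '203.0.113.5 - - [19/Dec/2024:10:00:01 +0000] "GET /ems/cgi-bin/ezrf_lighttpd.cgi?imagename=logo.png HTTP/1.1" 200 512',
    '203.0.113.7 - - [19/Dec/2024:10:00:02 +0000] "GET /ems/cgi-bin/ezrf_lighttpd.cgi?imagename=../../constructed/app.log HTTP/1.1" 200 8192',
    '203.0.113.9 - - [19/Dec/2024:10:00:03 +0000] "GET /ems/cgi-bin/ezrf_lighttpd.cgi?imagename=..%252F..%252Fconstructed%252Fapp.log HTTP/1.1" 200 8192',
    '203.0.113.11 - - [19/Dec/2024:10:00:04 +0000] "GET /static/img.png?imagename=../x HTTP/1.1" 404 0',
]

if __name__ == "__main__":
    for v in ("8.5.4", "8.5.5", "8.6.5", "8.6.6"):
        print(v, "affected" if is_affected(v) else "fixed")
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

A 200 response to a flagged request is the case worth escalating: it suggests the traversal actually returned a file. Because the article notes that the exposed logs contain session IDs of authenticated users, an instance that served such a request should have its administrator sessions invalidated after patching, not only upgraded.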
However, users were unaware of the risk for several months due to the lack of a CVE ID and security bulletin at the time. Given its deployment in critical environments, FortiWLM can be a valuable target for attackers.
Fortinet addresses severe FortiWLM vulnerability
Compromising it remotely could lead to network-wide disruptions and sensitive data exposure. Fortinet strongly advises FortiWLM admins to apply all available updates as soon as possible. In a related incident, Kaspersky’s Global Emergency Response Team (GERT) identified attackers exploiting a known vulnerability in FortiClient EMS, another Fortinet product.
The vulnerability, CVE-2023-48788, allows SQL injection attacks and affects versions 7.0.1 to 7.0.10 and 7.2.0 to 7.2.2.
In October 2024, Kaspersky detected suspicious activities on a customer’s Windows server originating from an internal IP address. Investigations revealed the server was exposed with two open ports linked to FortiClient EMS. Attackers used the vulnerability to execute commands and download remote access tools like ScreenConnect and AnyDesk.
They also employed various tools for network enumeration, credential theft, and defense evasion. Kaspersky found that multiple attackers were abusing the same vulnerability with different payloads. The attacks targeted companies across several countries, including Brazil, France, India, and others.
These findings highlight the importance of promptly patching vulnerabilities and monitoring network activities for signs of compromise. Fortinet and Kaspersky continue to track these evolving threats to provide updates and protective measures to their users.