Fortinet Addresses Unpatched Critical RCE Vector

Share:

NEWS BRIEF

Fortinet has finally patched a critical security vulnerability in its Wireless LAN Manager (FortiWLM) that could allow unauthenticated sensitive information disclosure. And, when chained with another issue, it could lead to remote code execution (RCE), a researcher warned.

The bug (CVE-2023-34990, CVSS 9.6) was first disclosed in March, when it was described as an “unauthenticated limited file read vulnerability” without a CVE.

“This issue results from the lack of input validation on request parameters allowing an attacker to traverse directories and read any log file on the system,” Horizon3.ai security researcher Zach Hanley, who reported the bug to Fortinet, noted in March. He has confirmed to Dark Reading that the bug patched this week is the same issue.

He added, “Luckily for an attacker, the FortiWLM has very verbose logs — and logs the session ID of all authenticated users. Abusing the above arbitrary log file read, an attacker can now obtain the session ID of a user and login and also abuse authenticated endpoints.”

NIST’s National Vulnerability Database (NVD) has noted that the flaw can also be used to “execute unauthorized code or commands via specially crafted Web requests” — thanks to the access it provides to those authenticated endpoints.

The bug affects FortiWLM versions 8.6.0 through 8.6.5 (fixed in 8.6.6 or above) and versions 8.5.0 through 8.5.4 (fixed in 8.5.5 or above).

Combining Fortinet Vulnerabilities to Achieve RCE

Hanley back in March flagged a potential exploit chain as well: When CVE-2023-34990 is combined with an authenticated command-injection bug that Fortinet patched last year (CVE-2023-48782, CVSS 8.8), it becomes another recipe for RCE.

This second issue allows an attacker who has used CVE-2023-34990 to gain access to an authenticated endpoint to, from there, inject a crafted malicious string in a request to the /ems/cgi-bin/ezrf_switches.cgi endpoint that will be executed with root privileges.

“Combining both the unauthenticated arbitrary log file read and this authenticated command injection, an unauthenticated attacker can obtain remote code execution in the context of root,” Hanley explained. “This endpoint is accessible for both low privilege users and admins.”

Tara Seals

Leave a Comment

Your email address will not be published. Required fields are marked *

loader-image
London, GB
3:04 am, Jul 14, 2025
weather icon 19°C
L: 18° | H: 20°
overcast clouds
Humidity: 75 %
Pressure: 1011 mb
Wind: 8 mph ESE
Wind Gust: 0 mph
UV Index: 0
Precipitation: 0 mm
Clouds: 100%
Rain Chance: 0%
Visibility: 10 km
Sunrise: 4:59 am
Sunset: 9:12 pm
DailyHourly
Daily ForecastHourly Forecast
Today 10:00 pm
weather icon
18° | 20°°C 0 mm 0% 18 mph 76 % 1015 mb 0 mm/h
Tomorrow 10:00 pm
weather icon
15° | 20°°C 1 mm 100% 15 mph 78 % 1016 mb 0 mm/h
Wed Jul 16 10:00 pm
weather icon
14° | 27°°C 0.2 mm 20% 14 mph 73 % 1017 mb 0 mm/h
Thu Jul 17 10:00 pm
weather icon
18° | 26°°C 1 mm 100% 8 mph 80 % 1017 mb 0 mm/h
Fri Jul 18 10:00 pm
weather icon
19° | 30°°C 0 mm 0% 12 mph 79 % 1015 mb 0 mm/h
Today 4:00 am
weather icon
17° | 19°°C 0 mm 0% 7 mph 75 % 1011 mb 0 mm/h
Today 7:00 am
weather icon
17° | 19°°C 0 mm 0% 9 mph 76 % 1011 mb 0 mm/h
Today 10:00 am
weather icon
20° | 20°°C 0 mm 0% 11 mph 59 % 1012 mb 0 mm/h
Today 1:00 pm
weather icon
23° | 23°°C 0 mm 0% 15 mph 39 % 1013 mb 0 mm/h
Today 4:00 pm
weather icon
25° | 25°°C 0 mm 0% 18 mph 28 % 1013 mb 0 mm/h
Today 7:00 pm
weather icon
22° | 22°°C 0 mm 0% 15 mph 30 % 1013 mb 0 mm/h
Today 10:00 pm
weather icon
19° | 19°°C 0 mm 0% 9 mph 45 % 1015 mb 0 mm/h
Tomorrow 1:00 am
weather icon
16° | 16°°C 0 mm 0% 8 mph 61 % 1016 mb 0 mm/h
Name Price24H (%)
Bitcoin(BTC)
€101,977.44
1.36%
Ethereum(ETH)
€2,546.30
0.86%
XRP(XRP)
€2.45
3.39%
Tether(USDT)
€0.86
0.01%
Solana(SOL)
€139.28
0.82%
USDC(USDC)
€0.86
0.00%
Dogecoin(DOGE)
€0.170623
0.34%
Shiba Inu(SHIB)
€0.000011
1.45%
Pepe(PEPE)
€0.000010
0.30%
Peanut the Squirrel(PNUT)
€0.244556
5.81%
Scroll to Top