WARNING: CRITICAL UNAUTHENTICATED RCE IN FORTINET FORTIWLM, PATCH IMMEDIATELY

Published: 20/12/2024

Reference:
Advisory #2024-295

Version:
1.0

Affected software:
FortiWLM 8.5 (8.5.0 through 8.5.4)
FortiWLM 8.6 (8.6.0 through 8.6.5)

Type:
Remote code execution

CVE/CVSS:
CVE-2024-49194: CVSS 7.3 (CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)

Sources

https://www.fortiguard.com/psirt/FG-IR-23-144

Risks

An unauthenticated attacker might gain access to sensitive files through a path traversal vulnerability, potentially leading to execution of unauthorized code or commands. This CVE has a high impact on confidentiality, integrity and availability, i.e. on all three elements of the CIA triad.

Description

An unauthenticated remote attacker can exploit a path traversal vulnerability in the /ems/cgi-bin/ezrf_lighttpd.cgi endpoint to read sensitive log files and obtain user session IDs. A session ID does not change between user sessions, so an attacker who obtains one can hijack it and gain administrative access.

If the system has not received any updates, an attacker could chain additional exploits, such as CVE-2023-48782, to gain remote code execution with root privileges.

Recommended Actions

Patch

The Centre for Cybersecurity Belgium strongly recommends installing updates for vulnerable devices with the highest priority, after thorough testing.

  • FortiWLM 8.6: Upgrade to 8.6.6 or above
  • FortiWLM 8.5: Upgrade to 8.5.5 or above

Monitor/Detect

The CCB recommends organizations upscale monitoring and detection capabilities to identify any related suspicious activity, ensuring a swift response in case of an intrusion.
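As an added detection example (not part of this advisory and not a Fortinet tool), the script below scans web-server access logs for path-traversal requests aimed at the endpoint named in the Description section. The log lines, the parameter name `param` and the combined log format are constructed assumptions; FortiWLM's own log format may differ, so adapt the regular expression to your source.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (combined format); not real FortiWLM output.
# The query parameter name "param" is a placeholder, not a real FortiWLM parameter.
SAMPLE_LOG = """\
10.0.0.5 - - [20/Dec/2024:10:01:02 +0100] "GET /ems/cgi-bin/ezrf_lighttpd.cgi?param=status HTTP/1.1" 200 512
10.0.0.9 - - [20/Dec/2024:10:02:11 +0100] "GET /ems/cgi-bin/ezrf_lighttpd.cgi?param=../../../var/log/app.log HTTP/1.1" 200 8192
10.0.0.9 - - [20/Dec/2024:10:02:12 +0100] "GET /ems/cgi-bin/ezrf_lighttpd.cgi?param=%2e%2e%2f%2e%2e%2fvar%2flog%2fapp.log HTTP/1.1" 200 8192
10.0.0.9 - - [20/Dec/2024:10:02:13 +0100] "GET /ems/cgi-bin/ezrf_lighttpd.cgi?param=%252e%252e%252fvar%252flog%252fapp.log HTTP/1.1" 200 8192
10.0.0.7 - - [20/Dec/2024:10:03:00 +0100] "GET /images/../logo.png HTTP/1.1" 200 300
"""

TARGET_PATH = "/ems/cgi-bin/ezrf_lighttpd.cgi"  # endpoint named in the advisory

# Combined-log-format parser: client IP, timestamp, method, request target, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# Dot-dot followed by a slash or backslash, checked after percent-decoding.
TRAVERSAL_RE = re.compile(r'\.\.[/\\]')


def fully_decode(s, rounds=3):
    """Undo repeated percent-encoding so single and double encoding look alike."""
    for _ in range(rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s


def find_traversal_attempts(log_text):
    """Return one finding per request to the target endpoint that carries '../'."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparsable line; adapt LOG_RE for other log formats
        target = fully_decode(m.group("target"))
        path = target.split("?", 1)[0]
        if not path.startswith(TARGET_PATH):
            continue  # only the endpoint from the advisory is in scope here
        if TRAVERSAL_RE.search(target):
            findings.append({"ip": m.group("ip"), "ts": m.group("ts"),
                             "status": int(m.group("status")), "target": target})
    return findings


if __name__ == "__main__":
    for f in find_traversal_attempts(SAMPLE_LOG):
        print(f"{f['ts']} {f['ip']} status={f['status']} {f['target']}")
```

A 200 response with a large body to one of these requests is a stronger indicator than a 4xx/5xx, so triage by status and response size and follow up on any later administrative session from the same source address.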

In case of an intrusion, you can report an incident via: https://ccb.belgium.be/nl/cert/een-incident-melden.

While patching appliances or software to the newest version may provide safety from future exploitation, it does not remediate historic compromise.

References

https://thehackernews.com/2024/12/fortinet-warns-of-critical-fortiwlm.html