WARNING: CRITICAL UNAUTHENTICATED RCE IN FORTINET FORTIWLM, PATCH IMMEDIATELY
CVE-2024-49194: CVSS 7.3 (CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
Sources
https://www.fortiguard.com/psirt/FG-IR-23-144
Risques
An unauthenticated attacker might gain access to sensitive files through a path traversal vulnerability, potentially leading to execution of unauthorized code or commands. This CVE has a high impact on all vertices of the CIA triad.
Description
An unauthenticated remote attacker can exploit a path traversal vulnerability to read sensitive log files and obtain user session IDs through the /ems/cgi-bin/ezrf_lighttpd.cgi endpoint. The session IDs remain the same between user sessions, allowing attackers to hijack them and gain administrative access.
An attacker could use additional exploits to gain remote code execution with root privileges such as CVE-2023-48782 if the system has not received any updates.
Actions recommandées
Patch
The Centre for Cybersecurity Belgium strongly recommends installing updates for vulnerable devices with the highest priority, after thorough testing.
- FortiWLM 8.6: Upgrade to 8.6.6 or above
- FortiWLM 8.5: Upgrade to 8.5.5 or above
Monitor/Detect
The CCB recommends organizations upscale monitoring and detection capabilities to identify any related suspicious activity, ensuring a swift response in case of an intrusion.
In case of an intrusion, you can report an incident via: https://ccb.belgium.be/nl/cert/een-incident-melden.
While patching appliances or software to the newest version may provide safety from future exploitation, it does not remediate historic compromise.
Références
https://thehackernews.com/2024/12/fortinet-warns-of-critical-fortiwlm.html