Overview of the Vulnerability (CVE-2024-23113)

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued an urgent warning regarding an actively exploited remote code execution (RCE) vulnerability affecting FortiOS devices. Identified as CVE-2024-23113, this flaw allows unauthenticated attackers to execute arbitrary code or commands on compromised systems, making it a severe security risk for enterprises and government networks alike.

Technical Details

The vulnerability resides in the fgfmd daemon of Fortinet’s FortiGate and FortiManager devices. The issue stems from the daemon accepting an externally controlled format string as an argument, which can be manipulated by threat actors to execute arbitrary commands or code without any user interaction. The flaw is categorized as low-complexity, meaning that attackers require minimal technical skill to exploit the issue.

The fgfmd daemon is a core component that handles authentication requests and manages keep-alive messages between FortiGate and FortiManager. This service also executes various system tasks, such as instructing other processes to update files or databases, making it a critical point of attack for malicious actors.

Exploitation and Impact

Although Fortinet released a patch for this vulnerability in February 2024, CISA’s alert highlights that attackers are now actively targeting unpatched systems in the wild. The flaw has been added to CISA’s Known Exploited Vulnerabilities Catalog, mandating that all U.S. federal agencies secure their systems against this vulnerability within a three-week timeframe, no later than October 30, 2024.

Exploit Requirements:

  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Not required

Affected Products:

  1. FortiGate Firewalls (FortiOS versions 7.4.0 to 7.4.2, 7.2.0 to 7.2.6, and 7.0.0 to 7.0.13)
  2. FortiManager (same affected versions as above)
  3. FortiProxy and FortiWeb devices running specific versions.

For a comprehensive list of affected versions and recommended upgrade paths, see the table below:

ProductVersion AffectedSolution
FortiOS 7.47.4.0 through 7.4.2Upgrade to 7.4.3 or above
FortiOS 7.27.2.0 through 7.2.6Upgrade to 7.2.7 or above
FortiOS 7.07.0.0 through 7.0.13Upgrade to 7.0.14 or above
FortiProxy7.4.0 through 7.4.2, 7.2.0 to 7.2.8Upgrade to 7.4.3 or above
FortiWeb7.4.0 through 7.4.2Upgrade to 7.4.3 or above
FortiPAMVarious legacy versionsMigrate to a fixed release

Mitigation and Recommended Actions

Fortinet released patches and a mitigation advisory in February 2024. However, due to the critical nature of this flaw, organizations are strongly advised to apply the patches immediately. In addition, administrators can implement the following workaround to reduce exposure:

Remove fgfm access on each interface:Modify the interface configuration to restrict fgfm access:

config system interface
edit “portX”
set allowaccess ping https ssh
next
end

  1. This change will prevent FortiGate discovery from FortiManager, but connections will still be possible from FortiGate.
  2. Implement Local-in Policy Restrictions: Creating a policy to allow FGFM connections only from specific IPs can further minimize the attack surface, although it will not entirely eliminate the risk. As Fortinet emphasizes, this should be considered a mitigation—not a complete fix.

Response and Next Steps for Federal Agencies

Following CISA’s directive, U.S. federal agencies must secure their systems against CVE-2024-23113 within the next three weeks. The directive is part of the Binding Operational Directive (BOD 22-01), which mandates timely remediation of known exploited vulnerabilities across all federal entities.

Fortinet’s Response

Fortinet has acknowledged the critical nature of this vulnerability and has recommended immediate upgrades to the latest FortiOS versions. Organizations that cannot upgrade immediately are advised to follow the mitigations outlined above and closely monitor network traffic for any signs of abnormal activity.

Broader Implications:

This recent RCE flaw is not the first instance of FortiOS devices being targeted by sophisticated threat actors. In June 2024, the Dutch Military Intelligence and Security Service (MIVD) revealed that Chinese hackers exploited a separate FortiOS RCE vulnerability (CVE-2022-42475) to breach over 20,000 FortiGate appliances globally. These breaches resulted in widespread deployment of malware, making FortiOS devices a prime target for cyber espionage campaigns.

Conclusion

The CVE-2024-23113 vulnerability in Fortinet devices highlights the ongoing challenges of securing complex, enterprise-grade security infrastructure. Given the active exploitation, organizations must act swiftly to patch affected systems, review existing configurations, and implement best practices to minimize exposure.

For a detailed upgrade guide, visit the official Fortinet Support Page.

By maintaining a proactive patch management strategy and leveraging Fortinet’s guidance, organizations can protect their networks against emerging threats and ensure the continued integrity of their security systems.