Latest Fortinet vulnerabilities (CVE-2024-55591, CVE-2023-37936) #

Fortinet issued an advisory for a vulnerability affecting their FortiOS and FortiProxy products that is actively being exploited in the wild.

  • CVE-2024-55591, detailed in FG-IR-24-535, is rated critical with a CVSS score of 9.6 and may allow an unauthenticated attacker to gain administrator privileges.

Fortinet also issued an advisory for their FortiSwitch product.

  • CVE-2023-37936, detailed in FG-IR-23-260, is rated critical with a CVSS score of 9.6 and may allow an unauthenticated attacker to execute arbitrary code.

What is the impact? #

For affected versions of FortiOS and FortiProxy vulnerable to CVE-2024-55591, a remote attacker may gain administrator privileges by bypassing authentication. Fortinet included IoCs within the advisory.

Due to the use of a hard-coded cryptographic key in vulnerable versions of the FortiSwitch product, an unauthenticated attacker with the key could remotely perform arbitrary code execution. 

Are updates or workarounds available? #

In addition to disabling, or restricting access to, the HTTP/HTTPS administrative interface, Fortinet recommends upgrading the following versions of affected products:

CVE-2024-55591

  • FortiOS 7.0.0 through 7.0.16 to be upgraded to 7.0.17 or later
  • FortiProxy 7.2.0 through 7.2.12 to be upgraded to 7.2.13 or later
  • FortiProxy 7.0.0 through 7.0.19 to be upgraded to 7.0.20 or later

CVE-2023-37936

  • FortiSwitch 7.4.0 to be upgraded to 7.4.1 or later
  • FortiSwitch 7.2.0 through 7.2.5 to be upgraded to 7.2.6 or later
  • FortiSwitch 7.0.0 through 7.0.7 to be upgraded to 7.0.8 or later
  • FortiSwitch 6.4.0 through 6.4.13 to be upgraded to 6.4.14 or later
  • FortiSwitch 6.2.0 through 6.2.7 to be upgraded to 6.2.8 or later
  • FortiSwitch 6.0.0 through 6.0.7 should be migrated to a fixed release

How to find potentially vulnerable systems with runZero #

From the Asset Inventory, use the following query to locate systems running potentially vulnerable software:

os:"FortiOS" OR hw:"FortiSwitch" OR hw:"FortiProxy"

December 2024 #

Fortinet issued advisories for their FortiWLM product.

  • CVE-2023-34990 detailed in FG-IR-23-144 was rated critical with a CVSS score of 9.6 and may have allowed an unauthenticated attacker to read sensitive files.

What was the impact? #

An unauthenticated attacker may have been able to manipulate paths through the FortiWLM application and perform a path traversal in order to gain access to sensitive files outside the application root directory on the host machine.

Are updates or workarounds available? #

Fortinet recommended upgrading the following versions:

  • FortiWLM 8.6.0 through 8.6.5 to be upgraded to 8.6.6 or above
  • FortiWLM 8.5.0 through 8.5.4 to be upgraded to 8.5.5 or above
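Checking an inventory export against the upgrade lists above is a version-range comparison, not a string match. The following is an added triage helper, not runZero's or Fortinet's code: it encodes the CVE-2024-55591, CVE-2023-37936 and CVE-2023-34990 ranges from this page and assumes version strings as an inventory would report them, optionally with a leading "v" and a ",build..." suffix; the sample inputs are constructed.

```python
"""Triage a reported Fortinet version against the affected ranges listed above."""
from typing import List, Optional, Tuple

Version = Tuple[int, ...]

# (product, first affected, last affected, first fixed), copied from the
# upgrade lists on this page. None means "migrate to a fixed release".
AFFECTED = {
    "CVE-2024-55591": [
        ("FortiOS", "7.0.0", "7.0.16", "7.0.17"),
        ("FortiProxy", "7.2.0", "7.2.12", "7.2.13"),
        ("FortiProxy", "7.0.0", "7.0.19", "7.0.20"),
    ],
    "CVE-2023-37936": [
        ("FortiSwitch", "7.4.0", "7.4.0", "7.4.1"),
        ("FortiSwitch", "7.2.0", "7.2.5", "7.2.6"),
        ("FortiSwitch", "7.0.0", "7.0.7", "7.0.8"),
        ("FortiSwitch", "6.4.0", "6.4.13", "6.4.14"),
        ("FortiSwitch", "6.2.0", "6.2.7", "6.2.8"),
        ("FortiSwitch", "6.0.0", "6.0.7", None),
    ],
    "CVE-2023-34990": [
        ("FortiWLM", "8.6.0", "8.6.5", "8.6.6"),
        ("FortiWLM", "8.5.0", "8.5.4", "8.5.5"),
    ],
}

def parse_version(text: str) -> Version:
    """Reduce '7.0.12', 'v7.0.12' or 'v7.0.12,build0523,230425 (GA)' to (7, 0, 12)."""
    core = text.strip().lstrip("vV").split(",")[0].split(" ")[0]
    # Integer tuples compare numerically, so 7.0.9 < 7.0.16 (a string compare gets this wrong).
    return tuple(int(part) for part in core.split("."))

def triage(product: str, version: str) -> List[Tuple[str, Optional[str]]]:
    """Return (CVE, first fixed version) for every listed range the asset falls in."""
    v = parse_version(version)
    hits = []
    for cve, rows in AFFECTED.items():
        for prod, first, last, fixed in rows:
            if prod.lower() == product.lower() and parse_version(first) <= v <= parse_version(last):
                hits.append((cve, fixed))
    return hits

if __name__ == "__main__":
    # Constructed sample inventory rows, not real asset data.
    for prod, ver in [("FortiOS", "v7.0.12,build0523,230425 (GA)"),
                      ("FortiSwitch", "6.0.3"), ("FortiProxy", "7.2.13")]:
        print(prod, ver, "->", triage(prod, ver) or "not in a listed range")
```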

How to find potentially vulnerable systems with runZero #

From the Service Inventory, use the following query to locate systems running potentially vulnerable software:

html.title:FortiWLM

October 2024 #

Fortinet issued advisories for its FortiAnalyzer, FortiAnalyzer-BigData, FortiManager, and FortiOS products.

  • CVE-2023-50176 detailed in FG-IR-23-475 was rated high with a CVSS score of 7.1, and may have allowed an unauthenticated attacker to hijack a user session.
  • CVE-2024-23666 detailed in FG-IR-23-396 was rated high with a CVSS score of 7.1 and may have allowed an authenticated, read-only user the ability to execute "sensitive operations".

What was the impact? #

CVE-2024-23666, which affected FortiAnalyzer and FortiManager products, required that an attacker (or malicious user) was authenticated against the system. A read-only user could potentially execute sensitive operations through crafted requests, bypassing client-side enforcement through the web interface. CVE-2023-50176, which affected the SSLVPN component of FortiOS, was a session fixation vulnerability that allowed an unauthenticated attacker the ability to hijack an authenticated user's session via a "phishing SAML authentication link".

Are updates or workarounds available? #

The vendor released patches for all affected products. They recommended following the upgrade path using their upgrade tool.

How to find potentially vulnerable systems with runZero #

From the Asset Inventory, use the following query to locate systems running potentially vulnerable software:

hw:FortiManager OR hw:FortiAnalyzer OR os:FortiOS

March 2024 #

On March 12th, 2024, Fortinet disclosed several vulnerabilities in their FortiOS, FortiProxy, and FortiClient products:

  • FG-IR-23-328 – a buffer overflow vulnerability in the handling of form-based authentication in the FortiOS and FortiProxy captive portals, allowing remote, unauthenticated attackers to execute arbitrary code. These issues have been assigned CVE-2023-42789 and CVE-2023-42790, each with a CVSS score of 9.3 (critical).

  • FG-IR-24-007 – a SQL injection vulnerability in the FortiClient Enterprise Management Server. This vulnerability has been designated CVE-2023-48788, and has been given a CVSS score of 9.8 (critical).

  • FG-IR-23-390 – a log injection vulnerability in the FortiClient Enterprise Management Server. This vulnerability has been assigned CVE-2023-47534 and a CVSS score of 7.7 (high).

  • FG-IR-23-103 – a remote code execution vulnerability in the FortiManager product. This vulnerability has been designated CVE-2023-36554 with a CVSS score of 7.7 (high). Note that the vulnerable subsystem is not installed by default.

  • FG-IR-23-013 – an information disclosure vulnerability in the FortiGuard SSL-VPN product. This vulnerability has been designated CVE-2024-23112 and given a CVSS score of 7.2 (high).

Upon successful exploitation of these vulnerabilities, attackers could execute arbitrary code on the vulnerable system or disclose privileged information. Fortinet released updates to mitigate this issue and all users were urged to update immediately.

How to find FortiOS, FortiProxy or FortiClient operating systems #

From the Asset Inventory, use the following query to locate assets running the FortiOS or FortiProxy operating systems, which may be vulnerable:

os:"FortiOS" OR os:"FortiProxy"

Additionally, from the Services Inventory, use the following query to locate potentially vulnerable systems:

html.title:="FortiClient Endpoint Management Server"

CVE-2024-21762 (February 2024) #

On February 8th, 2024, Fortinet disclosed a serious vulnerability in their FortiOS operating system, used by multiple Fortinet products.

The issue, CVE-2024-21762, allowed attackers to execute arbitrary code on vulnerable devices. The vendor indicated that this is a critical vulnerability and reported indications that it may be actively exploited in the wild. Upon successful exploitation, attackers could execute arbitrary code on the vulnerable system.

Fortinet released an update to mitigate this issue and all users were urged to update immediately. Additionally, the vendor indicated that disabling the SSL-VPN functionality of the device would mitigate the issue.

How to find FortiOS devices #

From the Asset Inventory, use the following query to locate assets running the FortiOS operating system which may potentially be vulnerable:

os:"FortiOS" AND tcp:443

CVE-2022-40684 (October 2022) #

News surfaced in October 2022 of a critical authentication bypass vulnerability present in the web administration interface of some Fortinet products. Successful exploitation of this vulnerability (tracked as CVE-2022-40684) via crafted HTTP and HTTPS requests could provide remote attackers with admin-level command execution on vulnerable FortiOS devices including FortiGate firewalls, FortiProxy web proxies, and FortiSwitchManager assets.

With a CVSS critical score of 9.6, attackers running admin-level commands on compromised assets may have had the ability to persist presence, explore connected internal networks, and exfiltrate data. At the time Fortinet was aware of at least one exploit of this vulnerability in the wild, and Bleeping Computer offered a Shodan search showing more than 140k publicly accessible FortiGate devices potentially running vulnerable FortiOS. Additionally, security researchers with Horizon3.ai planned on publishing an exploit PoC. For admins wanting to check if a FortiOS/FortiProxy/FortiSwitchManager asset had been exploited, Fortinet provides an indicator of compromise (see the “Exploitation Status” section).

Fortinet called out the vulnerable FortiOS, FortiProxy, and FortiSwitchManager versions in their advisory and had made updates available for affected products. Admins were advised to ensure that affected models were updated to the latest version as soon as possible. If updates could not be completed in the near term, Fortinet provided some mitigation steps (see the “Workaround” section) that could be taken to secure vulnerable assets.

How to find FortiOS, FortiProxy, and FortiSwitchManager assets #

From the Asset Inventory, runZero users entered the following pre-built query to locate FortiOS, FortiProxy, and FortiSwitchManager assets:

os:FortiOS or product:FortiProxy or product:FortiSwitchManager

The prebuilt query is available in the Queries Library.

Written by Rob King

Rob King is the Director of Security Research at runZero. Over his career Rob has served as a senior researcher with KoreLogic, the architect for TippingPoint DVLabs, and helped get several startups off the ground. Rob helped design SC Magazine's Data Leakage Prevention Product of the Year for 2010, and was awarded the 3Com Innovator of the Year Award in 2009. He has been invited to speak at BlackHat, Shmoocon, SANS Network Security, and USENIX.


Written by runZero Team

Due to the nature of their research and out of respect for their privacy, runZero team members prefer to remain anonymous. Their work is published under the runZero name.
