
Fortinet has warned that two critical-severity vulnerabilities in FortiSIEM could lead to remote code execution.
The issues, tracked as CVE-2024-23108 and CVE-2024-23109, both have a CVSS score of 10, as they can be exploited without authentication.
Each of these bugs is described as “improper neutralization of special elements”, and both appear linked to CVE-2023-34992 (CVSS score of 9.8), which was addressed in October 2023.
Fortinet has merged both flaws into the initial advisory on CVE-2023-34992, which suggests that the three issues might be connected or that they are variations of the same vulnerability.
According to NIST, CVE-2023-34992 is easily exploitable without user interaction, with a high impact on availability, confidentiality, and integrity. The newly identified security holes are likely no different.
Fortinet’s advisory reveals that the bugs impact FortiSIEM versions 7.1.x, 7.0.x, 6.7.x, 6.6.x, 6.5.x, and 6.4.x. Patches were included in FortiSIEM version 7.1.2, while security updates for the remaining vulnerable iterations are pending.
Fortinet makes no mention of any of these vulnerabilities being exploited in the wild.

