
Fortinet has released patches for multiple vulnerabilities in FortiOS and other products, including some code execution flaws.
The most severe is a set of stack-based buffer overflow vulnerabilities in the command line interpreter of FortiOS [CWE-121], tracked as CVE-2024-23110, which can be exploited by an authenticated attacker to achieve code or command execution via specially crafted command line arguments.
Fortinet also addressed the following medium-severity issues:
- CVE-2024-26010 – A stack-based overflow vulnerability [CWE-124] in FortiOS, FortiProxy, FortiPAM, FortiSwitchManager could allow a remote attacker to execute arbitrary code or commands by sending crafted packets to the fgfmd daemon. The exploitability of this vulnerability depends on specific conditions that are not controllable by the attacker.
- CVE-2024-23111 – A cross-site scripting vulnerability [CWE-79] in the reboot page of FortiOS and FortiProxy could enable a remote attacker with super-admin access to execute JavaScript code through specially crafted HTTP GET requests.
- CVE-2023-46720 – Multiple stack-based buffer overflow vulnerabilities [CWE-121] in FortiOS could permit an authenticated attacker to execute arbitrary code by using specially crafted CLI commands.
Fortinet did not reveal whether any of the above issues was actively exploited in the wild.


