Fortinet Users Warned of Ongoing RCE Vulnerability


The recently exploited vulnerability in Fortinet's FortiOS, identified as CVE-2024-23113, is a critical remote code execution (RCE) flaw. This vulnerability is caused by an issue in the fgfmd daemon, which manages authentication requests and keep-alive messages between FortiGate and FortiManager. Specifically, it involves the daemon accepting an externally controlled format string as an argument, which can allow attackers to execute arbitrary commands or code on the affected devices.

How the Attack Works:

The exploitation of CVE-2024-23113 is relatively straightforward, as it does not require user interaction or high-complexity techniques. Attackers can craft requests that abuse the vulnerable format string handling in the fgfmd daemon to execute code remotely on unpatched devices. This type of attack is particularly dangerous because it allows threat actors to gain a foothold in the system with minimal barriers.

Impacted Fortinet Versions:

The following Fortinet products and versions are affected by the CVE-2024-23113 vulnerability:

  • FortiOS 7.0 and later
  • FortiPAM 1.0 and higher
  • FortiProxy 7.0 and above
  • FortiWeb 7.4

Required Versions for Patching:

Fortinet released patches to address this vulnerability in the following versions:

  • FortiOS 7.4.3, 7.2.7, and 7.0.14

Administrators are advised to upgrade to these versions or later to mitigate the risk of exploitation.

Mitigation Recommendations:

Fortinet has advised organizations to take the following actions to reduce their attack surface:

  1. Remove access to the fgfmd daemon for all interfaces as a precautionary measure, which helps to prevent potential attacks.
  2. Implement a local-in policy that restricts FGFM connections to specific IP addresses, although this should only be seen as a temporary mitigation step.
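The two recommendations above map onto two pieces of FortiOS configuration: the per-interface allowaccess list (where the fgfm service is enabled or removed) and a local-in policy that limits who may reach that service. The script below is an added example, not code from Fortinet or from the article; it parses a constructed FortiOS configuration dump, reports every interface that still exposes fgfm, prints the CLI that removes it, and generates a local-in policy pair that accepts FGFM only from a nominated FortiManager address and denies it from everywhere else. The interface names, addresses, policy IDs and object names are invented, and TCP/541 is assumed here as the FGFM port.

```python
from typing import Dict, List

# Constructed sample of a FortiOS configuration dump; names and addresses are
# invented for this example and do not describe any real device.
SAMPLE_CONFIG = """\
config system interface
    edit "port1"
        set vdom "root"
        set ip 192.0.2.10 255.255.255.0
        set allowaccess ping https ssh fgfm
    next
    edit "port2"
        set vdom "root"
        set ip 198.51.100.10 255.255.255.0
        set allowaccess ping https
        config ipv6
            set ip6-allowaccess ping
        end
    next
    edit "mgmt"
        set vdom "root"
        set allowaccess fgfm
    next
end
"""


def parse_interface_allowaccess(config_text: str) -> Dict[str, List[str]]:
    """Map each interface under 'config system interface' to its allowaccess list.

    A stack of open 'config' sections is kept so that nested blocks such as
    'config ipv6' inside an interface entry are not mistaken for the table itself.
    """
    section_stack: List[str] = []
    current = ""
    result: Dict[str, List[str]] = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("config "):
            section_stack.append(line[len("config "):])
        elif line == "end":
            section_stack.pop()
        elif section_stack == ["system interface"]:
            if line.startswith("edit "):
                current = line[len("edit "):].strip('"')
                result[current] = []  # no 'set allowaccess' line means nothing exposed
            elif line == "next":
                current = ""
            elif line.startswith("set allowaccess ") and current:
                result[current] = line[len("set allowaccess "):].split()
    return result


def interfaces_exposing_fgfm(config_text: str) -> List[str]:
    """Interfaces whose allowaccess list includes fgfm, i.e. the fgfmd listener."""
    return sorted(name for name, services in parse_interface_allowaccess(config_text).items()
                  if "fgfm" in services)


def remove_fgfm_commands(config_text: str) -> str:
    """FortiOS CLI that drops fgfm from every interface that currently exposes it."""
    lines = ["config system interface"]
    for name, services in parse_interface_allowaccess(config_text).items():
        if "fgfm" not in services:
            continue
        kept = [s for s in services if s != "fgfm"]
        lines.append(f'    edit "{name}"')
        # 'unset' clears the attribute when fgfm was the only service allowed.
        lines.append(("        set allowaccess " + " ".join(kept)) if kept else "        unset allowaccess")
        lines.append("    next")
    lines.append("end")
    return "\n".join(lines)


def restrict_fgfm_commands(intf: str, manager_ip: str, policy_id: int = 10) -> str:
    """FortiOS CLI for a local-in policy pair on intf: accept FGFM (assumed TCP/541)
    only from manager_ip, then deny it from any other source."""
    out = [
        "config firewall service custom",
        '    edit "FGFM-TCP541"',          # assumed object name
        "        set tcp-portrange 541",
        "    next",
        "end",
        "config firewall address",
        '    edit "fortimanager-host"',    # assumed object name
        f"        set subnet {manager_ip} 255.255.255.255",
        "    next",
        "end",
        "config firewall local-in-policy",
    ]
    for offset, (src, action) in enumerate([("fortimanager-host", "accept"), ("all", "deny")]):
        out += [f"    edit {policy_id + offset}", f'        set intf "{intf}"',
                f'        set srcaddr "{src}"', '        set dstaddr "all"',
                '        set service "FGFM-TCP541"', '        set schedule "always"',
                f"        set action {action}", "    next"]
    out.append("end")
    return "\n".join(out)


if __name__ == "__main__":
    exposed = interfaces_exposing_fgfm(SAMPLE_CONFIG)
    print("interfaces exposing fgfm:", exposed)
    print(remove_fgfm_commands(SAMPLE_CONFIG))
    if exposed:
        print(restrict_fgfm_commands(exposed[0], "203.0.113.5"))
```

Run against a real `show full-configuration` export, the first function gives a quick inventory of where fgfmd is reachable; the generated CLI is a starting point to review, not to paste blindly, and, as the article notes, the local-in policy only narrows the attack surface and does not replace the patch.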

CISA has also included this vulnerability in its Known Exploited Vulnerabilities (KEV) catalog, urging all affected organizations to apply the patches by October 30, 2024, to prevent further exploitation risks.

For more detailed information on this vulnerability and related mitigation strategies, you can visit Fortinet's advisory, BleepingComputer, or TheHackerNews.