CISA says critical Fortinet RCE flaw now exploited in attacks
Today, CISA revealed that attackers are actively exploiting a critical FortiOS remote code execution (RCE) vulnerability in the wild.
The flaw (CVE-2024-23113) is a format string bug (CWE-134): the fgfmd daemon accepts an externally controlled format string as an argument, which can let unauthenticated threat actors execute commands or arbitrary code on unpatched devices in low-complexity attacks that require no user interaction.
As Fortinet explains, the vulnerable fgfmd daemon runs on FortiGate and FortiManager, handling all authentication requests and managing keep-alive messages between them (as well as all resulting actions like instructing other processes to update files or databases).
CVE-2024-23113 affects the FortiOS 7.0, 7.2 and 7.4 release branches (6.x releases are not affected), FortiPAM 1.0 and later, FortiProxy 7.0 and later, and FortiWeb 7.4; the fixed builds are listed in Fortinet's advisory FG-IR-24-029.
The company disclosed and patched this security flaw in February, when it advised admins to remove fgfm access on all interfaces as a workaround (taking "fgfm" out of each interface's allowaccess list stops fgfmd from listening on TCP/541) to block potential attacks.
"Note that this will prevent FortiGate discovery from FortiManager. Connection will still be possible from FortiGate," Fortinet said.
"Please also note that a local-in policy that only allows FGFM connections from a specific IP will reduce the attack surface but it won't prevent the vulnerability from being exploited from this IP. As a consequence, this should be used as a mitigation and not as a complete workaround."
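The two measures Fortinet describes, written out as FortiOS CLI, as an added example that is not taken from Fortinet's advisory. It assumes a management interface named "port1", a FortiManager reachable at 192.0.2.10, and the object names "fortimanager-mgmt" and "FGFM-tcp541", all of which are illustrative; substitute your own interfaces and addresses, and repeat the allowaccess change on every interface that currently lists fgfm.

```fortios
# Added example, not Fortinet advisory text. Assumed: management interface
# "port1", FortiManager at 192.0.2.10, FortiOS 7.x CLI syntax.

# 1. Workaround: stop fgfmd from listening by dropping "fgfm" from
#    allowaccess. "set allowaccess" replaces the whole list, so re-state
#    every service you still need. Do this on each interface that had fgfm.
config system interface
    edit "port1"
        set allowaccess ping https ssh
    next
end

# 2. Mitigation only: if FGFM must stay enabled, restrict it to the
#    FortiManager address with local-in policies (FGFM is TCP/541).
#    Per Fortinet this reduces the attack surface but does not remove
#    the vulnerability for traffic from the allowed IP.
config firewall address
    edit "fortimanager-mgmt"
        set subnet 192.0.2.10 255.255.255.255
    next
end
config firewall service custom
    edit "FGFM-tcp541"
        set tcp-portrange 541
    next
end
config firewall local-in-policy
    # Policies are matched in order: allow the manager first, then deny
    # everyone else on the same port.
    edit 1
        set intf "port1"
        set srcaddr "fortimanager-mgmt"
        set dstaddr "all"
        set service "FGFM-tcp541"
        set schedule "always"
        set action accept
    next
    edit 2
        set intf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set service "FGFM-tcp541"
        set schedule "always"
        set action deny
    next
end

# 3. Check: after the workaround, "fgfm" must not appear on any interface.
show system interface port1 | grep allowaccess
```

The allowaccess change is the only step Fortinet presents as a workaround; the local-in policy is a defence-in-depth reduction of exposure while you schedule the upgrade, and it does nothing if the management network itself is compromised.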
Federal agencies ordered to patch within three weeks
While Fortinet has yet to update its February advisory to confirm CVE-2024-23113 exploitation, CISA added the vulnerability to its Known Exploited Vulnerabilities Catalog on Wednesday.
U.S. federal agencies are now also required to secure FortiOS devices on their networks against these ongoing attacks within three weeks, by October 30, as required by the binding operational directive (BOD 22-01) issued in November 2021.
"These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise," the cybersecurity agency warned.
The Dutch Military Intelligence and Security Service (MIVD) warned in June that Chinese hackers exploited another critical FortiOS RCE vulnerability (CVE-2022-42475) between 2022 and 2023 to breach and infect at least 20,000 Fortigate network security appliances with malware.