Fortinet has disclosed a critical vulnerability in Fortinet Wireless Manager (FortiWLM) that allows remote attackers to take over devices by executing unauthorized code or commands through specially crafted web requests.
FortiWLM is a centralized management tool for monitoring, managing, and optimizing wireless networks. It’s used by government agencies, healthcare organizations, educational institutions, and large enterprises.
The flaw, tracked as CVE-2023-34990, is a relative path traversal flaw rated with a score of 9.8.
Horizon3 researcher Zach Hanley discovered and disclosed the vulnerability to Fortinet in May 2023. However, the flaw remained unfixed ten months later, and Hanley decided to disclose information and a POC it on March 14, 2024 in a technical writeup about other Fortinet flaws he discovered.
Stealing Admin session IDs
The issue allows unauthenticated attackers to exploit improper input validation in the ‘/ems/cgi-bin/ezrf_lighttpd.cgi’ endpoint.
By using directory traversal techniques in the ‘imagename’ parameter when the ‘op_type’ is set to ‘upgradelogs,’ attackers can read sensitive log files from the system.
These logs often contain administrator session IDs, which can be used to hijack admin sessions and gain privileged access, allowing threat actors to take over devices.
“Abusing the lack of input validation, an attacker can construct a request where the imagename parameter contains a path traversal, allowing the attacker to read any log file on the system,” explained Hanley.
“Luckily for an attacker, the FortiWLM has very verbose logs – and logs the session ID of all authenticated users. Abusing the above arbitrary log file read, an attacker can now obtain the session ID of a user and login and also abuse authenticated endpoints.”
The flaw affects FortiWLM versions 8.6.0 through 8.6.5 and 8.5.0 through 8.5.4.
Despite the researcher’s public warning, the lack of a CVE ID (at the time) and a security bulletin meant that users were unaware of the risk and needed to upgrade to a safe version.
According to the security bulletin Fortinet published yesterday, on December 18, 2024, CVE-2023-34990 was fixed in FortiWLM versions 8.6.6 and 8.5.5, released at the end of September 2023.
CVE-2023-34990 was a zero-day vulnerability for roughly four months, with FortiWLM users first learning about it 10 months after its discovery in Hanley’s writeup. However, it took Fortinet an additional 9 months to release a public security bulletin.
Given its deployment in critical environments, FortiWLM can be a valuable target for attackers, as compromising it remotely could lead to network-wide disruptions and sensitive data exposure.
Therefore, it is strongly advised that FortiWLM admins apply all available updates as they become available.