The recent emergence of a critical vulnerability in Fortinet’s Security Information and Event Management (SIEM) solution, FortiSIEM, has sparked significant concern within the cybersecurity community. Identified as CVE-2024-23108, this vulnerability permits remote code execution (RCE) and has prompted swift action from both security researchers and system administrators.

The diligent efforts of cybersecurity experts, particularly the researchers at Horizon3’s Attack Team, led to the discovery of this vulnerability. Through their investigation, they uncovered a proof-of-concept (PoC) exploit for CVE-2024-23108, enabling unauthorized remote command execution as root on specific FortiSIEM appliances. This exploit poses a grave threat to affected systems, potentially compromising sensitive data and infrastructure.

Fortinet, the vendor responsible for FortiSIEM, initially acknowledged two critical vulnerabilities, CVE-2024-23108 and CVE-2024-23109, both carrying a CVSS score of 10.0, denoting maximum severity. These vulnerabilities impact various versions of FortiSIEM, ranging from 6.4.0 to 7.1.1. Despite Fortinet’s warnings and subsequent release of patches, the severity of the situation prompted Horizon3’s Attack Team to make the PoC exploit available, underscoring the urgency of addressing this vulnerability.

The technical details of CVE-2024-23108 reveal that the flaw resides in the FortiSIEM supervisor, where the improper neutralization of special elements used in OS commands (CWE-78) enables attackers to execute unauthorized commands via crafted API requests. Fortinet’s advisory emphasizes the critical nature of this vulnerability and urges immediate patching to mitigate the risk of exploitation.

The complexity of the situation was exacerbated by Fortinet’s initial response to the vulnerabilities, which led to confusion. Initially, Fortinet denied the existence of the vulnerabilities and attributed them to duplicates of a previously addressed flaw (CVE-2023-34992). However, after further examination, Fortinet’s stance changed. It was determined that CVE-2024-23108 and CVE-2024-23109 are indeed variations of the previously identified vulnerability, emphasizing the significance of comprehensive vulnerability management and response procedures.

To aid system administrators and cybersecurity experts in identifying potential exploitation attempts, Horizon3’s Attack Team shared indicators of compromise (IoCs) for CVE-2024-23108. Monitoring logs for the phMonitor service, specifically entries showing failed commands with “datastore.py nfs test,” can assist in recognizing suspicious activities and potential exploitation attempts.

In summary, the disclosure of the PoC exploit for the Fortinet FortiSIEM RCE bug CVE-2024-23108 underscores the persistent challenges in cybersecurity and highlights the importance of proactive vulnerability management. System administrators are strongly encouraged to apply the most recent patches from Fortinet and to remain vigilant for any indications of compromise. As cyber threats continue to evolve, collaboration among security researchers, vendors, and end-users is increasingly crucial in protecting digital assets and infrastructure from malicious actors.