CVE-2023-34990
published 2024-12-18

Priority: P178 · severity: critical · CVSS 3.1 base score: 9.8
CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploit: available
EPSS: 24.90% (97.6th percentile)
A relative path traversal in Fortinet FortiWLM version 8.6.0 through 8.6.5 and 8.5.0 through 8.5.4 allows an attacker to execute unauthorized code or commands via specially crafted web requests.

Affected (6 ranges)

Vendor      Product     Version range        Fixed in
fortinet    fortinet    (not specified)      -
fortinet    fortiwlm    (not specified)      -
fortinet    fortiwlm    >= 8.5.0, < 8.5.5    8.5.5
fortinet    fortiwlm    8.5.0 – 8.5.4        -
fortinet    fortiwlm    >= 8.6.0, < 8.6.6    8.6.6
fortinet    fortiwlm    8.6.0 – 8.6.5        -

Detection & IOCs (extracted from sources)

url:  /ems/cgi-bin/ezrf_lighttpd.cgi?op_type=upgradelogs&imagename=../../../../../../../../../data/apps/nms/logs/httpd_error_log
path: /ems/cgi-bin/ezrf_lighttpd.cgi
path: /data/apps/nms/logs/httpd_error_log
  • Look for path traversal sequences in the 'imagename' parameter of requests to /ems/cgi-bin/ezrf_lighttpd.cgi with op_type=upgradelogs
  • Monitor FortiWLM log files for session ID leakage — logs record session IDs of all authenticated users in plaintext, which attackers harvest post-traversal
  • Use Shodan query 'title:"FortiWLM Login"' to identify exposed FortiWLM instances for asset discovery and attack surface monitoring
  • Check Point IPS signature 'Web Servers Malicious URL Directory Traversal' provides detection coverage for this CVE
  • Exploit is unauthenticated and requires no prior access — alert on any unauthenticated GET requests to ezrf_lighttpd.cgi containing '../' sequences
  • Affected versions are FortiWLM 8.6.0–8.6.5 and 8.5.0–8.5.4; fixed in 8.6.6 and 8.5.5. Ensure version checks target this exact range.
  • The Nuclei template uses a two-step flow: first confirming the FortiWLM login page is present, then executing the traversal. Single-step detections may produce false positives on non-FortiWLM hosts.
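As an added detection example (not code from the source page or from any vendor or the Nuclei project), the following Python applies the first and fifth bullets to web-server access logs: it flags requests to /ems/cgi-bin/ezrf_lighttpd.cgi with op_type=upgradelogs whose imagename parameter contains a traversal sequence, decoding percent-encoding so encoded variants are not missed. The log lines are constructed samples in common log format; the log layout and field names are assumptions.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample access-log lines (common log format), not real traffic.
SAMPLE_LOGS = [
    '203.0.113.5 - - [18/Dec/2024:10:01:02 +0000] "GET /ems/cgi-bin/ezrf_lighttpd.cgi'
    '?op_type=upgradelogs&imagename=../../../../../../../../../data/apps/nms/logs/httpd_error_log HTTP/1.1" 200 5120',
    # Same traversal with the "../" percent-encoded, which a naive substring check on '../' would miss.
    '203.0.113.6 - - [18/Dec/2024:10:01:05 +0000] "GET /ems/cgi-bin/ezrf_lighttpd.cgi'
    '?op_type=upgradelogs&imagename=%2e%2e%2f%2e%2e%2fdata%2fapps%2fnms%2flogs%2fhttpd_error_log HTTP/1.1" 200 5120',
    # Benign-looking request to the same CGI with a plain file name: should not alert.
    '198.51.100.9 - - [18/Dec/2024:10:02:00 +0000] "GET /ems/cgi-bin/ezrf_lighttpd.cgi'
    '?op_type=upgradelogs&imagename=upgrade_20241218.log HTTP/1.1" 200 2048',
    # Traversal against an unrelated path: out of scope for this rule.
    '198.51.100.9 - - [18/Dec/2024:10:02:30 +0000] "GET /index.html?file=../../x HTTP/1.1" 404 0',
]

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
TARGET_CGI = "/ems/cgi-bin/ezrf_lighttpd.cgi"
# A ".." path component bounded by a slash, backslash, or string start/end.
TRAVERSAL_RE = re.compile(r"(^|[\\/])\.\.([\\/]|$)")


def is_traversal_attempt(line):
    """Return match details for a CVE-2023-34990-style request, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    if parts.path != TARGET_CGI:
        return None
    qs = parse_qs(parts.query, keep_blank_values=True)  # percent-decodes values once
    if "upgradelogs" not in qs.get("op_type", []):
        return None
    for name in qs.get("imagename", []):
        decoded = unquote(name)  # second decode catches double-encoded sequences
        if TRAVERSAL_RE.search(decoded):
            return {"src": m.group("src"), "ts": m.group("ts"),
                    "status": m.group("status"), "imagename": decoded}
    return None


def scan(lines):
    """Run the rule over a list of log lines and return the matches in order."""
    return [hit for hit in (is_traversal_attempt(l) for l in lines) if hit]
```

Matches on a host that is not FortiWLM are still worth a look, but per the Nuclei note above, confirming the product first reduces false positives.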