CVE-2023-34991
Published: 2023-11-14
Priority: P275 · critical · 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 28.78% (97.9th percentile)
An improper neutralization of special elements used in an SQL command ('SQL injection') in Fortinet FortiWLM version 8.6.0 through 8.6.5 and 8.5.0 through 8.5.4 and 8.4.0 through 8.4.2 and 8.3.0 through 8.3.2 and 8.2.2 allows an attacker to execute unauthorized code or commands via a crafted HTTP request.
Affected
13 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| fortinet | fortinet | — | — |
| fortinet | fortiwlm | — | — |
| fortinet | fortiwlm | — | — |
| fortinet | fortiwlm | — | — |
| fortinet | fortiwlm | — | — |
| fortinet | fortiwlm | — | — |
| fortinet | fortiwlm | — | — |
| fortinet | fortiwlm | — | — |
| fortinet | fortiwlm | — | — |
| fortinet | fortiwlm | 8.3.0 – 8.3.2 | — |
| fortinet | fortiwlm | 8.4.0 – 8.4.2 | — |
| fortinet | fortiwlm | 8.5.0 – 8.5.4 | — |
| fortinet | fortiwlm | 8.6.0 – 8.6.5 | — |
Detection & IOCs (extracted from sources)
url: /ems/cgi-bin/ezrf_upgrade_images.cgi
command: op_type=editimage
snort:
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING Fortinet FortiWLM Unauthenticated SQL Injection (CVE-2023-34991)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/ems/cgi-bin/ezrf_upgrade_images.cgi"; fast_pattern; content:"op_type=editimage"; content:"imageName|3d|"; content:"description|3d|"; reference:url,www.horizon3.ai/attack-research/attack-blogs/fortiwlm-the-almost-story-for-the-forti-forty; reference:cve,2023-34991; classtype:web-application-activity; sid:2058409; rev:1; metadata:affected_product FortiWLM, attack_target Server, tls_state TLSDecrypt, created_at 2024_12_19, cve CVE_2023_34991, deployment Perimeter, deployment Internal, deployment SSLDecrypt, confidence High, signature_severity Major, tag Exploit, updated_at 2024_12_19, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
- Exploit requests use the HTTP GET method targeting /ems/cgi-bin/ezrf_upgrade_images.cgi with query parameters op_type=editimage, imageName=, and description=; all three content matches must be present to indicate a SQLi exploitation attempt.
- The attack is unauthenticated: no session/auth token is required, so absence of authentication headers should not be used to filter out suspicious requests to this endpoint.
- MITRE mapping is Initial Access (TA0001) via Exploit Public-Facing Application (T1190); monitor perimeter and internal network segments, including TLS-decrypted traffic.
- The Snort/Suricata rule (ET sid:2058409) is classified as web-application-activity with Major severity and High confidence; deploy on Perimeter, Internal, and SSLDecrypt sensors.
- Affected versions span a wide range (8.2.2, 8.3.0–8.3.2, 8.4.0–8.4.2, 8.5.0–8.5.4, 8.6.0–8.6.5); ensure version-based asset inventory is current before scoping detection coverage.
- The Snort rule requires TLS inspection (tls_state TLSDecrypt) to fire on HTTPS traffic; without SSL/TLS decryption the rule will not trigger on encrypted sessions.
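A log-hunting counterpart to the rule and notes above, as an added example that is not part of the original page or of the ET ruleset: it applies the same conditions (GET, the endpoint path, and the three query parameters) to web access logs, which helps where TLS is not decrypted at the sensor. The Combined Log Format, the function names and the sample lines are assumptions constructed for illustration; it goes slightly beyond the rule by also reporting other requests to the endpoint as lower-confidence hits.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

ENDPOINT = "/ems/cgi-bin/ezrf_upgrade_images.cgi"

# Assumed log layout: Common/Combined Log Format (not confirmed for FortiWLM).
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})'
)

def classify(method, uri):
    """Return 'match' when all rule conditions hold, 'endpoint-only' for any
    other request to the endpoint, None for unrelated requests."""
    parts = urlsplit(uri)
    if unquote(parts.path) != ENDPOINT:
        return None
    # parse_qs percent-decodes names and values; parameter order is irrelevant.
    params = parse_qs(parts.query, keep_blank_values=True)
    full = (
        method == "GET"
        and "editimage" in params.get("op_type", [])
        and "imageName" in params
        and "description" in params
    )
    return "match" if full else "endpoint-only"

def hunt(lines):
    """Yield-free scan: returns (verdict, source IP, logged user, status).
    The logged user is reported but never used as a filter, because the
    attack needs no authentication."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        verdict = classify(m["method"], m["uri"])
        if verdict:
            hits.append((verdict, m["src"], m["user"], m["status"]))
    return hits

# Constructed sample lines (documentation IP ranges, benign parameter values).
SAMPLE_LOG = [
    '203.0.113.7 - - [19/Dec/2024:10:01:02 +0000] "GET /ems/cgi-bin/ezrf_upgrade_images.cgi?op_type=editimage&imageName=a.img&description=x HTTP/1.1" 200 512',
    '198.51.100.9 - - [19/Dec/2024:10:02:10 +0000] "GET /ems/cgi-bin/ezrf_upgrade_images.cgi?description=x&imageName=a.img&op_type=editimage HTTP/1.1" 200 512',
    '192.0.2.44 - admin [19/Dec/2024:10:05:00 +0000] "GET /ems/cgi-bin/ezrf_upgrade_images.cgi HTTP/1.1" 200 90',
    '192.0.2.44 - admin [19/Dec/2024:10:05:03 +0000] "GET /index.html HTTP/1.1" 200 1024',
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_LOG):
        print(*hit)
```
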
Fortinet
vendor_fortinet · 2023-11-14 · CVSS 9.8
FG-IR-23-142: CVE-2023-34991 [CRITICAL] CWE-89
CVEs: CVE-2023-34991
CWEs: CWE-89
CVSS: 9.8 (critical)
Affected products: FortiWLM, FortiWlm, Fortinet
GHSA
GHSA-hg7c-7628-52r9: CVE-2023-34991 [CRITICAL] CWE-89
ghsa_unreviewed · 2023-11-14
Suricata
ET HUNTING Fortinet FortiWLM Unauthenticated SQL Injection (CVE-2023-34991)
suricata · 2024-12-19 · CVSS 9.8
No public exploits indexed.
No writeups or analysis indexed.
Published: 2023-11-14