Public exploit available

Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).

CVE-2024-23108

CWE-78 — OS Command Injection9 documents8 sources

Severity

9.8CRITICAL

EPSS

90.4%

top 0.39%

CISA KEV

Not in KEV

Exploit

PoC available

Public exploit / PoC exists

Affected products

Fortinet Fortisiem

Timeline

PublishedFeb 5

Latest updateMay 28

Description

An improper neutralization of special elements used in an os command ('os command injection') vulnerability in Fortinet allows attacker to execute unauthorized code or commands via via crafted API requests.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:HExploitability: 3.9 | Impact: 6.0

Affected Packages2 packages

▶CVEListV5fortinet/fortisiem7.1.0 — 7.1.1+5

▶NVDfortinet/fortisiem6.4.0 — 6.4.2+6

🔴Vulnerability Details

CVEList

CVE-2024-23108: An improper neutralization of special elements used in an os command ('os command injection') vulnerability in Fortinet allows attacker to execute una↗2024-02-05

▶

GHSA

GHSA-chj3-8q43-rcc8: An improper neutralization of special elements used in an os command ('os command injection') in Fortinet FortiSIEM version 7↗2024-02-05

▶

VulnCheck

Fortinet FortiSIEM Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')↗2024

▶

💥Exploits & PoCs

Nuclei

Fortinet FortiSIEM - OS Command Injection

▶

🔍Detection Rules

Suricata

ET EXPLOIT Fortinet FortiSIEM Unauthenticated Command Injection CVE-2024-23108↗2024-05-28

▶

📋Vendor Advisories

Fortinet

A improper neutralization of special elements used in an os command ('os command injection') vulnerability in Fortinet...↗2023-10-10

▶

🕵️Threat Intelligence

Bleepingcomputer

Exploit released for maximum severity Fortinet RCE bug, patch now↗2024-05-28

▶

Bleepingcomputer

Fortinet warns of new FortiSIEM RCE bugs in confusing disclosure↗2024-02-07

▶