Severe Path Traversal Vulnerability in FortiWLM (CVE-2023-34990) Allows Unauthorized Code Execution

ISGroup Cybersecurity

Fortinet FortiWLM, a widely used solution for managing wireless LAN networks, contained a critical path traversal vulnerability (CVE-2023-34990) that allowed attackers to access sensitive log files and, potentially, execute unauthorized commands. The vulnerability, discovered by Zach Hanley of Horizon3.ai, affects FortiWLM versions used in enterprise environments for wireless network management. Since FortiWLM is often deployed in critical infrastructure, this flaw is particularly concerning, as it can be exploited remotely and without authentication, allowing attackers to compromise administrative privileges and gain unauthorized access to systems.

ProductFortinet FortiWLM
Date2024-12-20 14:31:14
Information
  • Trending
  • Fix Available

Technical Summary

CVE-2023-34990 is a critical vulnerability (CVSS 9.8) in FortiWLM that allows unauthenticated attackers to exploit the /ems/cgi-bin/ezrf_lighttpd.cgi endpoint by injecting directory traversal sequences (../) into the imagename parameter. This vulnerability allows attackers to access sensitive log files, including administrator session tokens, which can be used to hijack authenticated sessions and access restricted endpoints.

  • Affected versions:

    • FortiWLM 8.5.0 – 8.5.4
    • FortiWLM 8.6.0 – 8.6.5

  • Exploit mechanism:

    • Attackers construct web requests to bypass input validation.
    • Sensitive logs are exposed, increasing the risk of unauthorized command execution.

  • Timing issues:

    • Disclosed in May 2023 by Zach Hanley of Horizon3.
    • Patch released on December 18, 2024, creating a 19-month window for potential exploitation.

Recommendations

Organizations using vulnerable versions of FortiWLM must immediately take the following measures:

  1. Update to the patched versions (8.5.5, 8.6.6, or later) to eliminate the vulnerability.
  2. Monitor network traffic for signs of exploitation, particularly unauthorized access to logs or attempts at session hijacking.

[Callforaction-THREAT-Footer]