Executive Summary
Fortinet has recently addressed a critical vulnerability, designated CVE-2023-34990 in its Wireless LAN Manager (FortiWLM) software, which could allow remote, unauthenticated attackers to access sensitive files and potentially gain admin privileges. Exploited via a lack of input validation in log-reading functionality, this vulnerability exposes session IDs that attackers can use to hijack authenticated sessions. CVE-2023-34990, which affects FortiWLM versions 8.5.0 to 8.6.5, has been patched in versions 8.5.5 and 8.6.6 or later. Security researchers warn that chaining CVE-2023-34990 with another vulnerability, CVE-2023-48782, which could enable remote code execution with root access, underscoring the need for immediate updates by Fortinet users.
Community Impact
Retail and hospitality organizations relying on wireless network solutions face heightened risks from this vulnerability. Exploiting FortiWLM could enable attackers to intercept sensitive customer data, disrupt network operations, or hijack admin accounts to carry out further attacks. The exposure of static session IDs per device boot makes these systems particularly vulnerable to session hijacking, potentially leading to unauthorized access and financial losses. As our sectors often handle large volumes of customer data and payment processing, the exploitation of this vulnerability could result in data breaches, operational downtime, and reputational damage, necessitating immediate patching and enhanced network monitoring. RH-ISAC Core Members are encouraged to review the intelligence included in this report, and the original report, linked above.
Analysis
CVE-2023-34990 is a critical path traversal vulnerability in Fortinet’s FortiWLM software that allows remote, unauthenticated attackers to access and read sensitive files via crafted requests to the /ems/cgi-bin/ezrf_lighttpd.cgi endpoint. The flaw arises from insufficient input validation in the imagename parameter, enabling attackers to traverse directories and access log files. These verbose logs often expose static session IDs tied to device boots, which attackers can use to hijack authenticated sessions and gain administrative access.
The severity of this vulnerability is further elevated by its potential chaining with CVE-2023-48782, which allows remote arbitrary code execution in the root context. This makes CVE-2023-34990 not only a standalone threat but also a critical component in broader exploitation scenarios. Despite its high risk, the internet exposure of vulnerable FortiWLM systems appears limited, with only around 15 instances detected in sectors like state and local government, education, and healthcare.
Fortinet has addressed the issue by releasing patches in FortiWLM versions 8.5.5 and 8.6.6 or later. Organizations must act promptly to apply these updates, given the frequent targeting of Fortinet devices by threat actors.
