Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2024-23113

CVE-2024-23113: Fortinet FortiProxy RCE Vulnerability

CVE-2024-23113 is a remote code execution flaw in Fortinet FortiProxy caused by externally-controlled format strings. Attackers can execute unauthorized commands via crafted packets. This article covers technical details.

Updated:

CVE-2024-23113 Overview

CVE-2024-23113 is a format string vulnerability [CWE-134] affecting multiple Fortinet products including FortiOS, FortiProxy, FortiPAM, and FortiSwitchManager. The flaw exists in the fgfmd daemon, which processes communications between FortiGate devices and FortiManager. An unauthenticated remote attacker can send specially crafted packets containing externally-controlled format string specifiers to execute arbitrary code or commands on affected devices. CISA added this vulnerability to its Known Exploited Vulnerabilities catalog, confirming active exploitation in the wild.

Critical Impact

Unauthenticated remote attackers can execute arbitrary code on affected Fortinet appliances over the network with no user interaction required.

Affected Products

  • Fortinet FortiOS versions 7.4.0 through 7.4.2, 7.2.0 through 7.2.6, 7.0.0 through 7.0.13
  • Fortinet FortiProxy versions 7.4.0 through 7.4.2, 7.2.0 through 7.2.8, 7.0.0 through 7.0.14
  • Fortinet FortiPAM versions 1.2.0, 1.1.0 through 1.1.2, 1.0.0 through 1.0.3 and FortiSwitchManager versions 7.2.0 through 7.2.3, 7.0.0 through 7.0.3

Discovery Timeline

  • 2024-02-15 - CVE-2024-23113 published to NVD alongside Fortinet advisory FG-IR-24-029
  • 2025-10-24 - Last updated in NVD database

Technical Details for CVE-2024-23113

Vulnerability Analysis

The vulnerability resides in the FortiGate to FortiManager (FGFM) protocol handler implemented by the fgfmd daemon. The daemon accepts data from a remote source and passes it as a format string argument to a logging or formatting function without sanitization. Format string flaws [CWE-134] permit attackers to supply conversion specifiers such as %s, %n, or %x. These specifiers cause the function to read from or write to memory locations the attacker influences.

Exploitation of this class of vulnerability typically enables arbitrary memory reads, controlled memory writes, and ultimately code execution in the context of the vulnerable daemon. Because fgfmd runs with elevated privileges and processes network input, successful exploitation grants attacker control over the appliance.

Root Cause

The root cause is improper handling of externally-controlled input passed as the format argument to a printf-family function. Developer-supplied format strings must remain constant. When attacker-controlled data reaches the format parameter, the C library interprets embedded specifiers and operates on adjacent stack data.

Attack Vector

The attack vector is network-based and requires no authentication. An attacker reaches the FGFM service exposed by vulnerable appliances and sends a crafted packet containing format specifiers. The service parses the input, triggering the format string evaluation and leading to code or command execution. Refer to the FortiGuard Security Advisory FG-IR-24-029 for protocol-level details.

Detection Methods for CVE-2024-23113

Indicators of Compromise

  • Unexpected outbound connections initiated by FortiGate, FortiProxy, FortiPAM, or FortiSwitchManager appliances to unknown hosts
  • Anomalous FGFM protocol traffic on TCP port 541 from untrusted source addresses
  • New or modified administrative accounts on Fortinet management interfaces without an authorized change record
  • Crashes or restarts of the fgfmd process recorded in system event logs

Detection Strategies

  • Inspect FGFM traffic for format specifier sequences such as %s, %n, or %x embedded in protocol fields
  • Compare current Fortinet device firmware against the fixed versions listed in advisory FG-IR-24-029
  • Correlate authentication, configuration change, and network connection events on Fortinet appliances to identify post-exploitation activity

Monitoring Recommendations

  • Forward Fortinet syslog and FGFM session logs to a centralized SIEM for retention and correlation
  • Alert on any inbound connection attempts to TCP 541 from sources outside the documented FortiManager management network
  • Monitor for configuration changes, firmware modifications, and new VPN tunnels on Fortinet appliances

How to Mitigate CVE-2024-23113

Immediate Actions Required

  • Upgrade FortiOS, FortiProxy, FortiPAM, and FortiSwitchManager to the fixed versions identified in FortiGuard advisory FG-IR-24-029
  • Restrict access to the FGFM service so only authorized FortiManager hosts can reach TCP port 541
  • Audit appliances for signs of prior exploitation given confirmation by the CISA Known Exploited Vulnerabilities catalog
  • Rotate administrative credentials and review configuration changes on any device that was internet-exposed before patching

Patch Information

Fortinet released fixed builds in February 2024. Upgrade FortiOS to 7.4.3 or later, 7.2.7 or later, and 7.0.14 or later. Upgrade FortiProxy to 7.4.3 or later, 7.2.9 or later, and 7.0.15 or later. Upgrade FortiPAM to 1.2.1 or later and FortiSwitchManager to 7.2.4 or 7.0.4 as documented in advisory FG-IR-24-029.

Workarounds

  • Remove the fgfm access setting from the management interface configuration when FortiManager is not used
  • Apply a local-in-policy that limits inbound connections on TCP 541 to specific trusted FortiManager IP addresses
  • Place management interfaces on isolated networks reachable only through bastion hosts or VPN
bash
# Restrict FGFM access to a known FortiManager IP using local-in-policy
config firewall address
  edit "fortimanager-mgmt"
    set subnet 203.0.113.10 255.255.255.255
  next
end

config firewall local-in-policy
  edit 1
    set intf "wan1"
    set srcaddr "fortimanager-mgmt"
    set dstaddr "all"
    set action accept
    set service "FGFM"
    set schedule "always"
  next
  edit 2
    set intf "wan1"
    set srcaddr "all"
    set dstaddr "all"
    set action deny
    set service "FGFM"
    set schedule "always"
  next
end

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.