On Tuesday, Fortinet released patches for multiple vulnerabilities in FortiOS and other products, including several that lead to code execution. The most severe, CVE-2024-23110 (CVSS score of 7.4), involves stack-based buffer overflow issues in the command line interpreter, potentially allowing authenticated attackers to execute unauthorized code or commands. This flaw affects FortiOS versions 6.x and 7.x, addressed in updates 6.2.16, 6.4.15, 7.0.14, 7.2.7, and 7.4.3. Another medium-severity vulnerability, CVE-2024-26010, impacts multiple Fortinet products and can be exploited under specific conditions for arbitrary code execution. Additionally, Fortinet fixed several medium-severity stack-based buffer overflow vulnerabilities (CVE-2023-46720) and two issues that could allow JavaScript code execution or decryption of backup files. The updates also address SQL injection flaws in FortiPortal and FortiSOAR Event Auth API, and a mitigation for the TunnelVision attack (CVE-2024-3661) affecting FortiClientWindows (SSL-VPN). While Fortinet reports no known exploitation of these vulnerabilities, threat actors have previously targeted patched flaws in Fortinet products.

Read more: https://www.securityweek.com/fortinet-patches-code-execution-vulnerability-in-fortios/