CVE-2024-23113 — Fortinet Multiple Products Format String Vulnerability

CVE-2024-23113

Fortinet FortiOS/FortiPAM/FortiProxy/FortiWeb — Format String in fgfmd Daemon; Pre-Auth RCE; CVSS 9.8; Actively Exploited Oct 2024

What is Fortinet FortiOS?

Fortinet FortiOS is the operating system running on FortiGate next-generation firewalls and unified threat management (UTM) appliances, one of the most widely deployed enterprise security platforms globally. FortiGate appliances serve as the primary network perimeter defense — NGFW, SSL-VPN, SD-WAN, and IPS — for hundreds of thousands of enterprises, government agencies, and critical infrastructure operators. Vulnerabilities in FortiOS that enable unauthenticated RCE are among the most consequential in enterprise security because a compromised FortiGate provides full network visibility and the ability to intercept, modify, or reroute all traffic. Fortinet appliances have been repeatedly targeted by nation-state actors for persistent access to their network perimeter position. This CVE also affects FortiPAM (privileged access management), FortiProxy (web proxy), and FortiWeb (web application firewall).

Overview

CVE-2024-23113 is a format string vulnerability (CWE-134) in multiple Fortinet products — FortiOS, FortiPAM, FortiProxy, and FortiWeb — in the fgfmd (FortiGate Fabric Management) daemon. The format string vulnerability allows a remote unauthenticated attacker to send a specially crafted FGFM protocol packet that causes fgfmd to use attacker-controlled data as a printf-style format string, enabling arbitrary code execution. The vulnerability was published in February 2024 but CISA added it to the KEV catalog in October 2024 — 8 months later — when active exploitation was confirmed against unpatched enterprise deployments.

Affected Versions

Product    | Vulnerable Versions                                  | Fixed Versions
FortiOS    | 7.4.0–7.4.2; 7.2.0–7.2.6; 7.0.0–7.0.13; 6.4.0–6.4.14 | 7.4.3+; 7.2.7+; 7.0.14+; 6.4.15+
FortiPAM   | 1.2.x; 1.1.x; 1.0.x                                  | See Fortinet advisory
FortiProxy | 7.4.0–7.4.2; 7.2.0–7.2.8; 7.0.0–7.0.14; 2.0.x        | See Fortinet advisory
FortiWeb   | 7.4.0–7.4.2; 7.2.0–7.2.6; 7.0.x; 6.3.x               | See Fortinet advisory

Technical Details

The format string vulnerability (CWE-134) is in the fgfmd daemon, which handles FortiGate Fabric Management (FGFM) protocol communications — an inter-device protocol used for FortiGate fabric integration and device management. The daemon processes incoming connection requests that include a "client hello" message containing a certificate or authentication data field. When this field is incorporated into a log or error message format string without being treated as a literal value (i.e., it is passed directly as the format parameter rather than as an argument), an attacker can inject printf-style format specifiers (%n, %x, %s, etc.) that:

  • Read arbitrary memory: %s and %x specifiers read from the stack or heap
  • Write arbitrary memory: %n writes the number of characters output to an attacker-specified memory address
  • Achieve code execution: By overwriting a function pointer, return address, or GOT/PLT entry via %n, the attacker redirects execution to shellcode or ROP gadgets

FGFM port exposure: The FGFM protocol listens on port 541 (TCP) by default, primarily for inter-FortiGate management traffic. The attack is reachable from the network without authentication.
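The CWE-134 pattern described above, shown as an added illustration in C that is not Fortinet's code and does not reproduce fgfmd: a custom printf-style log wrapper (a stand-in for whatever sink the daemon uses), the vulnerable call in which the untrusted field is the format parameter, the safe call in which it is an argument to a literal format, and a parse-time check that flags fields carrying conversion directives. All function names and the sample field values are constructed for the example.

```c
/* Added illustration (not Fortinet's code): the CWE-134 pattern, the safe
 * form beside it, and a parse-time check a daemon could apply to an
 * attacker-influenced "client hello" field. All names are hypothetical. */
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for a daemon's log sink: a printf-style wrapper that formats into
 * a fixed buffer. Wrappers like this are common and, when declared without a
 * format attribute, hide the bug from the compiler's format warnings. */
static char log_line[256];

static int log_printf(const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(log_line, sizeof log_line, fmt, ap);
    va_end(ap);
    return n;
}

const char *last_log_line(void)
{
    return log_line;
}

/* VULNERABLE pattern: the untrusted field *is* the format string, so every
 * '%' in it is interpreted as a conversion. "%x"/"%s" then read arguments
 * that were never passed; "%n" writes to memory. */
int log_client_hello_vulnerable(const char *field)
{
    return log_printf(field);
}

/* SAFE pattern: the format string is a literal and the field is a plain
 * argument. A '%' inside the field is just a byte to copy. */
int log_client_hello_safe(const char *field)
{
    return log_printf("fgfm client hello: %s", field);
}

/* Defensive check for protocol fields that never legitimately need format
 * semantics: returns 1 if the string contains a '%' that would start a
 * conversion ("%%" is an escaped literal percent and is allowed). A field
 * that trips this check is worth recording as an indicator even when the
 * logging path itself is already safe. */
int contains_format_directive(const char *s)
{
    for (const char *p = s; *p != '\0'; p++) {
        if (*p != '%')
            continue;
        if (p[1] == '%') {      /* "%%" -> literal '%', skip the pair */
            p++;
            continue;
        }
        return 1;               /* any other '%', including a trailing one */
    }
    return 0;
}

int main(void)
{
    /* Constructed sample: a harmless "%%" is enough to show that the
     * vulnerable path interprets the field. Do not feed real directives
     * to the vulnerable path; that is undefined behaviour. */
    const char *field = "100%% done";

    log_client_hello_vulnerable(field);
    printf("vulnerable: \"%s\"\n", last_log_line()); /* 100% done (interpreted) */

    log_client_hello_safe(field);
    printf("safe:       \"%s\"\n", last_log_line()); /* fgfm client hello: 100%% done */

    printf("directive check: %d %d\n",
           contains_format_directive(field),      /* 0: only "%%" */
           contains_format_directive("abc%x%n")); /* 1 */
    return 0;
}
```

The compile-time check a practitioner wants here: declare the wrapper with `__attribute__((format(printf, 1, 2)))` and build with `-Wformat -Wformat-security`, and gcc/clang will flag `log_printf(field)` as a non-literal format with no arguments, which is exactly the call shape that makes this bug class reachable from untrusted input.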

Discovery

Not publicly attributed to a specific researcher at time of advisory publication. Fortinet credited internal discovery in the FG-IR-24-029 advisory.

Exploitation Context

CISA added CVE-2024-23113 to the KEV catalog on October 9, 2024, confirming active exploitation 8 months after the February 2024 patch. Fortinet products are a consistent target for APT actors who exploit unpatched perimeter devices for long-term persistent access. The FGFM port (541) is sometimes exposed externally in multi-site Fortinet fabric configurations, expanding the attack surface beyond just locally accessible networks.

Remediation

  1. Apply Fortinet firmware patches per FG-IR-24-029 immediately — upgrade to FortiOS 7.4.3+, 7.2.7+, 7.0.14+, or 6.4.15+. The CISA deadline was October 30, 2024.
  2. Use local-out traffic policy or firewall policy to restrict access to the FGFM port (TCP 541) to known FortiManager IP addresses only — if not using FortiGate Fabric, disable or block access to this port entirely.
  3. Remove FGFM interface binding from internet-facing interfaces if not required for remote fabric management.
  4. Check FortiGate for indicators of compromise: unexpected admin accounts, scheduled tasks, modified routing tables, or new persistent processes in the CLI (diagnose sys process list).
  5. Monitor FortiGuard threat intelligence for updated IOCs related to exploitation of this vulnerability.
  6. Also patch CVE-2024-21762 (FortiOS SSL VPN out-of-bounds write) and other concurrent Fortinet CVEs — multiple Fortinet vulnerabilities were actively exploited simultaneously in 2024.

Key Details

Property             | Value
CVE ID               | CVE-2024-23113
Vendor / Product     | Fortinet — Multiple Products
NVD Published        | 2024-02-15
NVD Last Modified    | 2025-10-24
CVSS 3.1 Score       | 9.8
CVSS 3.1 Vector      | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Severity             | CRITICAL
CWE                  | CWE-134
CISA KEV Added       | 2024-10-09
CISA KEV Deadline    | 2024-10-30
Known Ransomware Use | No

CVSS 3.1 Breakdown

Metric              | Value
Attack Vector       | Network
Attack Complexity   | Low
Privileges Required | None
User Interaction    | None
Scope               | Unchanged
Confidentiality     | High
Integrity           | High
Availability        | High

Required Action

CISA BOD 22-01 Deadline: 2024-10-30. Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

Timeline

Date       | Event
2024-02-08 | Fortinet publishes FG-IR-24-029 with patched firmware versions
2024-02-15 | CVE published
2024-10-09 | CISA adds to KEV (active exploitation confirmed, 8 months after patch)
2024-10-30 | CISA BOD 22-01 remediation deadline

References

Resource                     | Type
Fortinet PSIRT FG-IR-24-029  | Vendor Advisory
NVD — CVE-2024-23113         | Vulnerability Database
CISA KEV Catalog Entry       | US Government