Fri Dec 20 2024

Fortinet warns about the re-emergence of concerning security vulnerabilities.

A critical vulnerability that was patched more than a year ago, but never publicly disclosed, has now been brought back into the spotlight.

Fortinet has issued a security bulletin warning of a critical vulnerability in its Fortinet Wireless Manager (FortiWLM) product. The flaw, which allows a remote attacker to take control of affected devices, was first discovered in May 2023 and carries a CVSS severity score of 9.8 out of 10. The company recommends that users update their systems immediately, particularly if they are running versions older than the patched releases published in September 2023.

FortiWLM is a centralized platform for managing, monitoring, and optimizing Fortinet's access points and wireless controllers, and is commonly deployed by large enterprises and government entities. The vulnerability, tracked as CVE-2023-34990, stems from improper input validation, which lets an attacker read sensitive log files on the appliance. According to security researcher Zach Hanley, those logs contain administrator session IDs, so an attacker who harvests one can hijack an admin session and gain full access to the vulnerable device.
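To show the bug class the article describes, the following is an added illustration written for this page; it is not FortiWLM's code and does not reproduce the real endpoint. A hypothetical "read log file" handler accepts a filename without validating it, so any readable file, including logs containing session identifiers, can be pulled; the hardened variant beside it restricts the name to an allowlist, confirms the resolved path stays inside the log directory, and redacts session IDs before returning anything. The log contents, log names and the `sid=` session-ID format are all constructed for the example.

```python
"""Added example: unvalidated log read vs. a hardened log read.

Not FortiWLM code. Log names, contents and the session-ID format
(`sid=<alnum>`) are assumptions made for this illustration.
"""
import os
import re
import tempfile

# Constructed sample logs. The admin session-ID format is an assumption.
SAMPLE_LOGS = {
    "system.log": (
        "2024-12-18 10:00:01 INFO service started\n"
        "2024-12-18 10:02:11 INFO admin login ok sid=AB12CD34EF56\n"
    ),
    "debug.log": "2024-12-18 10:02:14 DEBUG GET /admin sid=AB12CD34EF56\n",
}

# Only these log names may ever be served to an unauthenticated caller.
ALLOWED_LOGS = {"system.log"}

# Matches a session identifier as it appears in the constructed logs.
SESSION_ID_RE = re.compile(r"\bsid=([A-Za-z0-9]+)")


def setup_log_dir() -> str:
    """Write the constructed logs to a fresh temp dir and return its path."""
    log_dir = tempfile.mkdtemp(prefix="wlm-logs-")
    for name, body in SAMPLE_LOGS.items():
        with open(os.path.join(log_dir, name), "w") as f:
            f.write(body)
    return log_dir


def read_log_vulnerable(log_dir: str, name: str) -> str:
    """Input validation failure: `name` is joined to the log directory as-is.

    os.path.join discards log_dir when `name` is absolute, and `..` is not
    rejected, so any file the service can read is retrievable.
    """
    with open(os.path.join(log_dir, name)) as f:
        return f.read()


def harvest_session_ids(text: str) -> list[str]:
    """What an attacker extracts from the leaked log: unique session IDs."""
    return sorted(set(SESSION_ID_RE.findall(text)))


def read_log_hardened(log_dir: str, name: str) -> str:
    """Allowlist the name, pin the path inside log_dir, redact session IDs."""
    if name not in ALLOWED_LOGS:
        raise PermissionError(f"log {name!r} is not exposed")
    base = os.path.realpath(log_dir)
    path = os.path.realpath(os.path.join(base, name))
    # Defense in depth: even an allowlisted name must resolve under base.
    if os.path.commonpath([base, path]) != base:
        raise PermissionError("path escapes the log directory")
    with open(path) as f:
        return SESSION_ID_RE.sub("sid=<redacted>", f.read())


if __name__ == "__main__":
    d = setup_log_dir()
    leaked = read_log_vulnerable(d, "debug.log")
    print("attacker harvests:", harvest_session_ids(leaked))
    print("hardened system.log:\n" + read_log_hardened(d, "system.log"))
    try:
        read_log_hardened(d, "debug.log")
    except PermissionError as e:
        print("hardened debug.log ->", e)
```

The redaction step matters independently of the path check: even a log that is legitimately exposed should never carry a credential-equivalent such as a live session ID, so the fix is both to constrain which files can be read and to keep session material out of anything a caller can retrieve.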

Although Hanley reported the flaw to Fortinet after discovering it, the company did not publicly acknowledge the issue, prompting Hanley to disclose his findings and publish a proof of concept in March 2024. Fortinet has now formally acknowledged the vulnerability and announced its fix in a security bulletin, conceding that the bug remained unaddressed, in effect a zero-day, for roughly four months between its discovery in May 2023 and the September 2023 patch.