9.8
CRITICAL
CVE-2023-34990
Fortinet FortiWLM Path Traversal Vulnerability
Description

A relative path traversal in Fortinet FortiWLM version 8.6.0 through 8.6.5 and 8.5.0 through 8.5.4 allows attacker to execute unauthorized code or commands via specially crafted web requests.

INFO

Published Date :

Dec. 18, 2024, 1:15 p.m.

Last Modified :

Dec. 18, 2024, 3:15 p.m.

Source :

[email protected]

Remotely Exploitable :

Yes !

Impact Score :

5.9

Exploitability Score :

3.9
Affected Products

The following products are affected by CVE-2023-34990 vulnerability. Even if cvefeed.io is aware of the exact versions of the products that are affected, the information is not represented in the table below.

ID Vendor Product Action
1 Fortinet fortiwlm
: Total Affected Vendor : 1 | Products : 1
References to Advisories, Solutions, and Tools

Here, you will find a curated list of external links that provide in-depth information, practical solutions, and valuable tools related to CVE-2023-34990.

URL Resource
https://fortiguard.com/psirt/FG-IR-23-144

We scan GitHub repositories to detect new proof-of-concept exploits. Following list is a collection of public exploits and proof-of-concepts, which have been published on GitHub (sorted by the most recently updated).

Results are limited to the first 15 repositories due to potential performance issues.

The following list is the news that have been mention CVE-2023-34990 vulnerability anywhere in the article.

  • Cybersecurity News
cShell DDoS Bot Exploits Poorly Managed Linux SSH Servers

AhnLab Security Intelligence Center (ASEC) has uncovered a new strain of DDoS malware called cShell, which specifically targets poorly managed Linux SSH servers. The malware exploits weak credentials ... Read more

Published Date: Dec 20, 2024 (12 hours, 26 minutes ago)
CVE-2022-27595 CVE-2023-34990 CVE-2024-51479 CVE-2024-37144 CVE-2024-37143 CVE-2024-11482 CVE-2024-11481 CVE-2024-48861 CVE-2024-48860 CVE-2023-45590
  • TheCyberThrone
CISA adds BeyondTrust CVE-2024-12356 to its KEV Catalog

CISA has added one new vulnerability to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation.CVE-2024-12356: Command Injection Vulnerability in BeyondTrust PRA and RSO ... Read more

Published Date: Dec 20, 2024 (12 hours, 42 minutes ago)
CVE-2023-34990 CVE-2024-54677 CVE-2024-50379 CVE-2024-12356 CVE-2024-53677
  • Dark Reading
Fortinet Addresses Unpatched Critical RCE Vector

Source: Konstantin Nechaev via Alamy Stock PhotoNEWS BRIEFFortinet has finally patched a critical security vulnerability in its Wireless LAN Manager (FortiWLM) that could allow unauthenticated sensiti ... Read more

Published Date: Dec 19, 2024 (15 hours, 35 minutes ago)
CVE-2023-34990 CVE-2023-48782
  • BleepingComputer
Fortinet warns of FortiWLM bug giving hackers admin privileges

Fortinet has disclosed a critical vulnerability in Fortinet Wireless Manager (FortiWLM) that allows remote attackers to take over devices by executing unauthorized code or commands through specially c ... Read more

Published Date: Dec 19, 2024 (20 hours, 39 minutes ago)
CVE-2023-34990
  • TheCyberThrone
Fortinet fixes several vulnerabilities including CVE-2023-34990

Fortinet has released patches for vulnerabilities affecting its popular products, including FortiClient VPN, FortiManager, and FortiWLM. These flaws range from password exposure to remote code executi ... Read more

Published Date: Dec 19, 2024 (22 hours, 30 minutes ago)
CVE-2024-50570 CVE-2024-48889 CVE-2023-34990 CVE-2024-54677 CVE-2024-50379 CVE-2024-49112 CVE-2024-53677 CVE-2024-47575
  • security.nl
Kritiek lek in Fortinet Wireless Manager geeft toegang tot admin session tokens

Een kritieke path traversal-kwetsbaarheid in de Fortinet Wireless Manager (FortiWLM) maakt het voor een ongeauthenticeerde aanvaller mogelijk om toegang tot gevoelige bestanden te krijgen. De impact v ... Read more

Published Date: Dec 19, 2024 (1 day, 1 hour ago)
CVE-2023-34990
  • The Hacker News
Fortinet Warns of Critical FortiWLM Flaw That Could Lead to Admin Access Exploits

Vulnerability / Network Security Fortinet has issued an advisory for a now-patched critical security flaw impacting Wireless LAN Manager (FortiWLM) that could lead to disclosure of sensitive informati ... Read more

Published Date: Dec 19, 2024 (1 day, 3 hours ago)
CVE-2024-48889 CVE-2023-34990 CVE-2023-48782

The following table lists the changes that have been made to the CVE-2023-34990 vulnerability over time.

Vulnerability history details can be useful for understanding the evolution of a vulnerability, and for identifying the most recent changes that may impact the vulnerability's severity, exploitability, or other characteristics.

  • CVE Modified by 134c704f-9b21-4f2e-91b3-4a467353bcc0

    Dec. 18, 2024

    Action Type Old Value New Value
    Added CVSS V3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    Added CWE CWE-94
  • New CVE Received by [email protected]

    Dec. 18, 2024

    Action Type Old Value New Value
    Added Description A relative path traversal in Fortinet FortiWLM version 8.6.0 through 8.6.5 and 8.5.0 through 8.5.4 allows attacker to execute unauthorized code or commands via specially crafted web requests.
    Added CVSS V3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    Added CWE CWE-23
    Added Reference https://fortiguard.com/psirt/FG-IR-23-144
EPSS is a daily estimate of the probability of exploitation activity being observed over the next 30 days. Following chart shows the EPSS score history of the vulnerability.
CWE - Common Weakness Enumeration

While CVE identifies specific instances of vulnerabilities, CWE categorizes the common flaws or weaknesses that can lead to vulnerabilities. CVE-2023-34990 is associated with the following CWEs:

Common Attack Pattern Enumeration and Classification (CAPEC)

Common Attack Pattern Enumeration and Classification (CAPEC) stores attack patterns, which are descriptions of the common attributes and approaches employed by adversaries to exploit the CVE-2023-34990 weaknesses.

CVSS31 - Vulnerability Scoring System
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability
: