Executive Summary

A critical vulnerability in Fortinet's FortiSIEM platform, tracked as CVE-2024-23108, has been actively exploited in the wild, posing a severe risk to organizations relying on this security information and event management solution. The flaw, an unauthenticated command injection in the phMonitor component, allows remote attackers to execute arbitrary commands as the root user, leading to full system compromise. Public proof-of-concept (PoC) exploit code is available, and multiple security researchers have confirmed ongoing exploitation. Immediate action is required for all organizations using affected versions of FortiSIEM to prevent potential breaches, data exfiltration, and lateral movement within enterprise networks.

Threat Actor Profile

While no specific advanced persistent threat (APT) group has been definitively linked to the exploitation of CVE-2024-23108 as of this report, the tactics, techniques, and procedures (TTPs) observed align with those used by both financially motivated cybercriminals and state-sponsored actors. Historically, Fortinet appliances have been targeted by groups such as Volt Typhoon (associated with Chinese state interests) and other actors leveraging zero-day vulnerabilities for initial access. The rapid weaponization of this flaw, combined with the availability of PoC code, lowers the barrier for exploitation, making it attractive to a broad spectrum of threat actors, including ransomware operators and cyber espionage groups. The exploitation pattern suggests opportunistic scanning and targeted attacks against high-value sectors, including government, finance, healthcare, and managed security service providers.

Technical Analysis of Malware/TTPs

The vulnerability resides in the phMonitor service of FortiSIEM, which listens on TCP port 8014. Due to improper input validation, attackers can inject arbitrary shell commands into the service by sending specially crafted requests. The exploit does not require authentication, making it highly dangerous. Upon successful exploitation, attackers gain root-level access, enabling them to deploy malware, establish persistent backdoors, exfiltrate sensitive data, and pivot to other systems within the network.

Technical analysis of observed attacks reveals the following TTPs:

Attackers initiate reconnaissance by scanning for exposed FortiSIEM instances with the vulnerable phMonitor service accessible from the internet. Once a target is identified, the attacker sends a malicious payload exploiting the command injection flaw, often leveraging simple curl or netcat commands to deliver the exploit. Post-exploitation, threat actors typically deploy lightweight reverse shells or download additional payloads, such as cryptominers, remote access trojans (RATs), or custom scripts for lateral movement. In some cases, attackers have been observed modifying system binaries or configuration files to maintain persistence and evade detection. The exploitation chain is often automated, with scripts iterating through IP ranges and attempting exploitation en masse.

Exploitation in the Wild

Active exploitation of CVE-2024-23108 was first reported within days of the vulnerability's public disclosure and the release of PoC code by security researchers at Horizon3.ai and others. Multiple honeypots and threat intelligence platforms, including GreyNoise and Shadowserver, have observed a significant uptick in scanning and exploitation attempts targeting FortiSIEM appliances globally. Attackers are leveraging the PoC to gain root access, after which they deploy additional tooling for persistence and further compromise.

Security advisories from Fortinet, as well as independent reports from BleepingComputer and The Hacker News, confirm that exploitation is not theoretical but ongoing. Organizations have reported incidents involving unauthorized access, system modifications, and, in some cases, deployment of ransomware and data theft. The speed and scale of exploitation underscore the criticality of immediate remediation.

Victimology and Targeting

Victims of CVE-2024-23108 exploitation span a wide range of sectors, with a concentration in organizations that rely heavily on FortiSIEM for centralized security monitoring and compliance. High-value targets include financial institutions, healthcare providers, government agencies, telecommunications companies, and managed security service providers (MSSPs). The global footprint of FortiSIEM deployments means that organizations in North America, Europe, Asia-Pacific, and the Middle East have all been affected.

Attackers appear to prioritize organizations with internet-exposed FortiSIEM instances, particularly those with outdated or unpatched versions. The lack of authentication required for exploitation makes any accessible instance a potential target, regardless of organizational size or sector. In several documented cases, exploitation has led to broader network compromise, data exfiltration, and operational disruption.

Mitigation and Countermeasures

Immediate mitigation steps are essential to prevent exploitation of CVE-2024-23108. Organizations should:

Upgrade FortiSIEM to the latest patched version as provided by Fortinet. The vendor has released security updates addressing this vulnerability in versions 6.7.8, 7.0.4, 7.1.2, and later. If immediate patching is not possible, restrict network access to the phMonitor service (TCP port 8014) using firewall rules or network segmentation, ensuring only trusted management hosts can communicate with the service. Monitor system and application logs for signs of exploitation, such as unexpected connections to port 8014, execution of unknown binaries, or modifications to critical system files. Implement endpoint detection and response (EDR) solutions capable of identifying post-exploitation activity, including reverse shells, privilege escalation, and lateral movement. Conduct a thorough review of all FortiSIEM instances for indicators of compromise (IOCs), including unauthorized user accounts, suspicious scheduled tasks, and anomalous outbound network traffic. Consider rotating credentials and reviewing access policies for all systems integrated with FortiSIEM. Engage in proactive threat hunting to identify potential footholds established by attackers prior to patching.

References

• Fortinet PSIRT Advisory FG-IR-24-007

• Horizon3.ai Technical Analysis and PoC

• BleepingComputer: Hackers Exploit Critical Fortinet FortiSIEM Flaw

• The Hacker News: PoC Exploit Released for Critical Fortinet FortiSIEM Vulnerability

• GreyNoise: FortiSIEM Exploitation Activity

• Shadowserver: FortiSIEM Vulnerability Scanning

• NVD: CVE-2024-23108

About Rescana

Rescana is a leader in third-party risk management (TPRM), providing organizations with a comprehensive platform to continuously monitor, assess, and mitigate cyber risks across their entire digital supply chain. Our advanced analytics and threat intelligence capabilities empower security teams to identify vulnerabilities, prioritize remediation, and ensure compliance with industry standards. For more information about how Rescana can help safeguard your organization against emerging threats, please contact us at ops@rescana.com.