CVE-2023-34990 Scanner

FortiWLM is a wireless LAN management system developed by Fortinet, widely used in enterprise environments to manage, monitor, and secure large-scale wireless networks. It is deployed by network administrators to control access points, analyze wireless performance, and enforce security policies. FortiWLM offers centralized control and reporting features that support scalability and security compliance. It is typically utilized in corporate campuses, educational institutions, and healthcare facilities. The system integrates with other Fortinet products and is accessible via a web-based interface. Its comprehensive management capabilities make it a critical component of enterprise network infrastructure.

The scanner targets a critical directory traversal vulnerability in FortiWLM that allows remote attackers to access arbitrary files on the server. This type of vulnerability occurs when user-supplied input is not properly sanitized, allowing path navigation sequences like `../` to access restricted directories. In this case, the vulnerability can also lead to unauthorized code or command execution. It can be exploited by unauthenticated attackers via crafted HTTP requests. The flaw lies in the `ezrf_lighttpd.cgi` script exposed under the EMS component. The vulnerability has a critical CVSS score of 9.8 due to its ease of exploitation and impact.

The vulnerable endpoint is `ems/cgi-bin/ezrf_lighttpd.cgi` and is accessible without authentication. The vulnerable parameter is `imagename`, which accepts file paths. By including a series of directory traversal sequences (`../../..`), an attacker can retrieve sensitive internal files such as web server logs. The presence of a session ID in the response confirms successful exploitation. This allows an attacker to read confidential logs or configuration files and, depending on the environment, may escalate to remote code execution. The detection logic verifies both the HTTP status code and specific regex content in the response.

When exploited, this vulnerability may allow attackers to gain access to sensitive server files, such as logs, credentials, or configuration data. In environments where logs contain session data or internal commands, this could lead to privilege escalation or full system compromise. Attackers could manipulate or exfiltrate logs, execute unauthorized commands, or maintain persistence within the system. In enterprise settings, this poses a severe threat to data integrity, confidentiality, and availability. Exploitation may also provide a foothold for lateral movement across internal systems.

REFERENCES

• https://fortiguard.com/psirt/FG-IR-23-144