CVE-2024-23108

CRITICAL EXPLOITED RANSOMWARE NUCLEI

Fortinet FortiSIEM - OS Command Injection

Title source: nuclei
STIX 2.1

Exploitation Summary

CVE-2024-23108 has been observed exploited in the wild (reported by VulnCheck KEV), including in ransomware campaigns. EIP tracks 2 public exploits from researchers including horizon3ai, hitem. A Nuclei detection template is also available.

AI-analyzed exploit summary

The repository contains a functional Python exploit for CVE-2024-23108, demonstrating unauthenticated command injection in Fortinet FortiSIEM via crafted XML payloads sent to the Phoenix Monitor service. The exploit constructs a malicious XML payload with command injection in the mount_point field and sends it over SSL to trigger blind command execution as root.

Description

An improper neutralization of special elements used in an OS command ('OS command injection') vulnerability in Fortinet allows an attacker to execute unauthorized code or commands via crafted API requests.

Exploits (2)

nomisec WORKING POC 34 stars
by horizon3ai · remote
https://github.com/horizon3ai/CVE-2024-23108

The repository contains a functional Python exploit for CVE-2024-23108, demonstrating unauthenticated command injection in Fortinet FortiSIEM via crafted XML payloads sent to the Phoenix Monitor service. The exploit constructs a malicious XML payload with command injection in the mount_point field and sends it over SSL to trigger blind command execution as root.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Fortinet FortiSIEM
No auth needed
Prerequisites: Network access to the target's Phoenix Monitor service (default port 7900) · SSL/TLS connectivity to the target
devstral-2 · analyzed Feb 19, 2026
nomisec WORKING POC 5 stars
by hitem · remote
https://github.com/hitem/CVE-2024-23108

This repository contains a functional exploit for CVE-2024-23108, a command injection vulnerability in FortiSIEM appliances. The exploit sends a crafted XML payload to the Phoenix Monitor service on port 7900, allowing blind command execution as root.

Classification
Working Poc 100%
Attack Type
Rce
Complexity
Trivial
Reliability
Reliable
Target: FortiSIEM
No auth needed
Prerequisites: Network access to the target's Phoenix Monitor service on port 7900
devstral-2 · analyzed Feb 19, 2026

Nuclei Templates (1)

Fortinet FortiSIEM - OS Command Injection
CRITICAL by 0x_Akoko
Shodan: port:"7900" || http.favicon.hash:"-1341442175" || http.html:"var hst = location.hostname"
FOFA: body="var hst = location.hostname" || icon_hash="-1341442175"

References (2)

Core 2

Scores

CVSS v3 10.0
EPSS 0.7837
EPSS Percentile 99.5%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation poc
Automatable yes
Technical Impact total

Details

VulnCheck KEV 2025-02-25
Ransomware Use Confirmed
CWE
CWE-78
Status published
Products (9)
fortinet/fortisiem 7.1.0
fortinet/fortisiem 7.1.1
fortinet/fortisiem 6.4.0 - 6.4.2
Fortinet/FortiSIEM 6.4.0 - 6.4.3
Fortinet/FortiSIEM 6.5.0 - 6.5.2
Fortinet/FortiSIEM 6.6.0 - 6.6.3
Fortinet/FortiSIEM 6.7.0 - 6.7.8
Fortinet/FortiSIEM 7.0.0 - 7.0.2
Fortinet/FortiSIEM 7.1.0 - 7.1.1
Published Feb 05, 2024
Tracked Since Feb 18, 2026