Skip to main content
Mallory
Back to vulnerabilities
CriticalPublic exploit

FortiSIEM phMonitor Second-Order Command Injection

IdentifiersCVE-2024-23108CWE-78· Improper Neutralization of Special…

CVE-2024-23108 is a critical OS command injection vulnerability in Fortinet FortiSIEM, specifically affecting the FortiSIEM supervisor/phMonitor attack surface. The issue is described as a patch bypass or variant of CVE-2023-34992 and has been characterized as a second-order command injection in the phMonitor service. According to the provided content, exploitation is achieved by sending crafted API requests to exposed FortiSIEM functionality, ultimately causing attacker-controlled input to reach OS command execution paths. Technical reporting in the supplied material states the vulnerable flow involves phMonitor handling a storage-related request that invokes datastore.py and then an NFS test module, where user-influenced input is incorporated into an os.system() call. Successful exploitation allows remote unauthenticated command execution as root on affected FortiSIEM appliances.

Share:
For your environment

Are you exposed to this one?

Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.

Start free trial
ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

A remote unauthenticated attacker can execute unauthorized OS commands on the affected FortiSIEM system as root. This can result in full appliance compromise, including arbitrary code execution, persistence, credential and configuration access, log tampering, deployment of additional payloads, and use of the compromised FortiSIEM instance as an initial access point for broader intrusion activity.

Mitigation

If you can’t patch tonight, do this now.

If immediate patching is not possible, restrict network exposure to the vulnerable FortiSIEM management/phMonitor/API surface so untrusted networks cannot reach it. Limit access to the relevant service ports to trusted administrative hosts only, segment the appliance, and monitor FortiSIEM logs for suspicious storage/API/phMonitor activity and failed command strings associated with datastore.py or related handlers. Because the content contains conflicting port references, the exact exposed service port should be validated against the deployed version and vendor guidance.

Remediation

Patch, then assume compromise.

Apply Fortinet fixes for CVE-2024-23108 by upgrading FortiSIEM to a fixed release. The provided content states Fortinet indicated fixes in or above FortiSIEM 7.1.2, and upcoming/fixed releases including 7.2.0+, 7.0.3+, 6.7.9+, 6.6.5+, 6.5.3+, and 6.4.4+, depending on branch. Follow Fortinet advisory FG-IR-23-130 and use the vendor-supported upgrade path for the deployed version.
PUBLIC EXPLOITS

Exploits

2 valid exploits after Mallory filtered fakes, detection scripts, and README-only repos.

VALID 2 / 2 TOTALView more in app
CVE-2024-23108MaturityPoCVerified exploit

This repository contains a proof-of-concept (POC) exploit for CVE-2024-23108, a command injection vulnerability in Fortinet FortiSIEM appliances. The main file, CVE-2024-23108.py, is a Python script that connects to the Phoenix Monitor service (default port 7900) over SSL and sends a crafted XML payload. The payload injects an arbitrary shell command into the 'mount_point' field, exploiting the vulnerability to execute the command as root on the target system. The script supports targeting a single IP or a list of IPs and provides colored output for success and error messages. The README.md provides usage instructions, background, and references. The exploit is operational as a POC, requiring the attacker to specify the command to execute and the target(s). No hardcoded payloads are present; the exploit is interactive and flexible. The main attack vector is network-based, targeting the Phoenix Monitor service on FortiSIEM appliances.

hitemDisclosed May 28, 2024pythonmarkdownnetwork
CVE-2024-23108MaturityPoCVerified exploit

This repository contains a proof-of-concept exploit for CVE-2024-23108, a 2nd order unauthenticated command injection vulnerability in Fortinet FortiSIEM appliances. The main file, CVE-2024-23108.py, is a Python script that crafts a malicious XML payload containing an attacker-supplied command and sends it over an SSL/TLS connection to the Phoenix Monitor service (default port 7900) on the target system. The exploit allows for blind command execution as root. The script takes command-line arguments for the target IP, port, and the command to execute. The README provides usage instructions and background information. No hardcoded external endpoints are present, but the exploit targets a network service on the victim appliance. The repository is structured simply, with one exploit script and a README.

horizon3aiDisclosed May 20, 2024pythonnetwork
EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

VendorProductType
FortinetFortisiemapplication

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.

ACTIVITY FEED

Recent activity

19 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

19 SOURCESView more in app
rescana blogNews
Jan 19, 2026
Critical Fortinet FortiSIEM Vulnerability CVE-2024-23108 Actively Exploited: Risks, Attack Analysis, and Mitigation Steps

An unauthenticated command injection vulnerability in Fortinet FortiSIEM's phMonitor service (TCP/8014) that enables remote attackers to execute arbitrary commands as root, leading to full system compromise.

Read more
dark readingNews
Jan 16, 2026
More Problems for Fortinet: Critical FortiSIEM Flaw Exploited

A previously identified maximum-severity FortiSIEM vulnerability associated with the phMonitor attack surface (mentioned as historical context).

Read more
bleeping computerNews
Jan 14, 2026
Exploit code public for critical FortiSIEM command injection flaw

A previously disclosed FortiSIEM vulnerability referenced as part of a history of phMonitor service issues; specific impact details are not provided in the content.

Read more
cyber security newsNews
Jan 14, 2026
Critical FortiSIEM Vulnerability Enable Full RCE and Root Compromise

A previously disclosed second-order injection vulnerability in FortiSIEM.

Read more
+9 more in the timeline
What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets are affected, which adversaries are exploiting it right now, which detections to deploy, and what to do tonight.
Start free trial
Exposure mapping

Query your assets running an affected version, and investigate the blast radius.

Threat actor evidence1

Every observed campaign linking this CVE to a named adversary.

Associated malware4

Malware families riding this exploit, with evidence and IOCs.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Vendor-by-vendor mapping

Cross-references every affected SKU, including bundled OEM variants.

Social activity5

Community discussion across Reddit, Mastodon, and other social sources.

EXTERNAL REFERENCES
MITRE CVE
cve.org · CVE-2024-23108
NVD
nvd.nist.gov/vuln/detail/CVE-2024-23108
MITRE CWE · CWE-78
Improper Neutralization of Special Elements…
Vendor Advisory
fortiguard.com/psirt/FG-IR-23-130
github.com
github.com/horizon3ai/CVE-2024-23108