Rule History

alert tcp any any -> $HOME_NET 541 (msg:"ET EXPLOIT Fortinet FGFM Arbitrary Code Execution via Externally-Controlled Format String (CVE-2024-23113)"; flow:established,to_server; content:"|36 e0 11 00|"; startswith; content:"reply|20|200|0d 0a|"; fast_pattern; distance:4; content:"request|3d|auth|0d 0a|"; pcre:"/\x0d\x0a(authip|fmg_fqdn|mgmtip)\x3d[^\x0d\x0a]*?(?:\x25(?:(?:d|ul?|x|s|c|h?(?:n|p))|\d|\x2a|\x2e|\x5c?\x24)+)+/"; reference:url,labs.watchtowr.com/fortinet-fortigate-cve-2024-23113-a-super-complex-vulnerability-in-a-super-secure-appliance-in-2024/; reference:cve,2024-23113; classtype:attempted-admin; sid:2056730; rev:1; metadata:attack_target Server, tls_state TLSDecrypt, created_at 2024_10_18, cve CVE_2024_23113, deployment Perimeter, deployment Internal, deployment SSLDecrypt, confidence High, signature_severity Major, tag Exploit, tag CISA_KEV, updated_at 2024_10_18, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)