Fortinet has patched a critical path traversal vulnerability (CVE-2023-34990, CVSS 9.6) in FortiWLM that could allow remote, unauthenticated code execution by reading sensitive files. The flaw affects FortiWLM versions 8.6.0 to 8.6.5 and 8.5.0 to 8.5.4, with fixes available in versions 8.6.6 and 8.5.5. Discovered by Zach Hanley of Horizon3.ai, the issue was reported last year alongside other vulnerabilities, some of which were patched earlier. Fortinet also addressed a high-severity OS command injection flaw (CVE-2024-48889) in FortiManager that could enable remote code execution. There is no evidence of active exploitation for these vulnerabilities.

‍