On Tuesday, both Citrix and Fortinet announced fixes for numerous high-severity vulnerabilities in their key products, including Citrix’s NetScaler and Fortinet’s FortiOS software. The updates released address over a dozen security issues, which range from critical flaws to medium- and low-severity concerns affecting these systems.
Citrix resolved a newly discovered high-severity vulnerability (CVE-2024-8534) in both NetScaler ADC and Gateway, describing it as a memory safety flaw that could potentially cause memory corruption or denial of service (DoS). This particular bug impacts appliances configured as gateways with the RDP feature enabled or using an RDP proxy server profile set to gateway mode. Citrix’s security patches are now available for versions 14.1-29.72, 13.1-55.34, and others, though the company warns that some discontinued versions, including both 12.1 and 13.0, are also impacted.
Fortinet similarly issued several patches for various high-severity vulnerabilities, including flaws identified in FortiOS, FortiAnalyzer, and FortiManager. The FortiOS vulnerability (CVE-2023-50176) could allow malicious attackers to hijack user sessions via phishing SAML authentication links, with necessary patches now available for versions 7.4.4, 7.2.8, and 7.0.14. Another significant issue (CVE-2024-23666) in FortiManager and FortiAnalyzer enables authenticated users to execute sensitive operations via crafted and manipulated requests. Updates addressing these vulnerabilities are now available for FortiAnalyzer and FortiManager versions 7.4.3, 7.2.6, and others.
In response to these security patches, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has strongly urged system administrators to promptly apply these essential updates to prevent potential exploitation by threat actors. Full details on these vulnerabilities and patches are available in Citrix’s and Fortinet’s official security advisories.