The US cybersecurity agency CISA on Wednesday warned that a Fortinet FortiOS flaw patched in February is being exploited in the wild and has added it to its Known Exploited Vulnerabilities (KEV) list along with two Ivanti Cloud Services Appliance (CSA) bugs.
Tracked as CVE-2024-23113 (CVSS score of 9.8), the FortiOS defect is described as an externally-controlled format string issue that could lead to arbitrary code execution.
A remote, unauthenticated attacker could send crafted requests to a vulnerable product to exploit the bug, Fortinet noted in its February 2024 advisory.
The cybersecurity firm has yet to update its advisory to mention exploitation of CVE-2024-23113. SecurityWeek has reached out to the company for information on the attacks and will update this article if it responds.
The flaw was addressed with the release of FortiOS versions 7.4.3, 7.2.7, and 7.0.14. Although the patches have been available for several months, CISA’s fresh warning suggests that not all organizations have applied them, opening the door to malicious exploitation.
The agency urges organizations to apply the vendor’s mitigations or remove the vulnerable products if addressing the security defect is not an option.
Per Binding Operational Directive (BOD) 22-01, federal agencies have until October 30 to identify any vulnerable FortiOS instances within their environments and apply the patches or discontinue the affected products.
The same applies to their Ivanti CSA instances, which are plagued by several vulnerabilities exploited in the wild, including two that CISA added to the KEV catalog on Wednesday.
The flaws, CVE-2024-9379 and CVE-2024-9380, are a medium-severity SQL injection and a high-severity OS command injection affecting the admin web console of Ivanti CSA before version 5.0.2.
According to Ivanti’s advisory, remote, authenticated attackers could exploit these issues to run arbitrary SQL statements or achieve remote code execution, respectively.
Earlier this week, Ivanti revealed that threat actors have been chaining these vulnerabilities with CVE-2024-8963, a critical-severity path traversal defect in CSA that lets attackers satisfy the authentication requirement of the other two bugs.
All three exploited flaws affect Ivanti CSA version 4.6, which was discontinued on September 10, when Ivanti released patches for them. Ivanti advises all CSA users to migrate to version 5.0 of the product, which is supported.
“We have not observed these vulnerabilities being exploited in any version of CSA 5.0,” Ivanti said.
While BOD 22-01 only applies to federal agencies, all organizations should review CISA’s KEV catalog and prioritize mitigations against the listed security defects or remove the vulnerable products from their environments.
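The patched versions named above (FortiOS 7.4.3, 7.2.7 and 7.0.14; Ivanti CSA 5.0.2, with 4.6 end of life) are the only facts a defender needs to triage an inventory against this KEV entry. The following is an added example, not code from Fortinet, Ivanti or CISA: it compares version strings branch by branch, treats FortiOS branches the article does not name as "unknown" rather than guessing, and runs over a constructed sample inventory.

```python
"""Added triage helper for the fixes named in the article (not vendor code).
Fixed versions: FortiOS 7.4.3 / 7.2.7 / 7.0.14; Ivanti CSA 5.0.2 (4.x is EOL)."""

# Lowest patched build per FortiOS branch (major, minor), per the article.
FORTIOS_FIXED = {(7, 4): (7, 4, 3), (7, 2): (7, 2, 7), (7, 0): (7, 0, 14)}
CSA_FIXED = (5, 0, 2)

def parse_version(text):
    """Turn 'v7.2.6' or '7.0.14' into a tuple of ints that compares correctly."""
    return tuple(int(p) for p in text.strip().lstrip("v").split("."))

def fortios_status(version):
    """'patched', 'vulnerable' or 'unknown' for a FortiOS version string.
    Branches not listed in the article return 'unknown': check the advisory."""
    v = parse_version(version)
    fixed = FORTIOS_FIXED.get(v[:2])
    if fixed is None:
        return "unknown"
    return "patched" if v >= fixed else "vulnerable"

def csa_status(version):
    """Ivanti CSA: 4.x is end of life and exploited; 5.0 needs 5.0.2 or later."""
    v = parse_version(version)
    if v[0] < 5:
        return "end-of-life"
    return "patched" if v >= CSA_FIXED else "vulnerable"

def triage(inventory):
    """Return the (host, product, version, status) rows that still need action."""
    checks = {"fortios": fortios_status, "ivanti-csa": csa_status}
    findings = []
    for host, product, version in inventory:
        status = checks[product](version)
        if status != "patched":
            findings.append((host, product, version, status))
    return findings

# Constructed sample inventory (hostname, product, version); not real hosts.
SAMPLE_INVENTORY = [
    ("fw-edge-1", "fortios", "7.4.2"),
    ("fw-edge-2", "fortios", "v7.2.7"),
    ("fw-lab", "fortios", "6.4.15"),
    ("csa-dmz", "ivanti-csa", "4.6"),
    ("csa-new", "ivanti-csa", "5.0.2"),
]

if __name__ == "__main__":
    for row in triage(SAMPLE_INVENTORY):
        print("%s %s %s -> %s" % row)
```

An "unknown" or "end-of-life" result is a finding, not a pass: it means the version is outside what the article's fix list covers and must be checked against the vendor advisory or migrated.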