Externally-Controlled Format String Vulnerability in Fortinet FortiOS, FortiProxy, FortiPAM, and FortiSwitchManager
CVE-2023-40721

6.3MEDIUM

Key Information:

Vendor: Fortinet
Status: FortiOS; Fortiswitchmanager; Fortiproxy; Fortipam
Vendor: CVE Published:; 11 February 2025

Summary

A vulnerability exists in Fortinet's FortiOS, FortiProxy, FortiPAM, and FortiSwitchManager allowing privileged attackers to execute arbitrary code or commands. This occurs due to the improper handling of externally-controlled format strings, leaving the affected products susceptible to specially crafted requests that can manipulate program execution.

Affected Version(s)

FortiOS 7.4.0

FortiOS 7.2.0 <= 7.2.5

FortiOS 7.0.0 <= 7.0.13

References

https://fortiguard.com/psirt/FG-IR-23-261

CVSS V3.1

Score:

6.3

Severity:

MEDIUM

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Local

Attack Complexity:

Low

Privileges Required:

High

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Feb 11, 2025
Vulnerability Reserved
Aug 21, 2023