Fortinet FortiOS Vulnerability Allows Unauthorized Code Execution via HTTP Requests
CVE-2023-42789

9.3CRITICAL

Key Information:

Vendor: Fortinet
Status: FortiOS; Fortipam; Fortiproxy
Vendor: CVE Published:; 12 March 2024

Badges

👾 Exploit Exists🟡 Public PoC

What is CVE-2023-42789?

An out-of-bounds write vulnerability exists in Fortinet's FortiOS and FortiProxy, affecting several versions across both products. This flaw allows an attacker to craft specific HTTP requests that can lead to the execution of unauthorized commands or code. As a result, potential impacts include compromising the integrity and availability of the affected systems, making timely updates and patching critical for maintaining security.

Affected Version(s)

FortiOS 7.4.0 <= 7.4.1

FortiOS 7.2.0 <= 7.2.5

FortiOS 7.0.0 <= 7.0.12

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2023-42789
Created by jhonnybonny

References

https://fortiguard.com/psirt/FG-IR-23-328

CVSS V3.1

Score:

9.3

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

🟡
Public PoC available
Mar 28, 2024
👾
Exploit known to exist
Mar 28, 2024
Vulnerability published
Mar 12, 2024
Vulnerability Reserved
Sep 14, 2023

CVE-2023-42789 Data

JSON