Fortinet FortiOS Vulnerability Allows Unauthorized Code Execution via HTTP Requests
CVE-2023-42789

9.3CRITICAL

Key Information:

Vendor
Fortinet
Status
FortiOS
Fortipam
Fortiproxy
Vendor
CVE Published:
12 March 2024

Badges

👾 Exploit Exists🟡 Public PoC

Summary

An out-of-bounds write vulnerability exists in Fortinet's FortiOS and FortiProxy, affecting several versions across both products. This flaw allows an attacker to craft specific HTTP requests that can lead to the execution of unauthorized commands or code. As a result, potential impacts include compromising the integrity and availability of the affected systems, making timely updates and patching critical for maintaining security.

Affected Version(s)

FortiOS 7.4.0 <= 7.4.1

FortiOS 7.2.0 <= 7.2.5

FortiOS 7.0.0 <= 7.0.12

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2023-42789
Created by jhonnybonny

References

https://fortiguard.com/psirt/FG-IR-23-328

CVSS V3.1

Score:
9.3
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • 🟡

    Public PoC available

  • 👾

    Exploit known to exist

  • Vulnerability published

  • Vulnerability Reserved

.