Insufficient Data Verification in Fortinet FortiOS and FortiProxy SSL-VPN
CVE-2023-45586

4.7MEDIUM

Key Information:

Vendor: Fortinet
Status: Fortiproxy; FortiOS
Vendor: CVE Published:; 14 May 2024

Summary

An insufficient verification of data authenticity vulnerability in Fortinet's FortiOS and FortiProxy SSL-VPN tunnel modes permits an authenticated user to spoof the IP address of another user. This occurs through the utilization of crafted network packets, allowing for potentially undetected unauthorized access to systems within the same network scope. Versions affected include FortiOS from 7.4.0 to 7.4.1, 7.2.0 to 7.2.7, and prior to 7.0.12, alongside FortiProxy in similar versions. Organizations should assess and apply available security measures.

Affected Version(s)

FortiOS 7.4.0 <= 7.4.1

FortiOS 7.2.0 <= 7.2.7

FortiOS 7.0.0 <= 7.0.12

References

https://fortiguard.com/psirt/FG-IR-23-225

CVSS V3.1

Score:

4.7

Severity:

MEDIUM

Confidentiality:

None

Integrity:

Low

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Changed

Timeline

Vulnerability published
May 14, 2024
Vulnerability Reserved
Oct 9, 2023