CVE-2023-25610

Summary

A buffer underwrite ('buffer underflow') vulnerability in the administrative interface of Fortinet FortiOS version 7.2.0 through 7.2.3, version 7.0.0 through 7.0.6, version 6.4.0 through 6.4.11 and version 6.2.12 and below, FortiProxy version 7.2.0 through 7.2.2, version 7.0.0 through 7.0.8, version 2.0.12 and below and FortiOS-6K7K version 7.0.5, version 6.4.0 through 6.4.10 and version 6.2.0 through 6.2.10 and below allows a remote unauthenticated attacker to execute arbitrary code or commands via specifically crafted requests.

Affected Software

VendorProductVersion RangeStatus
FortinetFortiSwitchManager7.2.0 <= 7.2.1affected
FortinetFortiSwitchManager7.0.0 <= 7.0.1affected
FortinetFortiAnalyzer7.2.0affected
FortinetFortiAnalyzer7.0.0 <= 7.0.4affected
FortinetFortiAnalyzer6.4.0 <= 6.4.11affected
FortinetFortiAnalyzer6.2.0 <= 6.2.10affected
FortinetFortiAnalyzer6.0.0 <= 6.0.11affected
FortinetFortiOS-6K7K7.0.5affected
FortinetFortiOS-6K7K6.4.10affected
FortinetFortiOS-6K7K6.4.8affected
FortinetFortiOS-6K7K6.4.6affected
FortinetFortiOS-6K7K6.4.2affected
FortinetFortiOS-6K7K6.2.9 <= 6.2.12affected
FortinetFortiOS-6K7K6.2.6 <= 6.2.7affected
FortinetFortiOS-6K7K6.2.4affected
FortinetFortiOS-6K7K6.0.12 <= 6.0.18affected
FortinetFortiOS-6K7K6.0.10affected
FortinetFortiProxy7.2.0 <= 7.2.2affected
FortinetFortiProxy7.0.0 <= 7.0.8affected
FortinetFortiProxy2.0.0 <= 2.0.14affected
FortinetFortiProxy1.2.0 <= 1.2.13affected
FortinetFortiProxy1.1.0 <= 1.1.6affected
FortinetFortiOS7.2.0 <= 7.2.3affected
FortinetFortiOS7.0.0 <= 7.0.9affected
FortinetFortiOS6.4.0 <= 6.4.11affected
FortinetFortiOS6.2.0 <= 6.2.12affected
FortinetFortiOS6.0.0 <= 6.0.18affected
FortinetFortiOS5.6.0 <= 5.6.14affected
FortinetFortiOS5.4.0 <= 5.4.13affected
FortinetFortiOS5.2.0 <= 5.2.15affected
FortinetFortiOS5.0.0 <= 5.0.14affected
FortinetFortiManager7.2.0affected
FortinetFortiManager7.0.0 <= 7.0.4affected
FortinetFortiManager6.4.0 <= 6.4.11affected
FortinetFortiManager6.2.0 <= 6.2.10affected
FortinetFortiManager6.0.0 <= 6.0.11affected
FortinetFortiWeb7.2.0 <= 7.2.1affected
FortinetFortiWeb7.0.0 <= 7.0.6affected
FortinetFortiWeb6.4.0 <= 6.4.2affected
FortinetFortiWeb6.3.0 <= 6.3.22affected
FortinetFortiWeb6.2.0 <= 6.2.7affected
FortinetFortiWeb6.1.0 <= 6.1.3affected

Weaknesses

  • CWE-124: Execute unauthorized code or commands

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: yes
    • Technical Impact: total

References