CVE-2024-23113

Summary

A use of externally-controlled format string in Fortinet FortiOS versions 7.4.0 through 7.4.2, 7.2.0 through 7.2.6, 7.0.0 through 7.0.13, FortiProxy versions 7.4.0 through 7.4.2, 7.2.0 through 7.2.8, 7.0.0 through 7.0.14, FortiPAM versions 1.2.0, 1.1.0 through 1.1.2, 1.0.0 through 1.0.3, FortiSwitchManager versions 7.2.0 through 7.2.3, 7.0.0 through 7.0.3 allows attacker to execute unauthorized code or commands via specially crafted packets.

Affected Software

VendorProductVersion RangeStatus
FortinetFortiSwitchManager7.2.0 <= 7.2.3affected
FortinetFortiSwitchManager7.0.0 <= 7.0.3affected
FortinetFortiOS7.4.0 <= 7.4.2affected
FortinetFortiOS7.2.0 <= 7.2.6affected
FortinetFortiOS7.0.0 <= 7.0.13affected
FortinetFortiPAM1.2.0affected
FortinetFortiPAM1.1.0 <= 1.1.2affected
FortinetFortiPAM1.0.0 <= 1.0.3affected
FortinetFortiProxy7.4.0 <= 7.4.2affected
FortinetFortiProxy7.2.0 <= 7.2.8affected
FortinetFortiProxy7.0.0 <= 7.0.15affected

Weaknesses

  • CWE-134: Execute unauthorized code or commands

ADP Enrichment

CVE Program Container

Additional References

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: active
    • Automatable: yes
    • Technical Impact: total

Additional References

References