CVE-2024-23113

CVSS 9.8 CRITICAL | EPSS 61.7% | KEV | CWE-134
In short

A format string vulnerability in multiple Fortinet products allows a remote attacker to send specially crafted packets that execute unauthorized code or commands on the affected device. It is rated critical because it requires no authentication or user interaction and gives the attacker full control of the device.

Technical detail

Use of an externally-controlled format string (CWE-134) in FortiOS, FortiProxy, FortiPAM, and FortiSwitchManager allows remote code execution via malformed packets. The vulnerability requires no authentication and is reachable over the network through exposed services, resulting in arbitrary command execution with system privileges.

Summary generated and translated by AI from the official description.
A use of externally-controlled format string in Fortinet FortiOS versions 7.4.0 through 7.4.2, 7.2.0 through 7.2.6, 7.0.0 through 7.0.13, FortiProxy versions 7.4.0 through 7.4.2, 7.2.0 through 7.2.8, 7.0.0 through 7.0.14, FortiPAM versions 1.2.0, 1.1.0 through 1.1.2, 1.0.0 through 1.0.3, FortiSwitchManager versions 7.2.0 through 7.2.3, 7.0.0 through 7.0.3 allows an attacker to execute unauthorized code or commands via specially crafted packets.

CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H/RL:U/RC:C
Public resources for assessing the exposure of systems you control or are authorized to test. Test only with authorization.
