PT-2024-1569 · Fortinet · Fortiswitchmanager+3

Published: 2024-02-08 · Updated: 2026-03-06 · CVE-2024-23113

CVSS v2.0: 10 (Critical) · AV:N/AC:L/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions

Fortinet FortiOS versions 7.0.0 through 7.0.13
Fortinet FortiOS versions 7.2.0 through 7.2.6
Fortinet FortiOS versions 7.4.0 through 7.4.2
FortiProxy versions 7.0.0 through 7.0.14
FortiProxy versions 7.2.0 through 7.2.8
FortiProxy versions 7.4.0 through 7.4.2
FortiPAM versions 1.0.0 through 1.0.3
FortiPAM versions 1.1.0 through 1.1.2
FortiPAM version 1.2.0
FortiSwitchManager versions 7.0.0 through 7.0.3
FortiSwitchManager versions 7.2.0 through 7.2.3
Description

A use of externally-controlled format string vulnerability in Fortinet FortiOS may allow a remote unauthenticated attacker to execute arbitrary code or commands via specially crafted requests. This issue affects multiple Fortinet products, including FortiOS, FortiProxy, FortiPAM, and FortiSwitchManager. The vulnerability is being actively exploited in the wild, with over 87,000 devices potentially at risk. It is recommended to upgrade to patched versions immediately to mitigate the risk of remote code execution attacks.
Recommendations

Upgrade Fortinet FortiOS versions 7.0.0 through 7.0.13 to version 7.0.14 or above
Upgrade Fortinet FortiOS versions 7.2.0 through 7.2.6 to version 7.2.7 or above
Upgrade Fortinet FortiOS versions 7.4.0 through 7.4.2 to version 7.4.3 or above
Upgrade FortiProxy versions 7.0.0 through 7.0.14 to a patched version
Upgrade FortiProxy versions 7.2.0 through 7.2.8 to a patched version
Upgrade FortiProxy versions 7.4.0 through 7.4.2 to a patched version
Upgrade FortiPAM versions 1.0.0 through 1.0.3 to a patched version
Upgrade FortiPAM versions 1.1.0 through 1.1.2 to a patched version
Upgrade FortiPAM version 1.2.0 to a patched version
Upgrade FortiSwitchManager versions 7.0.0 through 7.0.3 to a patched version
Upgrade FortiSwitchManager versions 7.2.0 through 7.2.3 to a patched version

As a temporary workaround, consider restricting access to the vulnerable module or function until a patch is available.


Weakness Enumeration

Use of Externally-Controlled Format String (CWE-134)

Related Identifiers

BDU:2024-01122
CVE-2024-23113
FORTIOSFGFM_CVE2024_23113

Affected Products

FortiOS
FortiPAM
FortiProxy
FortiSwitchManager