Severity
Medium
Analysis Summary
CVE-2024-23113 CVSS:9.8
Fortinet FortiOS could allow a remote attacker to execute arbitrary code on the system, caused by the use of externally-controlled format string in the fgfmd daemon. By sending specially crafted requests, an attacker could exploit this vulnerability to execute arbitrary code or commands on the system.
CVE-2023-47537 CVSS:4.8
FortiOS is vulnerable to a man-in-the-middle attack, caused by improper certificate validation. An attacker could exploit this vulnerability to carry out a man-in-the-middle attack on the communication instance between the FortiOS device and a FortiSwitch instance.
CVE-2023-44253 CVSS:5
Fortinet FortiAnalyzer, FortiAnalyzer-BigData, and FortiManager could allow a remote attacker to obtain sensitive information, caused by an observable response discrepancy. By sending multiple requests, an attacker could exploit this vulnerability to enumerate other adoms and device names, and use this information to launch further attacks against the affected system.
Impact
- Gain Access
- Code Execution
- Information Disclosure
Indicators Of Compromise
CVE
- CVE-2024-21762
Affected Vendors
Fortinet
Affected Products
- Fortinet FortiOS 7.2.0
- Fortinet FortiOS 7.0.0
- Fortinet FortiOS 7.4.0
- Fortinet FortiOS 7.0.13
- Fortinet FortiOS 7.2.6
- Fortinet FortiOS 7.4.2
- Fortinet FortiAnalyzer-BigData 7.2.0
- Fortinet FortiAnalyzer-BigData 7.2.5
- Fortinet FortiAnalyzer-BigData 7.0
- Fortinet FortiAnalyzer-BigData 6.4
- Fortinet FortiAnalyzer-BigData 6.2
- Fortinet FortiManager 7.4.1
- Fortinet FortiManager 6.4
Remediation
Refer to FortiGuard Advisory for patch, upgrade or suggested workaround information.