CVE-2023-37936
Published: 14 January 2025
Description
A use of a hard-coded cryptographic key in Fortinet FortiSwitch version 7.4.0, 7.2.0 through 7.2.5, 7.0.0 through 7.0.7, 6.4.0 through 6.4.13, 6.2.0 through 6.2.7, and 6.0.0 through 6.0.7 allows an attacker to execute unauthorized code or commands via crafted requests.
Security Summary
CVE-2023-37936 is a critical vulnerability stemming from the use of a hard-coded cryptographic key in Fortinet FortiSwitch, affecting versions 7.4.0, 7.2.0 through 7.2.5, 7.0.0 through 7.0.7, 6.4.0 through 6.4.13, 6.2.0 through 6.2.7, and 6.0.0 through 6.0.7. Mapped to CWE-321 (Use of Hard-coded Cryptographic Key) and CWE-798 (Use of Hard-coded Credentials), it enables attackers to execute unauthorized code or commands through crafted requests. The vulnerability carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to its potential for complete system compromise.
A remote, unauthenticated attacker can exploit this flaw over the network with low complexity and no user interaction required. By leveraging the hard-coded key, the attacker crafts malicious requests that bypass authentication or encryption mechanisms, achieving arbitrary code execution or command injection on the affected FortiSwitch device. The result is a high-impact loss of confidentiality, integrity, and availability, potentially leading to full control over the switch and lateral movement within the network.
Fortinet has published a detailed advisory at https://fortiguard.com/psirt/FG-IR-23-260, which security practitioners should consult for patch availability, workaround guidance, and affected product confirmation. Upgrading to a patched version is the primary recommended mitigation.
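For triage, the affected-version list above can be turned into an inventory check. The following is an added example, not code from Fortinet or from this advisory; the device inventory it processes is constructed sample data, and the version ranges are copied from the description above.

```python
"""Flag FortiSwitch firmware versions that fall inside the affected ranges
listed for CVE-2023-37936. The inventory below is constructed sample data."""
from typing import Optional

# Inclusive (low, high) ranges taken from the advisory text above.
AFFECTED_RANGES = [
    ("7.4.0", "7.4.0"),
    ("7.2.0", "7.2.5"),
    ("7.0.0", "7.0.7"),
    ("6.4.0", "6.4.13"),
    ("6.2.0", "6.2.7"),
    ("6.0.0", "6.0.7"),
]

def parse_version(text: str) -> Optional[tuple]:
    """Parse 'v7.2.3' or '7.2.3' into (7, 2, 3); return None if malformed."""
    parts = text.strip().lstrip("vV").split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        return None
    return tuple(int(p) for p in parts)

def is_affected(version: str) -> Optional[bool]:
    """True if the version is in any affected range, None if unparseable.
    Components are compared numerically, so 6.4.9 sorts below 6.4.13
    (a plain string comparison would get that wrong)."""
    v = parse_version(version)
    if v is None:
        return None
    for low, high in AFFECTED_RANGES:
        if parse_version(low) <= v <= parse_version(high):
            return True
    return False

def triage(inventory: dict) -> dict:
    """Map hostname -> 'AFFECTED' | 'not affected' | 'unknown version'."""
    labels = {True: "AFFECTED", False: "not affected", None: "unknown version"}
    return {host: labels[is_affected(ver)] for host, ver in inventory.items()}

# Constructed sample inventory (hypothetical hostnames, not real devices).
SAMPLE_INVENTORY = {
    "sw-core-01": "v7.2.5",
    "sw-core-02": "7.2.6",
    "sw-edge-03": "6.4.13",
    "sw-edge-04": "6.4.9",
    "sw-lab-05": "7.4.1",
    "sw-lab-06": "build1234",
}

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host:12s} {SAMPLE_INVENTORY[host]:10s} {status}")
```

Devices flagged AFFECTED should be checked against the FortiGuard advisory for the fixed release in their branch; "unknown version" entries need a manual look before being treated as clean.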
Details
- CWE(s)