Cyber Posture

CVE-2023-37937

High

Published: 14 January 2025

Modified: 31 January 2025
KEV Added
Patch
CVSS Score: 7.8 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0031 (53.8th percentile)
Risk Priority: 16 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Description

An improper neutralization of special elements used in an OS command ('OS command injection') in Fortinet FortiSwitch version 7.4.0 and 7.2.0 through 7.2.5 and 7.0.0 through 7.0.7 and 6.4.0 through 6.4.13 and 6.2.0 through 6.2.7 and 6.0.0 through 6.0.7 allows an attacker to execute unauthorized code or commands via the FortiSwitch CLI.

Security Summary

CVE-2023-37937 is an OS command injection vulnerability (CWE-78) affecting Fortinet FortiSwitch versions 7.4.0, 7.2.0 through 7.2.5, 7.0.0 through 7.0.7, 6.4.0 through 6.4.13, 6.2.0 through 6.2.7, and 6.0.0 through 6.0.7. The issue arises from improper neutralization of special elements used in OS commands, enabling attackers to execute unauthorized code or commands via the FortiSwitch CLI. It carries a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) and was published on 2025-01-14.

The vulnerability is exploitable by an attacker who already has local access to the FortiSwitch and a low-privileged account (AV:L, PR:L). Such an attacker can use the CLI to inject and execute arbitrary OS commands, with high impact on confidentiality, integrity, and availability: unauthorized data access, modification of device configuration or software, or denial of service.

Mitigation details, including patches, are outlined in the Fortinet PSIRT advisory at https://fortiguard.com/psirt/FG-IR-23-258.

Details

CWE(s)
CWE-78

Affected Products

Vendor: fortinet
Product: fortiswitch
Versions: 7.4.0 · 6.0.0 to 6.2.8 · 6.4.0 to 6.4.14 · 7.0.0 to 7.0.8

References