Cyber Posture

CVE-2023-42784

Medium

Published: 11 March 2025
Modified: 22 July 2025
KEV Added
Patch
CVSS Score: 5.6 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L)
EPSS Score: 0.0012 (30.2nd percentile)
Risk Priority: 11 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Description

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

Security Summary

CVE-2023-42784 is an improper handling of syntactically invalid structures (CWE-228) vulnerability affecting Fortinet FortiWeb in versions 7.4.0 through 7.4.6, 7.2.0 through 7.2.10, and 7.0.0 through 7.0.10. The issue stems from inadequate validation of crafted HTTP/S requests, enabling attackers to execute unauthorized code or commands.

Remote attackers require no privileges or user interaction to exploit this over the network (AV:N/PR:N/UI:N), but it demands high attack complexity (AC:H) with unchanged scope (S:U). Successful exploitation yields low impacts across confidentiality, integrity, and availability (C:L/I:L/A:L), for an overall CVSS v3.1 score of 5.6.

Mitigation details, including patches, are outlined in the Fortinet PSIRT advisory FG-IR-23-115 at https://fortiguard.fortinet.com/psirt/FG-IR-23-115.

Details

CWE(s): CWE-228

Affected Products

Vendor: fortinet
Product: fortiweb
Versions: 7.0.0 — 7.4.7

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Why these techniques?

The vulnerability allows remote code/command execution on a public-facing FortiWeb web application firewall via crafted HTTP/S requests with no authentication required, directly enabling exploitation of public-facing applications.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0