CVE-2023-42789
Summary
| CVE | CVE-2023-42789 |
|---|---|
| State | PUBLISHED |
| Assigner | fortinet |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2024-03-12 15:15:46 UTC |
| Updated | 2026-07-08 13:16:23 UTC |
| Description | A out-of-bounds write vulnerability in Fortinet FortiOS 7.4.0 through 7.4.1, FortiOS 7.2.0 through 7.2.5, FortiOS 7.0.0 through 7.0.12, FortiOS 6.4.0 through 6.4.14, FortiOS 6.2.0 through 6.2.15, FortiProxy 7.4.0, FortiProxy 7.2.0 through 7.2.6, FortiProxy 7.0.0 through 7.0.12, FortiProxy 2.0.0 through 2.0.13, FortiSASE 23.2.b allows attacker to execute unauthorized code or commands via specially crafted HTTP requests. |
Risk And Classification
Primary CVSS: v3.1 9.8 CRITICAL from [email protected]
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.032790000 probability, percentile 0.869650000 (date 2026-07-09)
Problem Types: CWE-787 | CWE-787 Execute unauthorized code or commands
| Version | Source | Type | Score | Severity | Vector |
|---|---|---|---|---|---|
| 3.1 | [email protected] | Primary | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| 3.1 | [email protected] | Secondary | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| 3.1 | CNA | CVSS | 9.3 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C |
CVSS v3.1 Breakdown
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD Known Affected Configurations (CPE 2.3)
| Type | Vendor | Product | Version | Update | Edition | Language |
|---|---|---|---|---|---|---|
| Operating System | Fortinet | Fortios | 7.4.0 | All | All | All |
| Operating System | Fortinet | Fortios | 7.4.1 | All | All | All |
| Operating System | Fortinet | Fortios | All | All | All | All |
| Operating System | Fortinet | Fortios | All | All | All | All |
| Operating System | Fortinet | Fortios | All | All | All | All |
| Operating System | Fortinet | Fortios | All | All | All | All |
| Application | Fortinet | Fortiproxy | 7.4.0 | All | All | All |
| Application | Fortinet | Fortiproxy | All | All | All | All |
| Application | Fortinet | Fortiproxy | All | All | All | All |
| Application | Fortinet | Fortiproxy | All | All | All | All |
Vendor Declared Affected Products
| Source | Vendor | Product | Version | Platforms |
|---|---|---|---|---|
| CNA | Fortinet | FortiProxy | affected 7.4.0 | Not specified |
| CNA | Fortinet | FortiProxy | affected 7.2.0 7.2.6 semver | Not specified |
| CNA | Fortinet | FortiProxy | affected 7.0.0 7.0.12 semver | Not specified |
| CNA | Fortinet | FortiProxy | affected 2.0.0 2.0.13 semver | Not specified |
| CNA | Fortinet | FortiSASE | affected 23.2.b | Not specified |
| CNA | Fortinet | FortiOS | affected 7.4.0 7.4.1 semver | Not specified |
| CNA | Fortinet | FortiOS | affected 7.2.0 7.2.5 semver | Not specified |
| CNA | Fortinet | FortiOS | affected 7.0.0 7.0.12 semver | Not specified |
| CNA | Fortinet | FortiOS | affected 6.4.0 6.4.14 semver | Not specified |
| CNA | Fortinet | FortiOS | affected 6.2.0 6.2.15 semver | Not specified |
| ADP | Fortinet | Fortios | affected 7.4.0 7.4.1 semver | Not specified |
| ADP | Fortinet | Fortios | affected 7.2.0 7.2.5 semver | Not specified |
| ADP | Fortinet | Fortios | affected 7.0.0 7.0.12 semver | Not specified |
| ADP | Fortinet | Fortios | affected 6.4.0 6.4.14 semver | Not specified |
| ADP | Fortinet | Fortios | affected 6.2.0 6.2.15 semver | Not specified |
| ADP | Fortinet | Fortipam | affected 1.1.0 1.1.2 semver | Not specified |
| ADP | Fortinet | Fortipam | affected 1.0.0 1.0.3 semver | Not specified |
| ADP | Fortinet | Fortiproxy | affected 7.2.0 7.2.6 semver | Not specified |
| ADP | Fortinet | Fortiproxy | affected 7.0.0 7.0.12 semver | Not specified |
| ADP | Fortinet | Fortiproxy | affected 2.0.0 2.0.13 semver | Not specified |
| ADP | Fortinet | Fortiproxy | affected 7.4.0 | Not specified |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| fortiguard.com/psirt/FG-IR-23-328 | af854a3a-2127-422b-91ae-364da2661108 | fortiguard.com | Vendor Advisory |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
Additional Advisory Data
Solutions
CNA: Upgrade to FortiProxy version 7.4.1 or above Upgrade to FortiProxy version 7.2.7 or above Upgrade to FortiProxy version 7.0.13 or above Upgrade to FortiProxy version 2.0.14 or above Upgrade to FortiSwitchManager version 7.2.3 or above Upgrade to FortiSwitchManager version 7.0.3 or above Fortinet remediated this issue in FortiSASE version 23.3.b and hence customers do not need to perform any action. Upgrade to FortiOS version 7.4.2 or above Upgrade to FortiOS version 7.2.6 or above Upgrade to FortiOS version 7.0.13 or above Upgrade to FortiOS version 6.4.15 or above Upgrade to FortiOS version 6.2.16 or above Upgrade to FortiPAM version 1.2.0 or above
Legacy QID Mappings
- 44176 Fortinet FortiOS - Out-of-bounds Write in captive portal Execute unauthorized code or commands (FG-IR-23-328)