First published: Tue Feb 11 2025(Updated: )
A use of externally-controlled format string vulnerability [CWE-134] in Fortinet FortiOS version 7.4.0 through 7.4.1 and before 7.2.6, FortiProxy version 7.4.0 and before 7.2.7, FortiPAM version 1.1.2 and before 1.0.3, FortiSwitchManager version 7.2.0 through 7.2.2 and before 7.0.2 allows a privileged attacker to execute arbitrary code or commands via specially crafted requests.
Credit: psirt@fortinet.com
Affected Software | Affected Version | How to fix |
---|---|---|
FortiOS | >=7.4.0<=7.4.1<7.2.6 | |
Fortinet FortiProxy | >=7.4.0<7.2.7 | |
FortiGuard FortiPAM | <1.0.3 | |
Fortinet FortiSwitchManager | >=7.2.0<=7.2.2<7.0.2 |
Please upgrade to FortiOS version 7.4.2 or above Please upgrade to FortiOS version 7.2.7 or above Please upgrade to FortiPAM version 1.2.0 or above Please upgrade to FortiSwitchManager version 7.2.3 or above Please upgrade to FortiSwitchManager version 7.0.3 or above Please upgrade to FortiProxy version 7.4.1 or above Please upgrade to FortiProxy version 7.2.8 or above
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
CVE-2023-40721 is classified as a high-severity vulnerability due to its potential for privilege escalation.
To mitigate CVE-2023-40721, upgrade Fortinet FortiOS, FortiProxy, FortiPAM, and FortiSwitchManager to the latest patched versions.
CVE-2023-40721 affects FortiOS versions 7.4.0 to 7.4.1 and prior to 7.2.6, FortiProxy versions 7.4.0 and prior to 7.2.7, FortiPAM versions before 1.0.3, and FortiSwitchManager versions 7.2.0 to 7.2.2 and prior to 7.0.2.
CVE-2023-40721 is categorized as a use of externally-controlled format string vulnerability, which can lead to privilege escalation.
Currently, the recommended solution for CVE-2023-40721 is to update to the latest secure versions of the affected Fortinet products, as there are no effective workarounds.