CVE-2023-41678: 
FortiOS vulnerability analysis and mitigation

A double free vulnerability [CWE-415] was discovered in the FortiOS and FortiPAM HTTPSd daemon. The vulnerability, identified as CVE-2023-41678, was initially published on December 12, 2023. It affects FortiOS versions 7.0.0 through 7.0.5, FortiPAM version 1.0 (all versions), and FortiPAM versions 1.1.0 through 1.1.1. The vulnerability was discovered by Gwendal Guegniaud of Fortinet PSIRT (Fortinet Advisory).

The vulnerability is classified as a double free vulnerability (CWE-415) in the HTTPSd daemon. It has been assigned a CVSSv3 score of 8.3 (High severity), indicating its significant potential impact. The vulnerability allows an authenticated attacker to achieve arbitrary code execution through specifically crafted commands (NVD, Fortinet Advisory).

If successfully exploited, this vulnerability enables an authenticated attacker to execute unauthorized code or commands on the affected systems. Given the high CVSS score and the nature of the vulnerability, it poses a significant risk to system security (Fortinet Advisory).

Fortinet has released patches to address this vulnerability. Users of FortiOS 7.0.0-7.0.5 should upgrade to version 7.0.6 or above. FortiPAM 1.1.0-1.1.1 users should upgrade to version 1.1.2 or above, while FortiPAM 1.0 users should migrate to a fixed release. FortiOS 7.2, FortiOS 6.4, and FortiPAM 1.2 are not affected by this vulnerability (Fortinet Advisory).