CVE-2023-45584: 
FortiOS vulnerability analysis and mitigation

A double free vulnerability (CVE-2023-45584) was discovered in the administrative interfaces of Fortinet's FortiOS, FortiProxy, and FortiPAM products. The vulnerability was internally discovered and reported by Aaron Li from Fortinet's FortiOS development team, with initial publication on August 12, 2025. The affected systems include specific versions of FortiOS (7.4.0, 7.2.0-7.2.5, 7.0.0-7.0.12, and all 6.4 versions), FortiProxy (7.4.0-7.4.1, 7.2.0-7.2.7, 7.0.0-7.0.13), and FortiPAM (all versions of 1.0 and 1.1) (Fortinet Advisory).

The vulnerability is classified as CWE-415 (Double Free) and affects the GUI component of the affected systems. It has been assigned a CVSS v3.1 base score of 6.3 (Medium severity) by Fortinet, while the NVD assessment rates it at 7.2 (High severity) with a vector string of CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H (NVD, Fortinet Advisory).

If successfully exploited, this vulnerability could allow a privileged attacker to execute unauthorized code or commands through crafted HTTP or HTTPS requests to the administrative interfaces of the affected systems (Fortinet Advisory).

Fortinet has released patches for all affected products and versions. Users are advised to upgrade to the following versions: FortiOS 7.4.1 or above, FortiOS 7.2.6 or above, FortiOS 7.0.13 or above, FortiProxy 7.4.2 or above, FortiProxy 7.2.8 or above, and FortiProxy 7.0.14 or above. For FortiPAM 1.0 and 1.1 versions, users should migrate to a fixed release. FortiSASE users should note that the issue was remediated in Q3/23 (Fortinet Advisory).