CVE-2023-48784: 
FortiOS vulnerability analysis and mitigation

A use of externally-controlled format string vulnerability [CWE-134] was discovered in FortiOS command line interface affecting versions 7.4.1 and below, 7.2.7 and below, 7.0 all versions, and 6.4 all versions. The vulnerability was disclosed on April 9, 2024, and was assigned CVE-2023-48784. The issue affects the CLI component of FortiOS and was discovered by Michael Messner and Benedikt Kühne from Siemens Energy (Fortiguard PSIRT).

The vulnerability is classified as a format string vulnerability (CWE-134) in the FortiOS command line interface. It has been assigned a CVSSv3 base score of 6.1, categorizing it as a medium severity issue. The vulnerability requires local access and high privileges (super-admin profile) to exploit (AttackerKB).

If successfully exploited, this vulnerability allows a local privileged attacker with super-admin profile and CLI access to execute arbitrary code or commands via specially crafted requests (CVE Mitre).

Fortinet has released patches to address this vulnerability. Users should upgrade to the following versions: FortiOS 7.4.2 or above for 7.4 branch, FortiOS 7.2.8 or above for 7.2 branch, and FortiOS 7.0.16 or above for 7.0 branch. For FortiOS 6.4, users should migrate to a fixed release. Fortinet provides an upgrade tool at their documentation site to follow the recommended upgrade path (Fortiguard PSIRT).