CVE-2023-33308

Critical

Published: 26 July 2023

Modified: 21 November 2024
CVSS v3.1 score: 9.8 (vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS score: 0.0760 (92.0th percentile)
Risk priority: 24 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2023-33308 is a critical-severity stack-based buffer overflow (CWE-121) vulnerability in Fortinet FortiProxy and FortiOS. Its CVSS base score is 9.8 (Critical).

Operationally, it ranks in the top 8.0% of CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog.

Deeper analysis

A stack-based buffer overflow vulnerability exists in Fortinet FortiOS versions 7.0.0 through 7.0.10 and 7.2.0 through 7.2.3, as well as FortiProxy versions 7.0.0 through 7.0.9 and 7.2.0 through 7.2.2. The flaw, tracked under CWE-121 and CWE-787, is triggered when specially crafted packets reach proxy policies or firewall policies configured for proxy mode with deep or full packet inspection enabled.

An unauthenticated remote attacker can send malicious packets over the network to exploit the issue, achieving arbitrary code or command execution with no user interaction required. The vulnerability carries a CVSS v3.1 score of 9.8, reflecting its critical severity due to network accessibility and full impact on confidentiality, integrity, and availability.

The vendor advisory FG-IR-23-183, published on the FortiGuard PSIRT site, provides official details and should be consulted for mitigation steps such as applying available patches or configuration changes. The associated EPSS score has remained stable at 0.0760 with no observed increase following disclosure.

Vulnerability details

A stack-based overflow vulnerability [CWE-124] in Fortinet FortiOS version 7.0.0 through 7.0.10 and 7.2.0 through 7.2.3 and FortiProxy version 7.0.0 through 7.0.9 and 7.2.0 through 7.2.2 allows a remote unauthenticated attacker to execute arbitrary code or command via crafted packets reaching proxy policies or firewall policies with proxy mode alongside deep or full packet inspection.

Related Threats

No named actor attribution yet. ATT&CK technique mapping for this CVE is in progress.

Affected Assets

Fortinet FortiProxy: 7.0.0 through 7.0.9; 7.2.0, 7.2.1, 7.2.2
Fortinet FortiOS: 7.0.0 through 7.0.10; 7.2.0 through 7.2.3

Mitigating Controls

Likely Mitigating Controls (AI-derived)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

Addresses CWE-787: out-of-bounds writes that corrupt control flow or inject shellcode are rendered non-executable by memory protections.
