Cyber Resilience

CVE-2023-37931

Severity: High
Published: 14 January 2025
Modified: 22 July 2025
KEV Added: not listed in CISA KEV
Patch: vendor patches available (see FortiGuard advisory FG-IR-23-220)
CVSS Score v3.1: 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0059 (69.7th percentile)
Risk Priority: 18 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2023-37931 is a high-severity SQL Injection (CWE-89) vulnerability in Fortinet FortiVoice. Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 30.3% of CVEs by exploit likelihood (EPSS) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2023-37931 is a SQL injection vulnerability (CWE-89) in FortiVoice Enterprise versions 7.0.0 through 7.0.1 and before 6.4.8. The flaw stems from improper neutralization of special elements used in an SQL command, allowing an authenticated attacker to execute a blind SQL injection attack by sending crafted HTTP or HTTPS requests. It has a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to its potential for significant impact.

An attacker requires low-privilege authenticated access (PR:L) to exploit the vulnerability over the network (AV:N) with low attack complexity and no user interaction. Exploitation enables a blind SQL injection, potentially allowing the attacker to extract sensitive data, modify database contents, or disrupt system availability, achieving high levels of confidentiality, integrity, and availability impact.

The FortiGuard PSIRT advisory FG-IR-23-220 provides details on mitigation and patches; security practitioners should consult https://fortiguard.com/psirt/FG-IR-23-220 for upgrade guidance and remediation steps.


Vulnerability details

An improper neutralization of special elements used in an SQL command ('SQL injection') vulnerability [CWE-88] in FortiVoice Enterprise version 7.0.0 through 7.0.1 and before 6.4.8 allows an authenticated attacker to perform a blind SQL injection attack via sending crafted HTTP or HTTPS requests.


Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

SQL injection in a network-accessible web application (FortiVoice Enterprise) directly enables exploitation of a public-facing service for data access/modification or availability impact.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-59922 (same vendor: Fortinet)
CVE-2026-21643 (same vendor: Fortinet)
CVE-2024-54026 (same vendor: Fortinet)
CVE-2025-61848 (same vendor: Fortinet)
CVE-2025-49784 (same vendor: Fortinet)
CVE-2026-39815 (same vendor: Fortinet)
CVE-2022-29059 (same vendor: Fortinet)
CVE-2025-25257 (same vendor: Fortinet)
CVE-2023-47539 (same vendor: Fortinet)
CVE-2026-26083 (same vendor: Fortinet)

Affected Assets

Vendor: fortinet
Product: fortivoice
Versions: 6.0.0 — 6.4.9 · 7.0.0 — 7.0.2

Mitigating Controls (NIST 800-53 r5)

prevent · SI-2 (Flaw Remediation)

Directly remediates the SQL injection flaw in FortiVoice Enterprise by applying vendor patches as specified in the FortiGuard advisory.

prevent · SI-10 (Information Input Validation)

Prevents blind SQL injection by validating and sanitizing special elements in crafted HTTP/HTTPS request inputs before SQL command construction.
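The SI-10 control above describes the general CWE-89 fix: keep request input out of the SQL statement's structure. The following is an added, generic illustration written for this page; it is not FortiVoice code and makes no claim about how the product builds its queries. The `extensions` table, the extension format, and all function names are constructed for the example. It shows the concatenated query that CWE-89 describes, the parameterized version that treats the same input as plain data, and an allowlist check applied before the query is built.

```python
import re
import sqlite3

# Constructed in-memory table standing in for any application's directory.
# Generic CWE-89 illustration; nothing here is FortiVoice code.
def build_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE extensions (ext TEXT, owner TEXT, pin TEXT)")
    conn.executemany(
        "INSERT INTO extensions VALUES (?, ?, ?)",
        [("1001", "alice", "4321"), ("1002", "bob", "8765")],
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn, ext):
    # CWE-89: the request value is spliced into the statement text, so quote
    # characters and keywords in `ext` become part of the query structure.
    sql = "SELECT owner FROM extensions WHERE ext = '" + ext + "'"
    return sorted(row[0] for row in conn.execute(sql))


def lookup_parameterized(conn, ext):
    # The driver binds `ext` as a value; the statement structure is fixed.
    sql = "SELECT owner FROM extensions WHERE ext = ?"
    return sorted(row[0] for row in conn.execute(sql, (ext,)))


# Hypothetical allowlist: an extension is 3 to 6 digits, nothing else.
EXT_RE = re.compile(r"[0-9]{3,6}")


def lookup_validated(conn, ext):
    # SI-10 style: reject input that is not a plausible extension before any
    # statement is built, and still bind it as a parameter afterwards.
    if not EXT_RE.fullmatch(ext):
        raise ValueError("invalid extension: %r" % ext)
    return lookup_parameterized(conn, ext)


if __name__ == "__main__":
    db = build_db()
    print(lookup_vulnerable(db, "1001"))          # ['alice']
    print(lookup_vulnerable(db, "' OR '1'='1"))   # ['alice', 'bob']: structure changed
    print(lookup_parameterized(db, "' OR '1'='1"))  # []: treated as a literal string
```

Validation alone is not the fix; the parameter binding is. The allowlist is the defence in depth that SI-10 asks for, and it also gives the detection side a clean signal: any rejected value is worth logging.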

detect

Detects exploitation of the SQL injection vulnerability through monitoring of web traffic, database queries, and anomalous system behavior.
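The detect control above names web-traffic monitoring as the signal. The following is an added example, not from this page or from Fortinet, of what that monitoring can look like over access logs. The log lines, client names, and the `/api/ext` endpoint are constructed; the format is a generic combined-log layout, not the product's own. It combines two signals: SQL metacharacter and keyword patterns in decoded request parameters, and the probing behaviour that blind SQL injection requires, where one client sends the same endpoint many distinct values for one parameter.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qsl

# Constructed sample log lines (combined-log style). The two probing lines
# from 10.0.0.9 mimic the request pattern of a boolean blind injection.
SAMPLE_LOG = """\
10.0.0.5 - alice [14/Jan/2025:10:00:01 +0000] "GET /api/ext?ext=1001 HTTP/1.1" 200 312
10.0.0.9 - mallory [14/Jan/2025:10:00:02 +0000] "GET /api/ext?ext=1001%27%20AND%201%3D1-- HTTP/1.1" 200 312
10.0.0.9 - mallory [14/Jan/2025:10:00:03 +0000] "GET /api/ext?ext=1001%27%20AND%201%3D2-- HTTP/1.1" 200 57
10.0.0.9 - mallory [14/Jan/2025:10:00:04 +0000] "GET /api/ext?ext=1001%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 612
10.0.0.7 - bob [14/Jan/2025:10:00:05 +0000] "GET /api/ext?ext=1002 HTTP/1.1" 200 310
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+)'
)

# Signature layer: quote followed by a boolean operator, UNION SELECT,
# trailing comment, stacked statement, or a sleep() call.
SQLI_RE = re.compile(
    r"(?i)(['\"]\s*(or|and)\b|\bunion\b\s+select\b|--\s*$|/\*"
    r"|;\s*(drop|select|insert|update|delete)\b|\bsleep\s*\()"
)

# Behavioural layer: this many distinct values for one parameter from one
# client is treated as probing. Threshold is a constructed example value.
PROBE_THRESHOLD = 3


def flag_requests(log_text):
    """Return a list of findings, each a dict with ip, user, path, param, reason."""
    findings = []
    seen_values = defaultdict(set)  # (ip, user, path, param) -> distinct values
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a line this parser understands; skip, do not crash
        path, _, query = m["target"].partition("?")
        # parse_qsl percent-decodes values, so the pattern sees what the
        # application's SQL layer would see.
        for param, value in parse_qsl(query, keep_blank_values=True):
            seen_values[(m["ip"], m["user"], path, param)].add(value)
            if SQLI_RE.search(value):
                findings.append({"ip": m["ip"], "user": m["user"], "path": path,
                                 "param": param, "value": value,
                                 "reason": "sqli-pattern"})
    for (ip, user, path, param), values in seen_values.items():
        if len(values) >= PROBE_THRESHOLD:
            findings.append({"ip": ip, "user": user, "path": path, "param": param,
                             "value": None, "reason": "parameter-probing"})
    return findings


def flagged_clients(findings):
    """Distinct (ip, user) pairs with at least one finding."""
    return sorted({(f["ip"], f["user"]) for f in findings})


if __name__ == "__main__":
    for f in flag_requests(SAMPLE_LOG):
        print(f["reason"], f["ip"], f["user"], f["path"], f["param"], f["value"])
```

The behavioural layer matters because the advisory describes a blind injection: an attacker cannot read data back in one response and must issue many requests that differ only in one parameter, which is visible in the log even when the payload is obfuscated enough to slip past the signature regex. Since the flaw requires an authenticated user (PR:L), the `user` field ties each finding to an account whose sessions can be reviewed.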
