CVE-2023-37936

Critical

Published: 14 January 2025

Published

14 January 2025

Modified

31 January 2025

KEV Added

—

Patch

—

CVSS Score 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0100 77.1th percentile

Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2023-37936 is a critical-severity Use of Hard-coded Cryptographic Key (CWE-321) vulnerability in Fortinet Fortiswitch. Its CVSS base score is 9.8 (Critical).

Operationally, ranked in the top 22.9% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-12 (Cryptographic Key Establishment and Management) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match

prevent

Mandates timely remediation of identified flaws, such as patching the hard-coded cryptographic key vulnerability to prevent remote unauthorized code execution.

SC-12 Cryptographic Key Establishment and Management good match

prevent

Requires establishment and management of cryptographic keys without hard-coding, directly mitigating the root cause of this vulnerability.

RA-5 Vulnerability Monitoring and Scanning partial match

detect

Provides for vulnerability scanning to identify the hard-coded key flaw in affected FortiSwitch versions, enabling proactive patching.

NVD Description

A use of hard-coded cryptographic key in Fortinet FortiSwitch version 7.4.0 and 7.2.0 through 7.2.5 and 7.0.0 through 7.0.7 and 6.4.0 through 6.4.13 and 6.2.0 through 6.2.7 and 6.0.0 through 6.0.7 allows attacker to execute unauthorized code or commands via…

crafted requests.

Deeper analysisAI

CVE-2023-37936 is a critical vulnerability stemming from the use of a hard-coded cryptographic key in Fortinet FortiSwitch, affecting versions 7.4.0, 7.2.0 through 7.2.5, 7.0.0 through 7.0.7, 6.4.0 through 6.4.13, 6.2.0 through 6.2.7, and 6.0.0 through 6.0.7. Mapped to CWE-321 (Use of Hard-coded Cryptographic Key) and CWE-798 (Use of Hard-coded Credentials), it enables attackers to execute unauthorized code or commands through crafted requests. The vulnerability carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to its potential for complete system compromise.

A remote, unauthenticated attacker can exploit this flaw over the network with low complexity and no user interaction required. By leveraging the hard-coded key, the attacker crafts malicious requests to bypass authentication or encryption mechanisms, achieving arbitrary code execution or command injection on the affected FortiSwitch device. This grants high-impact confidentiality, integrity, and availability violations, potentially leading to full control over the switch and lateral movement within the network.

Fortinet has published a detailed advisory at https://fortiguard.com/psirt/FG-IR-23-260, which security practitioners should consult for patch availability, workaround guidance, and affected product confirmation. Upgrading to a patched version is the primary recommended mitigation.

Details

CWE(s): CWE-321 CWE-798

Affected Products

fortinet

fortiswitch

7.4.0 · 6.0.0 — 6.2.8 · 6.4.0 — 6.4.14 · 7.0.0 — 7.0.8

CVEs Like This One

CVE-2023-37937Same product: Fortinet Fortiswitch

CVE-2024-33504Same vendor: Fortinet

CVE-2024-54027Same vendor: Fortinet

CVE-2019-17659Same vendor: Fortinet

CVE-2023-25610Same product: Fortinet Fortiswitch

CVE-2024-27778Same vendor: Fortinet

CVE-2024-48885Same vendor: Fortinet

CVE-2024-52960Same vendor: Fortinet

CVE-2026-22153Same vendor: Fortinet

CVE-2024-45328Same vendor: Fortinet

References

https://fortiguard.com/psirt/FG-IR-23-260
Vendor Advisory · psirt@fortinet.com