CVE-2023-37937
Published: 14 January 2025
Summary
CVE-2023-37937 is a high-severity OS Command Injection (CWE-78) vulnerability in Fortinet Fortiswitch. Its CVSS base score is 7.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Unix Shell (T1059.004); ranked in the top 44.3% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2023-37937 is an OS command injection vulnerability (CWE-78) affecting Fortinet FortiSwitch versions 7.4.0, 7.2.0 through 7.2.5, 7.0.0 through 7.0.7, 6.4.0 through 6.4.13, 6.2.0 through 6.2.7, and 6.0.0 through 6.0.7. The issue arises from improper neutralization of special elements used in OS commands, enabling attackers to execute unauthorized code or commands via the FortiSwitch CLI. It carries a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) and was published on 2025-01-14.
The vulnerability can be exploited by an attacker with local access to the FortiSwitch and low privileges. Such an attacker can use the CLI to inject and execute arbitrary OS commands, potentially leading to high impacts on confidentiality, integrity, and availability, such as unauthorized data access, modification, or denial of service.
Mitigation details, including patches, are outlined in the Fortinet PSIRT advisory at https://fortiguard.com/psirt/FG-IR-23-258.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-41790
Vulnerability details
An improper neutralization of special elements used in an os command ('os command injection') in Fortinet FortiSwitch version 7.4.0 and 7.2.0 through 7.2.5 and 7.0.0 through 7.0.7 and 6.4.0 through 6.4.13 and 6.2.0 through 6.2.7 and 6.0.0 through 6.0.7 allows…
more
attacker to execute unauthorized code or commands via the FortiSwitch CLI.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
OS command injection in FortiSwitch CLI directly enables arbitrary Unix shell command execution (T1059.004) by low-privileged local users, resulting in high-impact effects consistent with exploitation for privilege escalation (T1068).
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Flaw remediation requires timely patching of the OS command injection vulnerability in affected FortiSwitch versions, directly preventing exploitation as outlined in the vendor advisory.
Information input validation at CLI entry points neutralizes special elements in OS commands, comprehensively addressing the improper neutralization flaw enabling command injection.
Vulnerability monitoring and scanning identifies the specific CVE-2023-37937 in FortiSwitch firmware, enabling proactive detection and remediation.