Cyber Resilience

CVE-2023-37937

Severity: High
Published: 14 January 2025
Modified: 31 January 2025
KEV Added: not listed
Patch: see vendor advisory
CVSS Score v3.1: 7.8 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0032 (55.7th percentile)
Risk Priority: 16 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2023-37937 is a high-severity OS Command Injection (CWE-78) vulnerability in Fortinet FortiSwitch. Its CVSS base score is 7.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Unix Shell (T1059.004). The CVE ranks in the top 44.3% of CVEs by exploit likelihood (EPSS 55.7th percentile), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2023-37937 is an OS command injection vulnerability (CWE-78) affecting Fortinet FortiSwitch versions 7.4.0, 7.2.0 through 7.2.5, 7.0.0 through 7.0.7, 6.4.0 through 6.4.13, 6.2.0 through 6.2.7, and 6.0.0 through 6.0.7. The issue arises from improper neutralization of special elements used in OS commands, enabling attackers to execute unauthorized code or commands via the FortiSwitch CLI. It carries a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) and was published on 2025-01-14.

The vulnerability can be exploited by an attacker with local access to the FortiSwitch and low privileges. Such an attacker can use the CLI to inject and execute arbitrary OS commands, potentially leading to high impacts on confidentiality, integrity, and availability, such as unauthorized data access, modification, or denial of service.

Mitigation details, including patches, are outlined in the Fortinet PSIRT advisory at https://fortiguard.com/psirt/FG-IR-23-258.

Vulnerability details

An improper neutralization of special elements used in an os command ('os command injection') in Fortinet FortiSwitch version 7.4.0 and 7.2.0 through 7.2.5 and 7.0.0 through 7.0.7 and 6.4.0 through 6.4.13 and 6.2.0 through 6.2.7 and 6.0.0 through 6.0.7 allows attacker to execute unauthorized code or commands via the FortiSwitch CLI.

CWE(s)

CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

Related Threats

MITRE ATT&CK Enterprise Techniques

T1059.004 Unix Shell (tactic: Execution): Adversaries may abuse Unix shell commands and scripts for execution.
T1068 Exploitation for Privilege Escalation (tactic: Privilege Escalation): Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

OS command injection in FortiSwitch CLI directly enables arbitrary Unix shell command execution (T1059.004) by low-privileged local users, resulting in high-impact effects consistent with exploitation for privilege escalation (T1068).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2023-37936 (same product: Fortinet FortiSwitch)
CVE-2025-53949 (same vendor: Fortinet)
CVE-2024-55590 (same vendor: Fortinet)
CVE-2024-54018 (same vendor: Fortinet)
CVE-2024-50566 (same vendor: Fortinet)
CVE-2024-52961 (same vendor: Fortinet)
CVE-2025-58034 (same vendor: Fortinet)
CVE-2025-64155 (same vendor: Fortinet)
CVE-2026-39808 (same vendor: Fortinet)
CVE-2024-48890 (same vendor: Fortinet)

Affected Assets

Vendor: fortinet
Product: fortiswitch
Versions: 7.4.0 · 6.0.0 through 6.2.8 · 6.4.0 through 6.4.14 · 7.0.0 through 7.0.8

Mitigating Controls (NIST 800-53 r5)

prevent: SI-2 Flaw Remediation. Timely patching of the OS command injection vulnerability in affected FortiSwitch versions directly prevents exploitation, as outlined in the vendor advisory.

prevent: SI-10 Information Input Validation. Validating input at CLI entry points neutralizes special elements before they reach an OS command, addressing the improper neutralization flaw that enables command injection.

detect: RA-5 Vulnerability Monitoring and Scanning. Scanning identifies CVE-2023-37937 in FortiSwitch firmware inventories, enabling proactive detection and remediation.
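As an added illustration of the SI-10 control above (example code written for this page, not FortiSwitch code; the hypothetical `diagnose ping` handler, the host allow-list, and all function names are assumptions), here is the CWE-78 string-concatenation pattern beside its hardened form. The tokenizer shows why a shell treats a `;` in the argument as a command separator, and the hardened version passes the validated value as a single argv element with no shell involved.

```python
import re
import shlex
import subprocess

# Added example, not FortiSwitch code: a hypothetical CLI "diagnose ping" handler
# that takes an operator-supplied host name, shown first with the CWE-78 defect
# and then with SI-10 style input validation applied.

# Allow-list for a host name: letters, digits, '.' and '-', beginning and ending
# with an alphanumeric. Shell metacharacters (; | & $ ` whitespace) cannot match.
HOST_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9.-]{0,252}[A-Za-z0-9])?$")


def build_shell_command_unsafe(host: str) -> str:
    """Vulnerable pattern (CWE-78): untrusted text is concatenated into a
    command string destined for a shell, so shell metacharacters inside
    `host` are interpreted as syntax rather than data."""
    return "ping -c 1 " + host


def shell_words(command: str) -> list:
    """Tokenise a command the way a POSIX shell would, keeping operators
    such as ';' '|' '&' as their own tokens, so a reviewer can see whether
    the input was parsed as more than one command."""
    lexer = shlex.shlex(command, posix=True, punctuation_chars=True)
    return list(lexer)


def is_valid_host(host: str) -> bool:
    """SI-10 check: accept only inputs that match the allow-list."""
    return HOST_RE.fullmatch(host) is not None


def build_argv_safe(host: str) -> list:
    """Hardened pattern: validate against the allow-list, then pass the value
    as one argv element with no shell involved, so it can only ever be an
    argument to ping."""
    if not is_valid_host(host):
        raise ValueError(f"rejected host argument: {host!r}")
    return ["ping", "-c", "1", host]


def run_diagnostic(host: str) -> int:
    """Execute the hardened form. shell=False hands argv straight to the
    OS; returns the exit status, or -1 if ping is not installed."""
    try:
        return subprocess.run(build_argv_safe(host), shell=False,
                              timeout=10, capture_output=True).returncode
    except FileNotFoundError:
        return -1


if __name__ == "__main__":
    # Constructed input containing a shell operator, used only to show the parse.
    tainted = "example.com; echo injected"
    print("unsafe string:", build_shell_command_unsafe(tainted))
    print("shell sees   :", shell_words(build_shell_command_unsafe(tainted)))
    print("validation   :", is_valid_host(tainted))
    print("argv (safe)  :", build_argv_safe("switch01.example.com"))
```

The allow-list is deliberately narrower than every legal host name; for a diagnostic command, rejecting unusual but valid input is the safer failure mode, and the reject path is a natural place to emit an audit log line that a detection rule can key on.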

References

Fortinet PSIRT advisory FG-IR-23-258: https://fortiguard.com/psirt/FG-IR-23-258