CVE-2023-37937
Published: 14 January 2025
Summary
CVE-2023-37937 is a high-severity OS Command Injection (CWE-78) vulnerability in Fortinet Fortiswitch. Its CVSS base score is 7.8 (High).
Operationally, it ranks in the top 46.2% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
The strongest mitigations identified by our analysis are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-10 (Information Input Validation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- Flaw remediation: timely patching of the OS command injection vulnerability in affected FortiSwitch versions directly prevents exploitation, as outlined in the vendor advisory.
- Information input validation at CLI entry points neutralizes special elements before they reach OS commands, directly addressing the improper neutralization flaw that enables command injection.
- Vulnerability monitoring and scanning identifies CVE-2023-37937 in FortiSwitch firmware, enabling proactive detection and remediation.
NVD Description
An improper neutralization of special elements used in an OS command ('OS command injection') in Fortinet FortiSwitch version 7.4.0 and 7.2.0 through 7.2.5 and 7.0.0 through 7.0.7 and 6.4.0 through 6.4.13 and 6.2.0 through 6.2.7 and 6.0.0 through 6.0.7 allows an attacker to execute unauthorized code or commands via the FortiSwitch CLI.
Deeper analysis
CVE-2023-37937 is an OS command injection vulnerability (CWE-78) affecting Fortinet FortiSwitch versions 7.4.0, 7.2.0 through 7.2.5, 7.0.0 through 7.0.7, 6.4.0 through 6.4.13, 6.2.0 through 6.2.7, and 6.0.0 through 6.0.7. The issue arises from improper neutralization of special elements used in OS commands, enabling attackers to execute unauthorized code or commands via the FortiSwitch CLI. It carries a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) and was published on 2025-01-14.
The vulnerability is exploitable by an attacker who already has local access to the FortiSwitch and low privileges. Such an attacker can use the CLI to inject and execute arbitrary OS commands, with high impact on confidentiality, integrity, and availability: unauthorized data access, modification of the device, or denial of service.
Mitigation details, including patches, are outlined in the Fortinet PSIRT advisory at https://fortiguard.com/psirt/FG-IR-23-258.
Details
- CWE(s)