Cyber Posture

CVE-2023-48790

High

Published: 11 March 2025

Modified: 22 July 2025
KEV Added
Patch
CVSS Score: 7.5 (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H)
EPSS Score: 0.0081 (74.4th percentile)
Risk Priority: 15 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2023-48790 is a high-severity CSRF (CWE-352) vulnerability in Fortinet FortiNDR. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Drive-by Compromise (T1189). The CVE ranks in the top 25.6% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-23 (Session Authenticity) and SI-10 (Information Input Validation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Drive-by Compromise (T1189) and 2 other techniques.
What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

prevent

SC-23 requires mechanisms to ensure session authenticity, directly countering CSRF attacks that forge requests using valid user sessions in FortiNDR.

prevent

SI-10 mandates validation of information inputs, enabling detection and rejection of crafted HTTP GET requests lacking proper CSRF tokens.

prevent

SI-2 ensures timely flaw remediation by applying patches for CVE-2023-48790, eliminating the CSRF vulnerability in affected FortiNDR versions.

MITRE ATT&CK Enterprise Techniques

T1189 Drive-by Compromise (Initial Access)
Adversaries may gain access to a system through a user visiting a website over the normal course of browsing.

T1204.001 Malicious Link (Execution)
An adversary may rely upon a user clicking a malicious link in order to gain execution.

T1566.002 Spearphishing Link (Initial Access)
Adversaries may send spearphishing emails with a malicious link in an attempt to gain access to victim systems.

Why these techniques?

The CSRF vulnerability enables unauthorized actions when an authenticated user is tricked into clicking a crafted malicious link or accessing a malicious site, directly facilitating exploitation via drive-by compromise, malicious link user execution, and spearphishing links.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v19.0

NVD Description

A cross site request forgery vulnerability [CWE-352] in Fortinet FortiNDR version 7.4.0, 7.2.0 through 7.2.1 and 7.1.0 through 7.1.1 and before 7.0.5 may allow a remote unauthenticated attacker to execute unauthorized actions via crafted HTTP GET requests.

Deeper analysis

CVE-2023-48790 is a cross-site request forgery (CSRF) vulnerability, classified under CWE-352, affecting Fortinet FortiNDR in versions 7.4.0, 7.2.0 through 7.2.1, 7.1.0 through 7.1.1, and all versions before 7.0.5. The flaw enables a remote unauthenticated attacker to execute unauthorized actions by tricking users into interacting with crafted HTTP GET requests. It carries a CVSS v3.1 base score of 7.5 (AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H), indicating high potential impact on confidentiality, integrity, and availability despite requiring user interaction and high attack complexity.

A remote unauthenticated attacker can exploit this vulnerability by crafting malicious HTTP GET requests that mimic legitimate ones, relying on a victim to access a malicious site or click a link while authenticated to the FortiNDR interface. Successful exploitation requires the user to perform the action unknowingly, potentially allowing the attacker to execute arbitrary unauthorized operations on the targeted system, such as modifying configurations or accessing sensitive data.

For mitigation details, refer to the Fortinet PSIRT advisory at https://fortiguard.fortinet.com/psirt/FG-IR-23-353, which provides guidance on patches and workarounds for affected FortiNDR versions.

Details

CWE(s)

Affected Products

fortinet
fortindr
7.4.0 · 1.5.0 — 7.0.6 · 7.1.0 — 7.1.2 · 7.2.0 — 7.2.2

CVEs Like This One

CVE-2023-33302 · Same product: Fortinet FortiNDR
CVE-2026-25812 · Shared CWE-352
CVE-2026-40926 · Shared CWE-352
CVE-2025-55040 · Shared CWE-352
CVE-2024-51144 · Shared CWE-352
CVE-2025-59894 · Shared CWE-352
CVE-2026-4922 · Shared CWE-352
CVE-2025-24742 · Shared CWE-352
CVE-2024-48885 · Same vendor: Fortinet
CVE-2024-26006 · Same vendor: Fortinet
