Cyber Resilience

CVE-2024-23113

Critical · CISA KEV · Active Exploitation · EUVD Exploited

Published: 15 February 2024
Modified: 24 October 2025
KEV Added: 09 October 2024
Patch: vendor fix available (Fortinet advisory FG-IR-24-029)
CVSS Score v3.1: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.5438 (98.1 percentile)
Risk Priority: 72 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2024-23113 is a critical-severity Use of Externally-Controlled Format String (CWE-134) vulnerability in Fortinet FortiOS, FortiProxy, FortiPAM and FortiSwitchManager. Its CVSS v3.1 base score is 9.8 (Critical).

Operationally, its EPSS score places it in the top 1.9% of CVEs by exploit likelihood, and CISA has added it to the Known Exploited Vulnerabilities (KEV) catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2024-23113 is a remotely exploitable format-string vulnerability (CWE-134) present in multiple Fortinet products. Affected versions include FortiOS 7.4.0–7.4.2, 7.2.0–7.2.6 and 7.0.0–7.0.13; FortiProxy 7.4.0–7.4.2, 7.2.0–7.2.8 and 7.0.0–7.0.14; FortiPAM 1.2.0, 1.1.0–1.1.2 and 1.0.0–1.0.3; and FortiSwitchManager 7.2.0–7.2.3 and 7.0.0–7.0.3. The flaw permits an attacker to supply a specially crafted packet that triggers unauthorized code or command execution.

An unauthenticated network attacker can send the malicious packet directly to an exposed interface, achieving full control over the affected device with no user interaction or credentials required. The CVSS 3.1 score of 9.8 reflects the combination of network attack vector, low complexity, and complete confidentiality, integrity and availability impact.
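The CWE-134 pattern behind this CVE, shown as an added example that is not part of this page and is not Fortinet code: a constructed C routine passes an untrusted packet field straight to snprintf as the format argument, beside the hardened form that uses a literal format string, and a pre-check that rejects input carrying conversion directives (the SI-10 style input validation named in the summary). All function names and sample inputs are the example's own.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample inputs standing in for a field an attacker controls
   inside a packet. None of these are real traffic from the advisory. */
static const char SAMPLE_ATTACK[]  = "fw-%08x-%08x-%08x";  /* three directives  */
static const char SAMPLE_BENIGN[]  = "fw-edge-01";          /* no directives     */
static const char SAMPLE_ESCAPED[] = "load 100%% ok";       /* "%%" = literal %  */

/* Count '%' conversion directives in untrusted text. "%%" is an escaped
   percent sign and is not counted. Anything with a directive is rejected
   before it can reach a formatting routine. */
int count_format_directives(const char *s)
{
    int n = 0;
    for (const char *p = s; *p != '\0'; p++) {
        if (*p != '%')
            continue;
        if (p[1] == '%') {      /* skip the escaped pair */
            p++;
            continue;
        }
        n++;
    }
    return n;
}

/* VULNERABLE pattern (CWE-134): the untrusted string IS the format string,
   so every directive it carries is interpreted. With "%08x" directives the
   call reads arguments that were never passed (undefined behaviour, in
   practice a stack/register leak); "%s" or "%n" variants can crash the
   process or write memory. Even the harmless "%%" input demonstrates the
   interpretation: it collapses to a single "%". The pragmas silence the
   compiler warning that would normally flag this line. */
int format_label_vuln(char *out, size_t outlen, const char *untrusted)
{
#pragma GCC diagnostic push
#pragma GCC diagnostic ignored "-Wformat-security"
#pragma GCC diagnostic ignored "-Wformat-nonliteral"
    return snprintf(out, outlen, untrusted);
#pragma GCC diagnostic pop
}

/* HARDENED: the format string is a literal; the untrusted string is data. */
int format_label_safe(char *out, size_t outlen, const char *untrusted)
{
    return snprintf(out, outlen, "%s", untrusted);
}

/* Defence in depth: validate first, then format with the literal format.
   Returns -1 when the input is rejected, otherwise the formatted length. */
int format_label_checked(char *out, size_t outlen, const char *untrusted)
{
    if (count_format_directives(untrusted) > 0)
        return -1;
    return format_label_safe(out, outlen, untrusted);
}

int main(void)
{
    char buf[128];
    printf("directives in attack input: %d\n", count_format_directives(SAMPLE_ATTACK));
    format_label_vuln(buf, sizeof buf, SAMPLE_ESCAPED);
    printf("vuln   : %s\n", buf);   /* "%%" was interpreted */
    format_label_safe(buf, sizeof buf, SAMPLE_ESCAPED);
    printf("safe   : %s\n", buf);   /* input kept verbatim  */
    printf("checked: %d\n", format_label_checked(buf, sizeof buf, SAMPLE_ATTACK));
    return 0;
}
```

The "%%" sample is used to show the interpretation deterministically; the "%08x" sample is only counted and rejected, never pushed through the vulnerable routine, because doing so reads arguments that do not exist and is undefined behaviour.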

Fortinet’s advisory FG-IR-24-029 and the corresponding CISA entry recommend applying the vendor-supplied patches or upgrading to fixed releases; organizations should also restrict management access and monitor for anomalous traffic until remediation is complete.

The vulnerability appears in CISA’s Known Exploited Vulnerabilities catalog, confirming observed in-the-wild exploitation. Its EPSS score has reached a peak of 0.58 with a current value of 0.54, indicating sustained attacker interest after disclosure.

Vulnerability details

A use of externally-controlled format string in Fortinet FortiOS versions 7.4.0 through 7.4.2, 7.2.0 through 7.2.6, 7.0.0 through 7.0.13, FortiProxy versions 7.4.0 through 7.4.2, 7.2.0 through 7.2.8, 7.0.0 through 7.0.14, FortiPAM versions 1.2.0, 1.1.0 through 1.1.2, 1.0.0 through 1.0.3, FortiSwitchManager versions 7.2.0 through 7.2.3, 7.0.0 through 7.0.3 allows an attacker to execute unauthorized code or commands via specially crafted packets.

CWE(s): CWE-134 (Use of Externally-Controlled Format String)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Fortinet FortiOS: 7.0.0 through 7.0.13 · 7.2.0 through 7.2.6 · 7.4.0 through 7.4.2
Fortinet FortiProxy: 7.0.0 through 7.0.14 · 7.2.0 through 7.2.8 · 7.4.0 through 7.4.2
Fortinet FortiPAM: 1.0.0 through 1.0.3 · 1.1.0 through 1.1.2 · 1.2.0
Fortinet FortiSwitchManager: 7.0.0 through 7.0.3 · 7.2.0 through 7.2.3
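A triage check against the affected ranges listed on this page, as an added example that is not part of this page or of any Fortinet tooling: it compares a reported build numerically (so 7.0.10 is correctly above 7.0.3) and can pull the version out of a status banner line. The banner format, the family-to-product mapping and the inventory are assumptions constructed for the example; a build outside every listed range is reported only as "not in a listed range", not as unaffected.

```python
"""Version triage for CVE-2024-23113 against the affected ranges listed on this page."""
import re
from typing import Dict, List, Optional, Tuple

# Affected version ranges exactly as listed on this page; both ends inclusive.
AFFECTED_RANGES: Dict[str, List[Tuple[str, str]]] = {
    "fortios":            [("7.0.0", "7.0.13"), ("7.2.0", "7.2.6"), ("7.4.0", "7.4.2")],
    "fortiproxy":         [("7.0.0", "7.0.14"), ("7.2.0", "7.2.8"), ("7.4.0", "7.4.2")],
    "fortipam":           [("1.0.0", "1.0.3"),  ("1.1.0", "1.1.2"), ("1.2.0", "1.2.0")],
    "fortiswitchmanager": [("7.0.0", "7.0.3"),  ("7.2.0", "7.2.3")],
}

# Assumed mapping from the family name in a status banner to the product keys above.
FAMILY_TO_PRODUCT = {
    "FortiGate": "fortios",
    "FortiProxy": "fortiproxy",
    "FortiPAM": "fortipam",
    "FortiSwitchManager": "fortiswitchmanager",
}

# Assumed banner shape, e.g. "Version: FortiGate-100F v7.4.1,build2463,230830 (GA.F)".
STATUS_RE = re.compile(r"Version:\s*(?P<family>[A-Za-z]+)-\S+\s+v(?P<ver>\d+\.\d+\.\d+)")


def parse_version(text: str) -> Tuple[int, int, int]:
    """Extract x.y.z from '7.4.1', 'v7.4.1' or '7.4.1,build2463' as an int tuple.

    Integer tuples compare numerically, so (7, 0, 10) > (7, 0, 3); a plain
    string comparison would rank "7.0.10" below "7.0.3" and misclassify it.
    """
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if m is None:
        raise ValueError(f"no x.y.z version found in {text!r}")
    major, minor, patch = (int(g) for g in m.groups())
    return (major, minor, patch)


def is_affected(product: str, version: str) -> bool:
    """True if the build falls inside one of the page's listed ranges for product."""
    key = product.lower().replace(" ", "")
    if key not in AFFECTED_RANGES:
        raise KeyError(f"{product!r} is not a product listed for CVE-2024-23113")
    v = parse_version(version)
    return any(parse_version(lo) <= v <= parse_version(hi) for lo, hi in AFFECTED_RANGES[key])


def triage_status_line(line: str) -> Optional[Tuple[str, str, bool]]:
    """Parse a status banner line; return (product, version, affected) or None."""
    m = STATUS_RE.search(line)
    if m is None or m.group("family") not in FAMILY_TO_PRODUCT:
        return None
    product = FAMILY_TO_PRODUCT[m.group("family")]
    version = m.group("ver")
    return product, version, is_affected(product, version)


# Constructed inventory for a dry run; not data from the page.
SAMPLE_INVENTORY = [
    ("fortios", "7.4.1"),              # inside 7.4.0 through 7.4.2
    ("fortios", "7.4.3"),              # one above the listed ceiling
    ("fortiproxy", "7.2.8"),           # last build of a listed range
    ("fortipam", "1.2.0"),             # single-version range
    ("fortiswitchmanager", "7.0.10"),  # numerically above 7.0.3, lexically below
]


def triage_inventory(inventory=SAMPLE_INVENTORY) -> Dict[Tuple[str, str], bool]:
    """Return {(product, version): affected} for every inventory entry."""
    return {(p, v): is_affected(p, v) for p, v in inventory}


if __name__ == "__main__":
    for (p, v), hit in triage_inventory().items():
        print(f"{p:<20} {v:<8} {'AFFECTED' if hit else 'not in a listed range'}")
    print(triage_status_line("Version: FortiGate-100F v7.4.1,build2463,230830 (GA.F)"))
```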

Mitigating Controls (NIST 800-53 r5)

SI-10 Information Input Validation (prevent): Directly requires validation and sanitization of network packet inputs to block externally-controlled format strings before they reach vulnerable FortiOS/FortiProxy parsing routines.

SI-2 Flaw Remediation (prevent): Mandates timely application of vendor patches that eliminate the CWE-134 format-string flaw in the listed Fortinet product versions.

SC-7 Boundary Protection (prevent): Boundary-protection devices can filter or drop specially crafted packets targeting the affected Fortinet management or proxy services before they reach the vulnerable stack.

References