A improper neutralization of special elements used in an os command ('os command injection') vulnerability in Fortinet allows attacker to execute unauthorized code or commands via crafted API requests.

Metrics

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.78472.

Exploitation poc

Automatable yes

Technical Impact total

Affected Vendors & Products

Vendors Products
Fortinet Subscribe
Fortisiem Subscribe

Configuration 1 [-]

OR cpe:2.3:a:fortinet:fortisiem:*:*:*:*:*:*:*:*
cpe:2.3:a:fortinet:fortisiem:*:*:*:*:*:*:*:*
cpe:2.3:a:fortinet:fortisiem:6.4.0:*:*:*:*:*:*:*
cpe:2.3:a:fortinet:fortisiem:6.4.1:*:*:*:*:*:*:*
cpe:2.3:a:fortinet:fortisiem:6.4.2:*:*:*:*:*:*:*
cpe:2.3:a:fortinet:fortisiem:6.5.0:*:*:*:*:*:*:*
cpe:2.3:a:fortinet:fortisiem:6.5.1:*:*:*:*:*:*:*
cpe:2.3:a:fortinet:fortisiem:7.0.0:*:*:*:*:*:*:*

No data.

No data.

Advisories

No advisories yet.

Fixes

Solution

Please upgrade to FortiSIEM version 7.1.2 or above Please upgrade to FortiSIEM version 7.0.3 or above Please upgrade to FortiSIEM version 6.7.9 or above Please upgrade to FortiSIEM version 6.6.4 or above Please upgrade to FortiSIEM version 6.5.3 or above Please upgrade to FortiSIEM version 6.4.4 or above Please upgrade to upcoming FortiSIEM version 7.2.0 or above

Workaround

No workaround given by the vendor.

References
Link Providers
https://fortiguard.com/psirt/FG-IR-23-130 cve-icon cve-icon
History

Wed, 14 Jan 2026 14:00:00 +0000

Type Values Removed Values Added
Description A improper neutralization of special elements used in an os command ('os command injection') in Fortinet FortiSIEM version 7.0.0 and 6.7.0 through 6.7.5 and 6.6.0 through 6.6.3 and 6.5.0 through 6.5.1 and 6.4.0 through 6.4.2 allows attacker to execute unauthorized code or commands via crafted API requests. A improper neutralization of special elements used in an os command ('os command injection') vulnerability in Fortinet allows attacker to execute unauthorized code or commands via crafted API requests.
CPEs cpe:2.3:a:fortinet:fortisiem:6.6.0:*:*:*:*:*:*:*
cpe:2.3:a:fortinet:fortisiem:6.6.1:*:*:*:*:*:*:*
cpe:2.3:a:fortinet:fortisiem:6.6.2:*:*:*:*:*:*:*
cpe:2.3:a:fortinet:fortisiem:6.6.3:*:*:*:*:*:*:*
cpe:2.3:a:fortinet:fortisiem:6.7.0:*:*:*:*:*:*:*
cpe:2.3:a:fortinet:fortisiem:6.7.1:*:*:*:*:*:*:*
cpe:2.3:a:fortinet:fortisiem:6.7.2:*:*:*:*:*:*:*
cpe:2.3:a:fortinet:fortisiem:6.7.3:*:*:*:*:*:*:*
cpe:2.3:a:fortinet:fortisiem:6.7.4:*:*:*:*:*:*:*
cpe:2.3:a:fortinet:fortisiem:6.7.5:*:*:*:*:*:*:*
Metrics cvssV3_1

{'score': 9.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:F/RL:X/RC:X'}

 cvssV3_1

{'score': 9.7, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:F/RL:X/RC:X'}

Wed, 17 Dec 2025 05:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'Yes', 'Exploitation': 'None', 'Technical Impact': 'Total'}, 'version': '2.0.3'}

 ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 16 Jul 2025 13:45:00 +0000

Type Values Removed Values Added
Metrics epss

{'score': 0.78472}

 epss

{'score': 0.78868}

Fri, 11 Jul 2025 13:45:00 +0000

Type Values Removed Values Added
Metrics epss

{'score': 0.77157}

 epss

{'score': 0.78472}

Projects

Sign in to view the affected projects.

cve-icon MITRE

Status: PUBLISHED

Assigner: fortinet

Published:

Updated: 2026-01-14T13:47:28.151Z

Reserved: 2023-06-09T06:59:37.971Z

Link: CVE-2023-34992

cve-icon Vulnrichment

Updated: 2024-08-02T16:17:04.307Z

cve-icon NVD

Status : Modified

Published: 2023-10-10T17:15:11.607

Modified: 2026-01-14T14:16:07.900

Link: CVE-2023-34992

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

No data.

Weaknesses