FortiOS/FortiProxy 7.x Admin Interface Buffer Underwrite (CVE-2023-25610)
CVE-2023-25610 Published on March 24, 2025
A buffer underwrite ('buffer underflow') vulnerability in the administrative interface of Fortinet FortiOS version 7.2.0 through 7.2.3, version 7.0.0 through 7.0.6, version 6.4.0 through 6.4.11 and version 6.2.12 and below, FortiProxy version 7.2.0 through 7.2.2, version 7.0.0 through 7.0.8, version 2.0.12 and below and FortiOS-6K7K version 7.0.5, version 6.4.0 through 6.4.10 and version 6.2.0 through 6.2.10 and below allows a remote unauthenticated attacker to execute arbitrary code or commands via specifically crafted requests.
Vulnerability Analysis
CVE-2023-25610 is exploitable with network access, and does not require authorization privileges or user interaction. This vulnerability is considered to have a low attack complexity. The potential impact of an exploit of this vulnerability is considered to be critical as this vulnerability has a high impact to the confidentiality, integrity and availability of this component.
Weakness Type
What is a buffer underrun Vulnerability?
The software writes to a buffer using an index or pointer that references a memory location prior to the beginning of the buffer. This typically occurs when a pointer or its index is decremented to a position before the buffer, when pointer arithmetic results in a position before the beginning of the valid memory location, or when a negative index is used.
CVE-2023-25610 has been classified to as a buffer underrun vulnerability or weakness.
Products Associated with CVE-2023-25610
You can be notified by email with stack.watch whenever vulnerabilities like CVE-2023-25610 are published in these products:
Affected Versions
Fortinet FortiSwitchManager:- Version 7.2.0, <= 7.2.1 is affected.
- Version 7.0.0, <= 7.0.1 is affected.
- Version 7.2.0 is affected.
- Version 7.0.0, <= 7.0.4 is affected.
- Version 6.4.0, <= 6.4.11 is affected.
- Version 6.2.0, <= 6.2.10 is affected.
- Version 6.0.0, <= 6.0.11 is affected.
- Version 7.0.5 is affected.
- Version 6.4.10 is affected.
- Version 6.4.8 is affected.
- Version 6.4.6 is affected.
- Version 6.4.2 is affected.
- Version 6.2.9, <= 6.2.12 is affected.
- Version 6.2.6, <= 6.2.7 is affected.
- Version 6.2.4 is affected.
- Version 6.0.12, <= 6.0.18 is affected.
- Version 6.0.10 is affected.
- Version 7.2.0, <= 7.2.2 is affected.
- Version 7.0.0, <= 7.0.8 is affected.
- Version 2.0.0, <= 2.0.14 is affected.
- Version 1.2.0, <= 1.2.13 is affected.
- Version 1.1.0, <= 1.1.6 is affected.
- Version 7.2.0, <= 7.2.3 is affected.
- Version 7.0.0, <= 7.0.9 is affected.
- Version 6.4.0, <= 6.4.11 is affected.
- Version 6.2.0, <= 6.2.12 is affected.
- Version 6.0.0, <= 6.0.18 is affected.
- Version 5.6.0, <= 5.6.14 is affected.
- Version 5.4.0, <= 5.4.13 is affected.
- Version 5.2.0, <= 5.2.15 is affected.
- Version 5.0.0, <= 5.0.14 is affected.
- Version 7.2.0 is affected.
- Version 7.0.0, <= 7.0.4 is affected.
- Version 6.4.0, <= 6.4.11 is affected.
- Version 6.2.0, <= 6.2.10 is affected.
- Version 6.0.0, <= 6.0.11 is affected.
- Version 7.2.0, <= 7.2.1 is affected.
- Version 7.0.0, <= 7.0.6 is affected.
- Version 6.4.0, <= 6.4.2 is affected.
- Version 6.3.0, <= 6.3.22 is affected.
- Version 6.2.0, <= 6.2.7 is affected.
- Version 6.1.0, <= 6.1.3 is affected.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.