CVE-2023-25610 Overview
CVE-2023-25610 is a buffer underwrite (CWE-124) vulnerability in the administrative HTTP/HTTPS interface of several Fortinet products. A remote, unauthenticated attacker who can reach the management interface can execute arbitrary code or commands by sending specifically crafted requests to it. Affected products are FortiOS, FortiProxy, and FortiOS-6K7K across multiple release branches. NVD assigns a CVSS 3.1 base score of 9.8 (Fortinet's own advisory, FG-IR-23-001, rates it 9.3), and at the time of writing the EPSS probability was 17.237% (95th percentile), well above that of most CVEs.
Critical Impact
An unauthenticated remote attacker can execute arbitrary code or commands on an exposed Fortinet administrative interface, giving full control of the device, its configuration, and the traffic it handles.
Affected Products
- Fortinet FortiOS versions 7.2.0–7.2.3, 7.0.0–7.0.9, 6.4.0–6.4.11, 6.2.0–6.2.12, and all 6.0 releases
- Fortinet FortiProxy versions 7.2.0–7.2.2, 7.0.0–7.0.8, 2.0.0–2.0.11, and all 1.2 and 1.1 releases
- Fortinet FortiOS-6K7K versions 7.0.5, 6.4.0–6.4.10, 6.2.0–6.2.10, and 6.0.0–6.0.14
Discovery Timeline
- 2023-03-07 - Fortinet publishes PSIRT advisory FG-IR-23-001; CVE-2023-25610 is published to the National Vulnerability Database (NVD) the same day
- 2025-07-24 - Last updated in NVD database
Technical Details for CVE-2023-25610
Vulnerability Analysis
The vulnerability resides in the administrative HTTP/HTTPS interface used to manage Fortinet appliances. A buffer underwrite occurs when code writes to a memory address that lies before the start of the intended buffer. An attacker triggers it with specifically crafted requests that cause such an out-of-bounds write while the management daemon handles the request; the corrupted memory then yields arbitrary code or command execution in the context of that process. Because the bug is reachable without authentication, every device whose administrative interface is reachable from an untrusted network is directly at risk. Fortinet notes that on a subset of older hardware models the flaw only crashes the administrative interface (denial of service) rather than yielding code execution; the model list is in the advisory.
Root Cause
The underlying defect is classified as CWE-124: Buffer Underwrite ('Buffer Underflow'). Missing or incorrect boundary checks on attacker-controlled input let the affected component compute a destination pointer that falls before the start of an allocated buffer; writes through that pointer corrupt adjacent memory used by the management daemon. The vendor advisory does not name the specific parser or request field involved.
Attack Vector
Exploitation requires only network reachability to the administrative interface: no credentials and no user interaction (NVD vector AV:N/AC:L/PR:N/UI:N). A remote attacker delivers a crafted HTTP/HTTPS request to the management port and triggers memory corruption that diverts execution flow. Internet-facing https://<device>:<mgmt-port>/ endpoints on Fortinet appliances are the primary target surface.
No public proof-of-concept is referenced in the vendor advisory. For technical specifics refer to Fortinet PSIRT advisory FG-IR-23-001.
Detection Methods for CVE-2023-25610
Indicators of Compromise
- Unexpected reboots, crashes, or core dumps of the httpsd or management process on Fortinet appliances
- New or modified administrative accounts, SSH keys, or configuration changes that cannot be attributed to authorized operators
- Outbound connections from the appliance to unknown external hosts following anomalous management-interface traffic
Detection Strategies
- Inspect HTTP/HTTPS traffic destined for FortiOS, FortiProxy, and FortiOS-6K7K management interfaces for malformed or oversized requests, and for sources that hit the management port without ever authenticating
- Correlate appliance crash events (httpsd crashes, core dumps, unexpected reboots) with inbound requests to the management port in the minutes before the crash to identify exploitation attempts and the source addresses behind them
- Review Fortinet PSIRT advisory FG-IR-23-001 for vendor-supplied detection guidance and indicators
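The indicators and the two detection strategies above (management-port traffic review and crash correlation) can be applied to exported FortiOS logs. The following Python is an added example, not Fortinet tooling or code from the advisory: it parses FortiOS-style key=value log lines, picks out daemon crash events and local-in traffic to the management ports, and, for each crash, counts which source addresses hit the management port in the preceding window. The log lines, the port set, the 120-second window, and the crash-message match string are constructed assumptions for the example.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Ports treated as the administrative interface. TCP/443 and TCP/8443 follow the
# page; add any custom admin port the device uses. An assumption, not a Fortinet default.
MGMT_PORTS = {443, 8443}

# Look-back window before a crash in which inbound admin-port hits are attributed to it.
WINDOW = timedelta(seconds=120)

# FortiOS logs are space-separated key=value pairs; values may be double-quoted.
_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_line(line):
    """Parse one FortiOS-style log line into a dict. Adds a datetime under 'ts'
    when both date= and time= fields are present."""
    rec = {k: (q or b) for k, q, b in _KV.findall(line)}
    if "date" in rec and "time" in rec:
        rec["ts"] = datetime.strptime(f"{rec['date']} {rec['time']}", "%Y-%m-%d %H:%M:%S")
    return rec


def is_crash(rec):
    """Crash/core-dump event of a daemon such as httpsd (matched on the message text)."""
    return rec.get("type") == "event" and "crash" in rec.get("msg", "").lower()


def is_mgmt_hit(rec):
    """Local-in traffic (traffic addressed to the device itself) on an admin port."""
    port = rec.get("dstport", "")
    return (rec.get("type") == "traffic" and rec.get("subtype") == "local"
            and port.isdigit() and int(port) in MGMT_PORTS)


def correlate(lines, window=WINDOW):
    """For every crash event, count admin-port hits per source IP in the preceding
    window. Returns one finding per crash; 'suspect' is the busiest source or None."""
    recs = [r for r in map(parse_line, lines) if "ts" in r]
    hits = [r for r in recs if is_mgmt_hit(r)]
    findings = []
    for crash in (r for r in recs if is_crash(r)):
        t = crash["ts"]
        by_src = Counter(h.get("srcip", "?") for h in hits if t - window <= h["ts"] <= t)
        findings.append({
            "crash_time": t.isoformat(sep=" "),
            "message": crash.get("msg", ""),
            "preceding_hits": dict(by_src),
            "suspect": by_src.most_common(1)[0][0] if by_src else None,
        })
    return findings


# Constructed sample log lines (not captured from a real device). The second crash has
# no management-port traffic before it and the SSH line is outside MGMT_PORTS, so both
# exercise the filtering.
SAMPLE_LOGS = """\
date=2023-03-08 time=10:14:05 devname="FGT-EDGE" type="traffic" subtype="local" srcip=198.51.100.23 dstip=192.0.2.1 dstport=443 action="accept"
date=2023-03-08 time=10:14:31 devname="FGT-EDGE" type="traffic" subtype="local" srcip=203.0.113.9 dstip=192.0.2.1 dstport=443 action="accept"
date=2023-03-08 time=10:14:33 devname="FGT-EDGE" type="traffic" subtype="local" srcip=203.0.113.9 dstip=192.0.2.1 dstport=443 action="accept"
date=2023-03-08 time=10:14:34 devname="FGT-EDGE" type="traffic" subtype="local" srcip=203.0.113.9 dstip=192.0.2.1 dstport=443 action="accept"
date=2023-03-08 time=10:14:36 devname="FGT-EDGE" type="event" subtype="system" level="critical" msg="httpsd crashed, core dumped"
date=2023-03-08 time=10:20:00 devname="FGT-EDGE" type="traffic" subtype="local" srcip=198.51.100.23 dstip=192.0.2.1 dstport=22 action="accept"
date=2023-03-08 time=11:00:00 devname="FGT-EDGE" type="event" subtype="system" level="critical" msg="httpsd crashed, core dumped"
"""

if __name__ == "__main__":
    for finding in correlate(SAMPLE_LOGS.splitlines()):
        print(finding)
```

A crash with several hits from one source in the window is the pattern worth paging on; a crash with an empty hit list (the second one in the sample) still merits a look at the device, but it cannot be attributed from traffic logs alone.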
Monitoring Recommendations
- Continuously monitor exposure of administrative interfaces (TCP/443, TCP/8443, and custom management ports) on perimeter Fortinet devices
- Forward FortiOS and FortiProxy event, crash, and admin-audit logs to a centralized analytics platform for anomaly detection
- Alert on configuration changes, firmware tampering, and the creation of new administrative users on affected appliances
How to Mitigate CVE-2023-25610
Immediate Actions Required
- Upgrade affected Fortinet appliances to fixed releases as specified in FG-IR-23-001
- Restrict access to the administrative interface to trusted management networks only, and remove internet exposure where possible
- Audit administrative accounts, API keys, and configuration for unauthorized changes that may indicate prior exploitation
Patch Information
Fortinet lists the fixed firmware versions in security advisory FG-IR-23-001. Operators should upgrade FortiOS to 7.4.0, 7.2.4, 7.0.10, 6.4.12, or 6.2.13 or later (the 6.0 branch has no fixed release and must be moved to a supported branch). FortiProxy should be upgraded to 7.2.3, 7.0.9, or 2.0.12 or later (the 1.2 and 1.1 branches have no fixed release). FortiOS-6K7K platforms should be upgraded to 7.0.10, 6.4.12, 6.2.13, or 6.0.15 or later. Verify the exact numbers against the advisory before scheduling upgrades.
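To apply these fixed-version numbers across a fleet, the following Python is an added example, not Fortinet tooling: it parses the version out of a bare version string or a FortiOS "get system status" line, compares it against the minimum fixed release of its branch as listed in FG-IR-23-001, and flags branches that have no fixed build at all. The inventory entries, hostnames and build numbers are constructed; the product name is supplied by the operator because a 6K7K chassis cannot be told apart from a regular FortiOS build by its version string alone.

```python
import re

# Minimum fixed release per branch, from FG-IR-23-001. None means the branch has
# no fixed build (every release on it is affected and a branch upgrade is required).
FIXED = {
    "FortiOS": {
        (7, 4): (7, 4, 0), (7, 2): (7, 2, 4), (7, 0): (7, 0, 10),
        (6, 4): (6, 4, 12), (6, 2): (6, 2, 13), (6, 0): None,
    },
    "FortiOS-6K7K": {
        (7, 0): (7, 0, 10), (6, 4): (6, 4, 12), (6, 2): (6, 2, 13), (6, 0): (6, 0, 15),
    },
    "FortiProxy": {
        (7, 2): (7, 2, 3), (7, 0): (7, 0, 9), (2, 0): (2, 0, 12), (1, 2): None, (1, 1): None,
    },
}

# Matches "7.0.8" or "v7.0.8" as a whole token (the build number has no dots).
_VER = re.compile(r"\bv?(\d+)\.(\d+)\.(\d+)\b")


def parse_version(text):
    """Return (major, minor, patch) from a bare version or a 'get system status'
    line such as 'Version: FortiGate-100F v7.0.8,build0523,221208 (GA.F)'."""
    m = _VER.search(text)
    if not m:
        raise ValueError(f"no version number in {text!r}")
    return tuple(int(g) for g in m.groups())


def patch_status(product, text):
    """'affected', 'fixed', or 'unknown' when the branch is not in the advisory table
    (a newer branch, or a typo in the product name), so nothing passes silently."""
    ver = parse_version(text)
    branches = FIXED[product]
    if ver[:2] not in branches:
        return "unknown"
    fixed = branches[ver[:2]]
    if fixed is None:
        return "affected"
    return "fixed" if ver >= fixed else "affected"


def triage(inventory):
    """inventory: iterable of (hostname, product, version_or_status_line).
    Returns the entries still needing action as (hostname, version, status)."""
    out = []
    for host, product, line in inventory:
        st = patch_status(product, line)
        if st != "fixed":
            out.append((host, ".".join(map(str, parse_version(line))), st))
    return out


# Constructed inventory; hostnames and build identifiers are illustrative only.
INVENTORY = [
    ("fw-edge-1", "FortiOS", "Version: FortiGate-100F v7.0.8,build0523,221208 (GA.F)"),
    ("fw-edge-2", "FortiOS", "Version: FortiGate-100F v7.0.10,build0542,230126 (GA.F)"),
    ("fw-lab", "FortiOS", "Version: FortiGate-60E v6.0.16,build0486,230207 (GA)"),
    ("proxy-1", "FortiProxy", "Version: FortiProxy-400E v2.0.12,build0399 (GA)"),
    ("fw-chassis", "FortiOS-6K7K", "Version: FortiGate-7040E v6.4.10,build1920 (GA)"),
]

if __name__ == "__main__":
    for host, version, status in triage(INVENTORY):
        print(f"{host}: {version} is {status}")
```

The 6.0 FortiOS entry in the constructed inventory is reported as affected even though its patch level is high, which is the point of modelling "no fixed release" as None rather than as a very large version number.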
Workarounds
- Disable the HTTP/HTTPS administrative interface on affected appliances when an immediate upgrade is not feasible (one of the two workarounds the advisory itself gives)
- Limit the source addresses that can reach the administrative interface, either with a local-in policy (the advisory's second documented workaround) or with trusthost restrictions on every administrative account; an account with no trusthost set can still log in from anywhere
- Use a dedicated out-of-band management network and place the administrative interface behind a VPN or zero-trust access broker
# Restrict administrative access to trusted management hosts.
# trusthost is per account: repeat for every admin and API user, because an
# account with no trusthost configured can still log in from any source address.
config system admin
    edit "admin"
        set trusthost1 10.10.0.0 255.255.0.0
        set trusthost2 192.168.50.0 255.255.255.0
    next
end
# Remove HTTP/HTTPS (and every other management service) from the untrusted
# interface. "set allowaccess" replaces the whole list, so only ping remains.
config system interface
    edit "wan1"
        set allowaccess ping
    next
end
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.