CVE-2024-23113 Overview
CVE-2024-23113 is a format string vulnerability [CWE-134] affecting multiple Fortinet products including FortiOS, FortiProxy, FortiPAM, and FortiSwitchManager. The flaw exists in the fgfmd daemon, which processes communications between FortiGate devices and FortiManager. An unauthenticated remote attacker can send specially crafted packets containing externally-controlled format string specifiers to execute arbitrary code or commands on affected devices. CISA added this vulnerability to its Known Exploited Vulnerabilities catalog, confirming active exploitation in the wild.
Critical Impact
Unauthenticated remote attackers can execute arbitrary code on affected Fortinet appliances over the network with no user interaction required.
Affected Products
- Fortinet FortiOS versions 7.4.0 through 7.4.2, 7.2.0 through 7.2.6, 7.0.0 through 7.0.13
- Fortinet FortiProxy versions 7.4.0 through 7.4.2, 7.2.0 through 7.2.8, 7.0.0 through 7.0.14
- Fortinet FortiPAM versions 1.2.0, 1.1.0 through 1.1.2, 1.0.0 through 1.0.3 and FortiSwitchManager versions 7.2.0 through 7.2.3, 7.0.0 through 7.0.3
Discovery Timeline
- 2024-02-15 - CVE-2024-23113 published to NVD alongside Fortinet advisory FG-IR-24-029
- 2025-10-24 - Last updated in NVD database
Technical Details for CVE-2024-23113
Vulnerability Analysis
The vulnerability resides in the FortiGate to FortiManager (FGFM) protocol handler implemented by the fgfmd daemon. The daemon accepts data from a remote source and passes it as a format string argument to a logging or formatting function without sanitization. Format string flaws [CWE-134] permit attackers to supply conversion specifiers such as %s, %n, or %x. These specifiers cause the function to read from or write to memory locations the attacker influences.
Exploitation of this class of vulnerability typically enables arbitrary memory reads, controlled memory writes, and ultimately code execution in the context of the vulnerable daemon. Because fgfmd runs with elevated privileges and processes network input, successful exploitation grants attacker control over the appliance.
Root Cause
The root cause is improper handling of externally-controlled input passed as the format argument to a printf-family function. Developer-supplied format strings must remain constant. When attacker-controlled data reaches the format parameter, the C library interprets embedded specifiers and operates on adjacent stack data.
Attack Vector
The attack vector is network-based and requires no authentication. An attacker reaches the FGFM service exposed by vulnerable appliances and sends a crafted packet containing format specifiers. The service parses the input, triggering the format string evaluation and leading to code or command execution. Refer to the FortiGuard Security Advisory FG-IR-24-029 for protocol-level details.
Detection Methods for CVE-2024-23113
Indicators of Compromise
- Unexpected outbound connections initiated by FortiGate, FortiProxy, FortiPAM, or FortiSwitchManager appliances to unknown hosts
- Anomalous FGFM protocol traffic on TCP port 541 from untrusted source addresses
- New or modified administrative accounts on Fortinet management interfaces without an authorized change record
- Crashes or restarts of the fgfmd process recorded in system event logs
Detection Strategies
- Inspect FGFM traffic for format specifier sequences such as %s, %n, or %x embedded in protocol fields
- Compare current Fortinet device firmware against the fixed versions listed in advisory FG-IR-24-029
- Correlate authentication, configuration change, and network connection events on Fortinet appliances to identify post-exploitation activity
Monitoring Recommendations
- Forward Fortinet syslog and FGFM session logs to a centralized SIEM for retention and correlation
- Alert on any inbound connection attempts to TCP 541 from sources outside the documented FortiManager management network
- Monitor for configuration changes, firmware modifications, and new VPN tunnels on Fortinet appliances
How to Mitigate CVE-2024-23113
Immediate Actions Required
- Upgrade FortiOS, FortiProxy, FortiPAM, and FortiSwitchManager to the fixed versions identified in FortiGuard advisory FG-IR-24-029
- Restrict access to the FGFM service so only authorized FortiManager hosts can reach TCP port 541
- Audit appliances for signs of prior exploitation given confirmation by the CISA Known Exploited Vulnerabilities catalog
- Rotate administrative credentials and review configuration changes on any device that was internet-exposed before patching
Patch Information
Fortinet released fixed builds in February 2024. Upgrade FortiOS to 7.4.3 or later, 7.2.7 or later, and 7.0.14 or later. Upgrade FortiProxy to 7.4.3 or later, 7.2.9 or later, and 7.0.15 or later. Upgrade FortiPAM to 1.2.1 or later and FortiSwitchManager to 7.2.4 or 7.0.4 as documented in advisory FG-IR-24-029.
Workarounds
- Remove the fgfm access setting from the management interface configuration when FortiManager is not used
- Apply a local-in-policy that limits inbound connections on TCP 541 to specific trusted FortiManager IP addresses
- Place management interfaces on isolated networks reachable only through bastion hosts or VPN
# Restrict FGFM access to a known FortiManager IP using local-in-policy
config firewall address
edit "fortimanager-mgmt"
set subnet 203.0.113.10 255.255.255.255
next
end
config firewall local-in-policy
edit 1
set intf "wan1"
set srcaddr "fortimanager-mgmt"
set dstaddr "all"
set action accept
set service "FGFM"
set schedule "always"
next
edit 2
set intf "wan1"
set srcaddr "all"
set dstaddr "all"
set action deny
set service "FGFM"
set schedule "always"
next
end
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

