Is CVE-2024-23113 exploitable?

Yes — CVE-2024-23113 is listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, meaning it is confirmed exploited in the wild.

Is CVE-2024-23113 a false positive?

No practitioners have marked CVE-2024-23113 a false positive so far (3 verdicts).

How do I remediate CVE-2024-23113?

Practitioners have shared remediation steps for CVE-2024-23113 — see the remediation notes on this page.

CVE-2024-23113

is CVE-2024-23113real, exploitable, or a false positive? Here's the community ground truth.

☆ Watch

Critical · CVSS 9.8EPSS 61.7%CISA KEVCWE-134

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

A use of externally-controlled format string in Fortinet FortiOS versions 7.4.0 through 7.4.2, 7.2.0 through 7.2.6, 7.0.0 through 7.0.13, FortiProxy versions 7.4.0 through 7.4.2, 7.2.0 through 7.2.8, 7.0.0 through 7.0.14, FortiPAM versions 1.2.0, 1.1.0 through 1.1.2, 1.0.0 through 1.0.3, FortiSwitchManager versions 7.2.0 through 7.2.3, 7.0.0 through 7.0.3 allows attacker to execute unauthorized code or commands via specially crafted packets.

References

NVD MITRE CVE.org CISA KEV

Published Feb 15, 2024

Embed this verdict

Markdown

[![TruePositive verdict](https://www.truepositive.app/cve/CVE-2024-23113/badge.svg)](https://www.truepositive.app/cve/CVE-2024-23113)

HTML

<a href="https://www.truepositive.app/cve/CVE-2024-23113"><img src="https://www.truepositive.app/cve/CVE-2024-23113/badge.svg" alt="TruePositive verdict for CVE-2024-23113"></a>

Live badge — updates automatically as the community verdict changes.

Community ground truth

Community verdict

3 verdicts

Not a real issue

Includes TruePositive's curated baseline from public sources — community verdicts accrue on top.

Pick your verdict — we'll save it right after a quick sign-in.

Community real-world severity: Critical (Critical 3) — CVSS base score 9.8

In line with its CVSS base score.

Field notes & remediation

Verdicts are the quick signal — notes are the evidence and fixes behind them.

0
Field note · Priya NairCurated
Fortinet Multiple Products Format String Vulnerability — Fortinet FortiOS, FortiPAM, FortiProxy, and FortiWeb contain a format string vulnerability that allows a remote, unauthenticated attacker to execute arbitrary code or commands via specially crafted requests. Listed in the CISA KEV catalog (added 2024-10-09) — confirmed exploited in the wild, not theoretical. FIRST EPSS puts the chance of exploitation in the next 30 days at ~62%. Treat it as real and prioritize remediation over triage.
0
Remediation · Diego RamírezCurated
Required action for Fortinet Multiple Products: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable. CISA set a federal remediation due date of 2024-10-30. After patching, verify the vulnerable path is no longer reachable before closing the finding.

Same weakness — CWE-134.

CVE-2019-1579CVSS 8.1KEVEPSS 39%
Remote Code Execution in PAN-OS 7.1.18 and earlier, PAN-OS 8.0.11-h1 and earlier, and PAN-OS 8.1.2 and earlier with GlobalProtect Portal or GlobalProtect Gateway Interface enabled may allow an unauthenticated remote attacker to execute arbitrary code.

CVE-2024-23113

Community ground truth

Field notes & remediation

Related CVEs