Fortinet has issued patches to address a critical security vulnerability (CVE-2023-37936, CVSS 9.6) affecting its FortiSwitch product line. The vulnerability could allow remote, unauthenticated attackers to execute arbitrary code on vulnerable devices, potentially leading to complete network compromise.
The vulnerability stems from the use of a hardcoded cryptographic key in the affected FortiSwitch versions. Attackers with knowledge of this key can craft malicious requests to exploit the flaw and gain complete control over the device.
Affected versions:
- FortiSwitch 7.4: 7.4.0
- FortiSwitch 7.2: 7.2.0 through 7.2.5
- FortiSwitch 7.0: 7.0.0 through 7.0.7
- FortiSwitch 6.4: 6.4.0 through 6.4.13
- FortiSwitch 6.2: 6.2.0 through 6.2.7
- FortiSwitch 6.0: 6.0.0 through 6.0.7
Mitigation:
Fortinet has released patches for all supported versions of FortiSwitch. Users are strongly urged to update their devices to the following versions or later:
- FortiSwitch 7.4: 7.4.1 or above
- FortiSwitch 7.2: 7.2.6 or above
- FortiSwitch 7.0: 7.0.8 or above
- FortiSwitch 6.4: 6.4.14 or above
- FortiSwitch 6.2: 6.2.8 or above
FortiSwitch 6.0 has reached its end-of-life, and users are advised to migrate to a fixed release.
Related Posts:
- Cisco releases patch to fix three high security bugs
- CISA & Microsoft Warn of 6 Actively Exploited Zero-Day Vulnerabilities
- Microsoft Releases Emergency Repair Patch for Intel CPU Vulnerabilities
- Microsoft Releases Mitigation Notes for Windows Downfall Vulnerability
