CVE-2023-37936

Severity: 9.8 CRITICAL
EPSS: 1.0% (top 23.03%)
CISA KEV: Not in KEV
Exploit: No known exploits
Affected products
Timeline
Published: Jan 14

Description

A use of hard-coded cryptographic key in Fortinet FortiSwitch version 7.4.0 and 7.2.0 through 7.2.5 and 7.0.0 through 7.0.7 and 6.4.0 through 6.4.13 and 6.2.0 through 6.2.7 and 6.0.0 through 6.0.7 allows an attacker to execute unauthorized code or commands via crafted requests.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploitability: 3.9 | Impact: 5.9

Affected Packages (2 packages)

Source    | Package              | Versions
NVD       | fortinet/fortiswitch | 6.0.0  6.2.8  (+4 more)
CVEListV5 | fortinet/fortiswitch | 7.2.0  7.2.5  (+5 more)

Vulnerability Details (2)

GHSA
GHSA-2q3h-pxc2-8gqg: A use of hard-coded cryptographic key in Fortinet FortiSwitch version 7 (2025-01-14)
CVEList
CVE-2023-37936: A use of hard-coded cryptographic key in Fortinet FortiSwitch version 7 (2025-01-14)

Vendor Advisories (1)

Fortinet
Hardcoded Session Secret Leading to Unauthenticated Remote Code Execution (2025-01-14)
CVE-2023-37936 (CRITICAL CVSS 9.8) | A use of hard-coded cryptographic k | cvebase.io