Fortinet FortiExtender vulnerabilities

7 known vulnerabilities affecting fortinet/fortiextender.

Total CVEs: 7
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: HIGH 6, MEDIUM 1

Vulnerabilities

CVE-2025-64153 | HIGH | CVSS 7.2 | Affected: ≥ 7.6.0, ≤ 7.6.3; ≥ 7.4.0, ≤ 7.4.7; +2 more | Published: 2025-12-09
CVE-2025-64153 [HIGH] CWE-78: An improper neutralization of special elements used in an OS command ('OS command injection') in Fortinet FortiExtender 7.6.0 through 7.6.3, FortiExtender 7.4.0 through 7.4.7, FortiExtender 7.2 all versions, FortiExtender 7.0 all versions may allow an authenticated attacker to execute unauthorized code or commands via a specific HTTP request.
Sources: cvelistv5, nvd
CVE-2025-46776 | HIGH | CVSS 7.8 | Affected: ≥ 7.6.0, ≤ 7.6.1; ≥ 7.4.0, ≤ 7.4.6; +2 more | Published: 2025-11-18
CVE-2025-46776 [MEDIUM] CWE-120: A buffer copy without checking size of input ('classic buffer overflow') vulnerability in Fortinet FortiExtender 7.6.0 through 7.6.1, FortiExtender 7.4.0 through 7.4.6, FortiExtender 7.2 all versions, FortiExtender 7.0 all versions may allow an authenticated user to execute arbitrary code or commands via crafted CLI commands.
Sources: cvelistv5, nvd
CVE-2025-46775 | MEDIUM | CVSS 5.5 | Affected: ≥ 7.6.0, ≤ 7.6.1; ≥ 7.4.0, ≤ 7.4.6; +2 more | Published: 2025-11-18
CVE-2025-46775 [MEDIUM] CWE-1295: A debug messages revealing unnecessary information vulnerability in Fortinet FortiExtender 7.6.0 through 7.6.1, FortiExtender 7.4.0 through 7.4.6, FortiExtender 7.2 all versions, FortiExtender 7.0 all versions may allow an authenticated user to obtain administrator credentials via debug log commands.
Sources: cvelistv5, nvd
CVE-2024-23663 | HIGH | CVSS 8.8 | Affected: ≥ 7.4.0, ≤ 7.4.2; ≥ 7.2.0, ≤ 7.2.4; +1 more | Published: 2024-07-09
CVE-2024-23663 [HIGH] CWE-284: An improper access control in Fortinet FortiExtender 4.1.1 - 4.1.9, 4.2.0 - 4.2.6, 5.3.2, 7.0.0 - 7.0.4, 7.2.0 - 7.2.4 and 7.4.0 - 7.4.2 allows an attacker to create users with elevated privileges via a crafted HTTP request.
Sources: cvelistv5, nvd
CVE-2022-23447 | HIGH | CVSS 7.5 | Affected: ≥ 7.0.0, ≤ 7.0.3; v5.3.2; +5 more | Published: 2023-07-11
CVE-2022-23447 [HIGH] CWE-22: An improper limitation of a pathname to a restricted directory ('Path Traversal') vulnerability [CWE-22] in FortiExtender management interface 7.0.0 through 7.0.3, 4.2.0 through 4.2.4, 4.1.1 through 4.1.8, 4.0.0 through 4.0.2, 3.3.0 through 3.3.2, 3.2.1 through 3.2.3, 5.3 all versions may allow an unauthenticated and remote attacker to retrieve arbitra
Sources: cvelistv5, nvd
CVE-2022-27489 | HIGH | CVSS 7.2 | Affected: ≥ 7.0.0, ≤ 7.0.3; v5.3.2; +7 more | Published: 2023-02-16
CVE-2022-27489 [HIGH] CWE-78: An improper neutralization of special elements used in an OS command ('OS command injection') in Fortinet FortiExtender 7.0.0 through 7.0.3, 5.3.2, 4.2.4 and below allows an attacker to execute unauthorized code or commands via crafted HTTP requests.
Sources: cvelistv5, nvd
CVE-2019-15710 | HIGH | CVSS 7.2 | Affected: v4.1.0 to 4.1.1; v4.0.0 and below | Published: 2019-10-31
CVE-2019-15710 [HIGH] CWE-78: An OS command injection vulnerability in FortiExtender 4.1.0 to 4.1.1, 4.0.0 and below under CLI admin console may allow unauthorized administrators to run arbitrary system level commands via specially crafted "execute date" commands.
Sources: cvelistv5, nvd