Fortinet FortiExtender firmware vulnerabilities

7 known vulnerabilities affecting fortinet/fortiextender_firmware.

Total CVEs: 7
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: HIGH 6, MEDIUM 1

Vulnerabilities

Each entry shows the database's structured version ranges (where the list is cut off with "+N more", the remaining ranges are not shown here) followed by the NVD description. Where the two disagree, for example where the structured range stops at 7.0.4 or 7.2.5 but the description says "7.0 all versions" or "7.2 all versions", treat the broader description as authoritative until the vendor advisory is checked.
CVE-2025-64153 | HIGH | CVSS 7.2 | Affected: ≥ 7.0.0, ≤ 7.0.4; ≥ 7.2.0, ≤ 7.2.5; +2 more | Published: 2025-12-09
CVE-2025-64153 [HIGH] CWE-78: An improper neutralization of special elements used in an OS command ('OS command injection') vulnerability in Fortinet FortiExtender 7.6.0 through 7.6.3, FortiExtender 7.4.0 through 7.4.7, FortiExtender 7.2 all versions, FortiExtender 7.0 all versions may allow an authenticated attacker to execute unauthorized code or commands via a specific HTTP request.
Source: NVD
CVE-2025-46776 | HIGH | CVSS 7.8 | Affected: ≥ 7.0.0, < 7.4.8; ≥ 7.6.0, < 7.6.3 | Published: 2025-11-18
CVE-2025-46776 [HIGH] CWE-120: A buffer copy without checking size of input ('classic buffer overflow') vulnerability in Fortinet FortiExtender 7.6.0 through 7.6.1, FortiExtender 7.4.0 through 7.4.6, FortiExtender 7.2 all versions, FortiExtender 7.0 all versions may allow an authenticated user to execute arbitrary code or commands via crafted CLI commands.
Source: NVD
CVE-2025-46775 | MEDIUM | CVSS 5.5 | Affected: ≥ 7.0.0, < 7.4.8; ≥ 7.6.0, < 7.6.3 | Published: 2025-11-18
CVE-2025-46775 [MEDIUM] CWE-1295: A debug messages revealing unnecessary information vulnerability in Fortinet FortiExtender 7.6.0 through 7.6.1, FortiExtender 7.4.0 through 7.4.6, FortiExtender 7.2 all versions, FortiExtender 7.0 all versions may allow an authenticated user to obtain administrator credentials via debug log commands.
Source: NVD
CVE-2024-23663 | HIGH | CVSS 8.8 | Affected: ≥ 4.1.1, ≤ 4.1.9; ≥ 4.2.0, ≤ 4.2.6; +4 more | Published: 2024-07-09
CVE-2024-23663 [HIGH] CWE-284: An improper access control vulnerability in Fortinet FortiExtender 4.1.1 - 4.1.9, 4.2.0 - 4.2.6, 5.3.2, 7.0.0 - 7.0.4, 7.2.0 - 7.2.4 and 7.4.0 - 7.4.2 allows an attacker to create users with elevated privileges via a crafted HTTP request.
Source: NVD
CVE-2022-23447 | HIGH | CVSS 7.5 | Affected: ≥ 3.2.1, < 3.2.4; ≥ 3.3.0, < 3.3.3; +5 more | Published: 2023-07-11
CVE-2022-23447 [HIGH] CWE-22: An improper limitation of a pathname to a restricted directory ('Path Traversal') vulnerability [CWE-22] in FortiExtender management interface 7.0.0 through 7.0.3, 4.2.0 through 4.2.4, 4.1.1 through 4.1.8, 4.0.0 through 4.0.2, 3.3.0 through 3.3.2, 3.2.1 through 3.2.3, 5.3 all versions may allow an unauthenticated and remote attacker to retrieve arbitra
Source: NVD
CVE-2022-27489 | HIGH | CVSS 7.2 | Affected: ≥ 3.2.1, < 3.2.4; ≥ 3.3.0, < 3.3.3; +9 more | Published: 2023-02-16
CVE-2022-27489 [HIGH] CWE-78: An improper neutralization of special elements used in an OS command ('OS command injection') vulnerability in Fortinet FortiExtender 7.0.0 through 7.0.3, 5.3.2, 4.2.4 and below allows an attacker to execute unauthorized code or commands via crafted HTTP requests.
Source: NVD
CVE-2021-41016 | HIGH | CVSS 8.8 | Affected: ≥ 4.1.1, < 4.1.8; ≥ 4.2.0, < 4.2.4; +1 more | Published: 2022-02-02
CVE-2021-41016 [HIGH] CWE-78: An improper neutralization of special elements used in a command ('command injection') vulnerability in Fortinet FortiExtender version 7.0.1 and below, 4.2.3 and below, 4.1.7 and below allows an authenticated attacker to execute privileged shell commands via CLI commands including special characters.
Source: NVD
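The practical question this list answers is "which of these apply to the firmware I am running?", and comparing a dotted version against a mix of inclusive ranges, "and below" and "all versions" wording is easy to get wrong by eye. The following triage helper is an added example written for this page; it is not code from the database or from Fortinet. The ranges are transcribed from the NVD descriptions above, with two labelled assumptions: "X.Y all versions" is read as every X.Y.z release, and "N and below" for CVE-2021-41016 is read per branch (7.0.0-7.0.1, 4.2.0-4.2.3, 4.1.0-4.1.7), matching the structured ranges shown for that entry, whereas for CVE-2022-27489 "4.2.4 and below" is read literally as everything up to 4.2.4, consistent with the 3.x branches listed for it.

```python
"""Match a FortiExtender firmware version against the affected ranges listed
on this page.  Example code added for this page, not the database's or
Fortinet's own tooling.  Ranges are transcribed from the NVD text above."""
from typing import Dict, List, Tuple

Version = Tuple[int, ...]
Range = Tuple[Version, Version]  # inclusive lower and upper bound

_BRANCH_MAX = 10**9  # stand-in for "any patch level" in an X.Y branch


def parse_version(text: str) -> Version:
    """'7.4.6' -> (7, 4, 6).  Raises ValueError on non-numeric parts."""
    parts = tuple(int(p) for p in text.strip().split("."))
    if not parts:
        raise ValueError("empty version string")
    return parts


def between(lo: str, hi: str) -> Range:
    """Inclusive range, e.g. '7.4.0 through 7.4.6'."""
    return parse_version(lo), parse_version(hi)


def branch(prefix: str) -> Range:
    """Assumption: 'X.Y all versions' means every X.Y.z release."""
    base = parse_version(prefix)
    return base + (0,), base + (_BRANCH_MAX,)


# Transcribed from the descriptions above; see the lead-in for how the
# "all versions" and "and below" wording was interpreted.
AFFECTED: Dict[str, List[Range]] = {
    "CVE-2025-64153": [between("7.6.0", "7.6.3"), between("7.4.0", "7.4.7"),
                       branch("7.2"), branch("7.0")],
    "CVE-2025-46776": [between("7.6.0", "7.6.1"), between("7.4.0", "7.4.6"),
                       branch("7.2"), branch("7.0")],
    "CVE-2025-46775": [between("7.6.0", "7.6.1"), between("7.4.0", "7.4.6"),
                       branch("7.2"), branch("7.0")],
    "CVE-2024-23663": [between("4.1.1", "4.1.9"), between("4.2.0", "4.2.6"),
                       between("5.3.2", "5.3.2"), between("7.0.0", "7.0.4"),
                       between("7.2.0", "7.2.4"), between("7.4.0", "7.4.2")],
    "CVE-2022-23447": [between("7.0.0", "7.0.3"), between("4.2.0", "4.2.4"),
                       between("4.1.1", "4.1.8"), between("4.0.0", "4.0.2"),
                       between("3.3.0", "3.3.2"), between("3.2.1", "3.2.3"),
                       branch("5.3")],
    # "4.2.4 and below" read literally (the entry also lists 3.x branches).
    "CVE-2022-27489": [between("7.0.0", "7.0.3"), between("5.3.2", "5.3.2"),
                       between("0.0.0", "4.2.4")],
    # Assumption: "N and below" read per branch, as the structured ranges show.
    "CVE-2021-41016": [between("7.0.0", "7.0.1"), between("4.2.0", "4.2.3"),
                       between("4.1.0", "4.1.7")],
}


def in_range(v: Version, r: Range) -> bool:
    """Tuple comparison handles differing lengths: (7, 2) < (7, 2, 0)."""
    lo, hi = r
    return lo <= v <= hi


def affected_cves(version: str) -> List[str]:
    """Return the sorted CVE IDs from this page whose ranges cover `version`."""
    v = parse_version(version)
    return sorted(cve for cve, ranges in AFFECTED.items()
                  if any(in_range(v, r) for r in ranges))


if __name__ == "__main__":
    for fw in ("7.4.6", "7.4.8", "4.2.4", "7.6.4"):
        print(fw, "->", affected_cves(fw) or "none of the listed CVEs")
```

A version that matches none of the ranges only means none of the seven entries on this page apply, not that the firmware is clean; the database's structured ranges are truncated for several entries, so confirm against the vendor PSIRT advisory before closing a finding.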