CVE-2023-36553

9.8 CRITICAL

📋 TL;DR

This CVE describes an OS command injection (CWE-78) in Fortinet FortiSIEM that lets a remote attacker execute arbitrary operating-system commands on the appliance by sending crafted API requests; no credentials are needed. It affects the 4.x and 5.x releases listed below. Successful exploitation gives code execution with high privileges on a system that, as a SIEM, holds credentials for and visibility into much of the rest of the estate.

💻 Affected Systems

Products:
  • Fortinet FortiSIEM
Versions: 5.4.0, 5.3.0 through 5.3.3, 5.2.5 through 5.2.8, 5.2.1 through 5.2.2, 5.1.0 through 5.1.3, 5.0.0 through 5.0.1, 4.10.0, 4.9.0, 4.7.2
Operating Systems: FortiSIEM appliance OS
Default Config Vulnerable: ⚠️ Yes
Notes: No non-default setting is involved; the flaw is in the API request handling itself, so every listed version is vulnerable as shipped.

📦 What is this software?

FortiSIEM is Fortinet's security information and event management (SIEM) platform. It collects logs, flow and performance data from network devices, servers and security products into a supervisor/worker/collector deployment and provides correlation, alerting and reporting on top of it. Because it stores credentials for the systems it monitors and sits on a well-connected management network, code execution on it is worth more to an attacker than on an ordinary server.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete system compromise allowing attackers to execute arbitrary commands with high privileges, potentially leading to data exfiltration, lateral movement, or deployment of ransomware.

🟠

Likely Case

Remote code execution leading to installation of backdoors, credential theft, or deployment of additional malware on the FortiSIEM system.

🟢

If Mitigated

Limited impact only if the API port is unreachable from untrusted networks, access to it is restricted to known hosts, and requests are monitored. These controls reduce exposure but do not remove the flaw.

🌐 Internet-Facing: HIGH - FortiSIEM systems exposed to the internet are at immediate risk of exploitation via API requests.
🏢 Internal Only: HIGH - Even internally accessible systems are vulnerable to attackers who gain network access or compromise internal hosts.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ Yes
Complexity: LOW

Exploitation needs only network reach to the FortiSIEM API; no credentials are required, which is what the 9.8 score (no privileges, no user interaction) reflects. Because the flaw is in how the API handles request input, a single crafted request to the affected endpoint suffices once that endpoint is identified.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Refer to Fortinet advisory for specific patched versions

Vendor Advisory: https://fortiguard.com/psirt/FG-IR-23-135

Restart Required: Yes

Instructions:

1. Review Fortinet advisory FG-IR-23-135 and note the fixed release for your branch.
2. Record the current FortiSIEM version on every node (supervisor, workers, collectors).
3. Upgrade to the patched version named in the advisory, in the node order Fortinet's upgrade guide prescribes.
4. Restart FortiSIEM services (the upgrade procedure reboots the appliance).
5. Verify the patch by confirming that the running version on each node matches the fixed release.

🔧 Temporary Workarounds

Restrict API Access

linux

Limit network access to the FortiSIEM HTTPS port (which carries the API) to known management networks and to the FortiSIEM workers and collectors that register to the supervisor over it; a collector range left off the allow-list stops reporting. Replace 203.0.113.0/24 with your own ranges and add one ACCEPT line per range before the final DROP. These rules are appended, so place them ahead of any broad ACCEPT already in INPUT (or insert them with -I), and save them with your distribution's persistence mechanism, since plain iptables rules do not survive a reboot.

iptables -A INPUT -p tcp --dport 443 -s 203.0.113.0/24 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j DROP

API Rate Limiting

all

Rate-limit requests to the API at a reverse proxy or WAF in front of FortiSIEM so that endpoint scanning and mass exploitation attempts stand out and can be blocked. A single crafted request is enough to exploit this flaw, so rate limiting is a detection and containment aid, not a mitigation on its own.

🧯 If You Can't Patch

  • Implement strict network segmentation so that only management hosts and FortiSIEM components can reach the appliance's HTTPS port, and keep it off the internet entirely
  • Put a WAF or reverse proxy in front of the API with rules for command-injection patterns; make sure it percent-decodes request data (including double encoding) before matching, and treat it as defence in depth that buys time, not as a fix

🔍 How to Verify

Check if Vulnerable:

Compare the running FortiSIEM version on every node with the affected list above. A version that is not listed is not automatically safe: the list reproduces the NVD affected versions, and the fixed releases must be read from FG-IR-23-135. Reviewing API access logs can reveal attempted exploitation but cannot show that you are not vulnerable.

Check Version:

ssh admin@fortisiem_ip 'grep version /opt/phoenix/config/build.properties'

The per-node version is also shown in the FortiSIEM GUI under Admin > Health > Cloud Health; if the file path above is not present on your build, use the version displayed there.
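An added example (not Fortinet tooling) that takes a version string, such as the output of the command above, and tests it against the Affected Systems list from this page. It assumes FortiSIEM versions are dotted X.Y.Z triples and compares them as integer tuples, which avoids the string-comparison mistake where "4.10.0" sorts before "4.9.0". A version outside the listed ranges is reported as "not listed", deliberately not as "fixed", because the fixed releases have to be read from FG-IR-23-135.

```python
"""Added example: test a FortiSIEM version string against the affected ranges
listed on this page for CVE-2023-36553.  Not Fortinet tooling."""
from __future__ import annotations

import re

Version = tuple[int, int, int]

# Inclusive (low, high) ranges copied from the Affected Systems list above.
# A single listed version is a range of one.
AFFECTED_RANGES: list[tuple[Version, Version]] = [
    ((5, 4, 0), (5, 4, 0)),
    ((5, 3, 0), (5, 3, 3)),
    ((5, 2, 5), (5, 2, 8)),
    ((5, 2, 1), (5, 2, 2)),
    ((5, 1, 0), (5, 1, 3)),
    ((5, 0, 0), (5, 0, 1)),
    ((4, 10, 0), (4, 10, 0)),
    ((4, 9, 0), (4, 9, 0)),
    ((4, 7, 2), (4, 7, 2)),
]

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> Version:
    """Return the first X.Y.Z triple found in text, e.g. 'version=5.3.1-1234' -> (5, 3, 1).
    Integer tuples compare correctly; string comparison would put '4.10.0' before '4.9.0'."""
    m = _VERSION_RE.search(text)
    if m is None:
        raise ValueError(f"no X.Y.Z version in {text!r}")
    major, minor, patch = (int(g) for g in m.groups())
    return (major, minor, patch)


def is_listed_affected(text: str) -> bool:
    """True if the version falls inside one of the listed affected ranges."""
    v = parse_version(text)
    return any(low <= v <= high for low, high in AFFECTED_RANGES)


def classify(text: str) -> str:
    """Human-readable verdict.  'not listed' intentionally does not say 'fixed':
    the list above is the NVD affected list, and the fixed releases must be
    taken from FG-IR-23-135."""
    if is_listed_affected(text):
        return "affected"
    return "not listed (confirm against FG-IR-23-135)"


if __name__ == "__main__":
    import sys

    # Default inputs are constructed sample versions, not output from a real appliance.
    for arg in sys.argv[1:] or ["5.3.1", "5.2.3", "4.10.0"]:
        print(f"{arg}: {classify(arg)}")
```

Pass the output of the version command as the argument; the script extracts the first X.Y.Z it finds, so trailing build numbers do not matter.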

Verify Fix Applied:

Confirm that the version reported on every node (supervisor, workers, collectors) is one of the fixed releases named in FG-IR-23-135. Functional tests with benign inputs on a non-production instance can add confidence, but they are no substitute for the version check and must not be run with live payloads against production.

📡 Detection & Monitoring

Log Indicators:

  • API requests whose path or parameters contain shell metacharacters (; | & ` $( ${ newline), including their percent-encoded forms such as %3B, %7C and %24%28
  • Bursts of failed or erroring API requests (4xx/5xx) from one source carrying such patterns, typical of endpoint discovery
  • Child processes spawned by FortiSIEM service processes that are not part of normal operation (shells, curl/wget, base64, chmod), and new listeners or cron entries

Network Indicators:

  • Unusual outbound connections from FortiSIEM system
  • Traffic to known malicious IPs from FortiSIEM

SIEM Query:

Splunk-style search, assuming the API request line has been extracted into a field named api_request. The appliance is Linux-based, so Windows command names (cmd.exe, powershell) are noise here; the pattern covers literal shell metacharacters and their single-level percent-encoded forms.

source="fortisiem" api_request="*"
| regex api_request="(;|\|\||\||&&|`|\$\(|\$\{|%3[Bb]|%7[Cc]|%60|%24%28|%24%7[Bb])"
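The following added example (mine, not a FortiSIEM or Fortinet artifact) implements the log indicators above over a few constructed access-log lines in a common web-server format; the request paths in it are placeholders, not FortiSIEM endpoints, and the log regex is an assumption to adapt to whatever format your web logs use. It goes beyond the SIEM query in two ways a practitioner will want: it percent-decodes request targets repeatedly, so double encoding such as %2524%2528 for $( is caught, and it inspects the path and each query-parameter value separately, so the & and = that legitimately separate parameters are not reported.

```python
"""Added example: flag HTTP API requests whose path or parameter values carry
shell metacharacters, after full percent-decoding.  Constructed sample data."""
from __future__ import annotations

import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Assumed access-log shape: <src> - - [<ts>] "<METHOD> <target> HTTP/x" <status> <bytes>
# Real FortiSIEM web-server logs may use a different layout; adjust the regex.
_LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)

# Shell constructs that terminate a command or substitute another one.
# Two-character forms come first so the alternation reports "||" rather than "|".
_SHELL_META = re.compile(r'\|\||&&|\$\(|\$\{|[;|&`<>\n]')


def full_decode(value: str, max_rounds: int = 3) -> str:
    """Percent-decode until the string stops changing (bounded), so that a
    double-encoded payload %2524%2528 -> %24%28 -> $( is seen as $(."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def request_fields(target: str) -> list[tuple[str, str]]:
    """Split a request target into (name, decoded value) pairs: the path plus
    each query parameter.  Checking parameter values individually avoids
    flagging the '&' and '=' that legitimately separate parameters."""
    parts = urlsplit(target)
    fields = [("path", full_decode(parts.path))]
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        fields.append((key, full_decode(value)))  # parse_qsl already decoded once
    return fields


def flag_request(line: str) -> dict | None:
    """Return a finding for one log line, or None if it parses cleanly."""
    m = _LOG_RE.match(line)
    if m is None:
        return None
    findings: dict[str, list[str]] = {}
    for name, value in request_fields(m.group("target")):
        hits = sorted({h.group(0) for h in _SHELL_META.finditer(value)})
        if hits:
            findings[name] = hits
    if not findings:
        return None
    return {"src": m.group("src"), "status": int(m.group("status")), "findings": findings}


def scan(lines: list[str]) -> list[dict]:
    """Run flag_request over a batch of lines and keep the hits, in order."""
    return [r for r in map(flag_request, lines) if r is not None]


# Constructed sample lines (not real FortiSIEM traffic); /api/v1/reports is a placeholder path.
SAMPLE_LOG = [
    '10.0.0.9 - - [10/Nov/2023:10:00:01 +0000] "GET /api/v1/reports?name=weekly&page=2 HTTP/1.1" 200 300',
    '198.51.100.7 - - [10/Nov/2023:10:00:02 +0000] "GET /api/v1/reports?name=q%3Bid HTTP/1.1" 500 0',
    '198.51.100.7 - - [10/Nov/2023:10:00:03 +0000] "POST /api/v1/reports?name=x%2524%2528id%2529 HTTP/1.1" 200 0',
    '198.51.100.7 - - [10/Nov/2023:10:00:04 +0000] "GET /api/v1/reports/x%0Acat%20/etc/passwd HTTP/1.1" 404 0',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

The first sample line is the benign control: its "&" separates two parameters and is not reported. The other three are caught by a literal ";", a double-encoded "$(" and an encoded newline respectively; the SIEM query above would miss the last two.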

🔗 References

  • Fortinet PSIRT advisory FG-IR-23-135: https://fortiguard.com/psirt/FG-IR-23-135
  • NVD entry for CVE-2023-36553: https://nvd.nist.gov/vuln/detail/CVE-2023-36553
