CVE-2023-37936 – This vulnerability allows attackers to execute ... (How to Fix)

Q: What is the severity of CVE-2023-37936?

CVE-2023-37936 has a CVSS score of 9.8 (CRITICAL). This vulnerability allows attackers to execute arbitrary code or commands on affected FortiSwitch devices by exploiting hard-coded cryptographic keys. Attackers can send specially crafted requests to compromise the device. All organizations running vulnerable FortiSwitch firmware versions are affected.

📋 TL;DR

This vulnerability allows attackers to execute arbitrary code or commands on affected FortiSwitch devices by exploiting hard-coded cryptographic keys. Attackers can send specially crafted requests to compromise the device. All organizations running vulnerable FortiSwitch firmware versions are affected.

💻 Affected Systems

Products:

Fortinet FortiSwitch

Versions: 7.4.0, 7.2.0-7.2.5, 7.0.0-7.0.7, 6.4.0-6.4.13, 6.2.0-6.2.7, 6.0.0-6.0.7

Operating Systems: FortiOS for FortiSwitch

Default Config Vulnerable: ⚠️ Yes

Notes: All configurations running affected firmware versions are vulnerable. The vulnerability is in the firmware itself, not dependent on specific settings.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete device compromise leading to network takeover, data exfiltration, lateral movement to other systems, and persistent backdoor installation.

🟠

Likely Case

Unauthorized administrative access to the switch, configuration changes, traffic interception, and potential network disruption.

🟢

If Mitigated

Limited impact if network segmentation isolates switches, access controls restrict management interfaces, and monitoring detects anomalous requests.

🌐 Internet-Facing: HIGH - If management interfaces are exposed to the internet, attackers can directly exploit the vulnerability without internal access.

🏢 Internal Only: HIGH - Even internally, any attacker with network access to the management interface can exploit this vulnerability.

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: LIKELY

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

The hard-coded key nature makes exploitation straightforward once the key is discovered. No authentication required for exploitation.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Update to FortiSwitch firmware versions: 7.4.1 or above, 7.2.6 or above, 7.0.8 or above, 6.4.14 or above, 6.2.8 or above, 6.0.8 or above

Vendor Advisory: https://fortiguard.com/psirt/FG-IR-23-260

Restart Required: Yes

Instructions:

1. Download the patched firmware from Fortinet support portal. 2. Backup current configuration. 3. Upload firmware to FortiSwitch via GUI or CLI. 4. Reboot the switch to apply the update. 5. Verify the new firmware version is installed.

🔧 Temporary Workarounds

Restrict Management Interface Access

all

Limit access to FortiSwitch management interfaces to trusted IP addresses only

config system interface
edit <management_interface>
set allowaccess https ssh ping
set trust-ip-list <trusted_ips>
end

Disable Unnecessary Management Protocols

all

Turn off management protocols not required for operations

config system interface
edit <management_interface>
set allowaccess <required_protocols_only>
end

🧯 If You Can't Patch

Isolate FortiSwitch management interfaces to dedicated VLAN with strict access controls
Implement network monitoring for anomalous requests to switch management interfaces

🔍 How to Verify

Check if Vulnerable:

Check FortiSwitch firmware version via GUI (System > Dashboard) or CLI (get system status)

Check Version:

get system status | grep Version

Verify Fix Applied:

Confirm firmware version is updated to patched versions listed in vendor advisory

📡 Detection & Monitoring

Log Indicators:

Unusual authentication attempts to switch management interface
Configuration changes from unexpected sources
Failed firmware update attempts

Network Indicators:

Unusual traffic patterns to switch management ports (typically 443, 22)
Requests containing crafted payloads to management interfaces

SIEM Query:

source="fortiswitch" AND (event_type="config_change" OR event_type="auth_failure") AND src_ip NOT IN [trusted_ips]

📊 Metadata

CVE ID: CVE-2023-37936

CVSS v3 Score: 9.8 (CRITICAL)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE: CWE-321

EPSS Score: 0.23% exploit probability (46th percentile)

Published: January 14, 2025

Last Updated: January 31, 2025

🔗 References

https://fortiguard.com/psirt/FG-IR-23-260 Vendor Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2023-37936, you might also want to check these:

📋 TL;DR

💻 Affected Systems

📦 What is this software?

Fortiswitch by Fortinet

Fortiswitch by Fortinet

Fortiswitch by Fortinet

Fortiswitch by Fortinet

Fortiswitch by Fortinet

⚠️ Risk & Real-World Impact

Worst Case

Likely Case

If Mitigated

🎯 Exploit Status

🛠️ Fix & Mitigation

✅ Official Fix

Instructions:

🔧 Temporary Workarounds

Restrict Management Interface Access

Disable Unnecessary Management Protocols

🧯 If You Can't Patch

🔍 How to Verify

Check if Vulnerable:

Check Version:

Verify Fix Applied:

📡 Detection & Monitoring

Log Indicators:

Network Indicators:

SIEM Query:

📊 Metadata

🔗 References

📤 Share & Export

🔗 Related Vulnerabilities