Login Sign Up

CVE-2023-50176

7.5 HIGH
Remote Code Execution Authentication Bypass

📋 TL;DR

This session fixation vulnerability in Fortinet FortiOS allows attackers to hijack user sessions via phishing SAML authentication links. Attackers can execute unauthorized code or commands on affected systems. Organizations using FortiOS versions 7.4.0-7.4.3, 7.2.0-7.2.7, or 7.0.0-7.0.13 are affected.

💻 Affected Systems

Products:
  • Fortinet FortiOS
Versions: 7.4.0 through 7.4.3, 7.2.0 through 7.2.7, 7.0.0 through 7.0.13
Operating Systems: FortiOS
Default Config Vulnerable: ⚠️ Yes
Notes: Requires SAML authentication configuration to be exploitable

📦 What is this software?

Fortios by Fortinet

View all CVEs affecting Fortios →

Fortios by Fortinet

View all CVEs affecting Fortios →

Fortios by Fortinet

View all CVEs affecting Fortios →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Full system compromise with administrative access, data exfiltration, and persistent backdoor installation

🟠

Likely Case

Unauthorized access to network resources, privilege escalation, and lateral movement within the network

🟢

If Mitigated

Limited to unsuccessful authentication attempts with proper monitoring and segmentation

🌐 Internet-Facing: HIGH - Exploitable via phishing links targeting SAML authentication
🏢 Internal Only: MEDIUM - Requires user interaction but can be exploited internally via phishing

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Requires user interaction via phishing link and SAML authentication configuration

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: FortiOS 7.4.4, 7.2.8, 7.0.14 or later

Vendor Advisory: https://fortiguard.fortinet.com/psirt/FG-IR-23-475

Restart Required: Yes

Instructions:

1. Download latest firmware from Fortinet support portal. 2. Backup configuration. 3. Apply firmware update via CLI or GUI. 4. Reboot device. 5. Verify version with 'get system status'

🔧 Temporary Workarounds

Disable SAML Authentication

all

Temporarily disable SAML authentication if not required

config user saml
edit <saml_server_name>
set status disable
end

Implement URL Filtering

all

Block suspicious authentication URLs via web filtering

config webfilter urlfilter
edit <rule_name>
set action block
set url-pattern <malicious_pattern>
end

🧯 If You Can't Patch

  • Implement strict phishing awareness training for users accessing SAML authentication
  • Enable multi-factor authentication and monitor for unusual authentication patterns

🔍 How to Verify

Check if Vulnerable:

Check FortiOS version with 'get system status' and compare to affected ranges

Check Version:

get system status | grep Version

Verify Fix Applied:

Verify version is 7.4.4+, 7.2.8+, or 7.0.14+ with 'get system status'

📡 Detection & Monitoring

Log Indicators:

  • Unusual SAML authentication patterns
  • Multiple failed authentication attempts from same source
  • Authentication from unexpected geolocations

Network Indicators:

  • Suspicious authentication redirects
  • Unusual outbound connections post-authentication

SIEM Query:

source="fortigate" AND (event_type="authentication" AND result="failed") | stats count by src_ip

📊 Metadata

CVE ID: CVE-2023-50176
CVSS v3 Score: 7.5 (HIGH)
CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
CWE: CWE-384
Published: November 12, 2024
Last Updated: December 12, 2024

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2023-50176, you might also want to check these:

CVE-2024-11317 10.0

CVE-2024-11317 is a session fixation vulnerability in ABB ASPECT, NEXUS, and MATRIX series products ...

Same vulnerability type (CWE-384)
CVE-2024-38513 10.0

This vulnerability in GoFiber's session middleware allows attackers to supply their own session_id, ...

Same vulnerability type (CWE-384)
CVE-2021-20151 10.0

This vulnerability allows session hijacking on Trendnet AC2600 routers by exploiting IP-based sessio...

Same vulnerability type (CWE-384)