Unrated severityNVD Advisory· Published Oct 10, 2023· Updated Dec 16, 2025

CVE-2023-25607

Description

An improper neutralization of special elements used in an OS Command ('OS Command Injection') vulnerability [CWE-78 ] in FortiManager 7.2.0 through 7.2.2, 7.0.0 through 7.0.7, 6.4.0 through 6.4.11, 6.2 all versions, 6.0 all versions, FortiAnalyzer 7.2.0 through 7.2.2, 7.0.0 through 7.0.7, 6.4.0 through 6.4.11, 6.2 all versions, 6.0 all versions and FortiADC 7.1.0, 7.0.0 through 7.0.3, 6.2 all versions, 6.1 all versions, 6.0 all versions management interface may allow an authenticated attacker with at least READ permissions on system settings to execute arbitrary commands on the underlying shell due to an unsafe usage of the wordexp function.

Affected products

Fortinet/Fortianalyzerllm-fuzzy2 versions
>=6.0 <=7.2.2+ 1 more
- (no CPE)range: >=6.0 <=7.2.2
- (no CPE)range: 7.2.0
Fortinet/Fortimanagerllm-fuzzy2 versions
>=6.0 <=7.2.2+ 1 more
- (no CPE)range: >=6.0 <=7.2.2
- (no CPE)range: 7.2.0
Fortinet/FortiADCllm-fuzzy
Range: >=6.0 <=7.1.0
Fortinet/Fortiadc 200dcpe-rescue
Range: 7.1.0

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

fortiguard.com/psirt/FG-IR-22-352mitre

News mentions

No linked articles in our index yet.

cvss	0.000
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000